1. 改变字符大小写
2. 利用多加一些其它字符来规避Regular Expression的检查
<
3. 以其它扩展名取代.js
4. 将Javascript写在CSS档里
example:
body {
background-image: url(‘javascript.:alert("XSS");’)
}
5. 在script的tag里加入一些其它字符
6. 使用tab或是new line来规避
-> tag
-> new line
7. 使用"\"来规避
8. 使用Hex encode来规避(也可能会把";"拿掉)
原始码:
原始码:
9. script. in HTML tag
onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. 在swf里含有xss的code
11. 利用CDATA将xss的code拆开,再组合起来,
Cross Site Scripting(XSS)攻击手法介绍脚本安全
,电脑资料
《Cross Site Scripting(XSS)攻击手法介绍脚本安全》(https://www.unjs.com)。
]]>
12. 利用HTML+TIME。
13. 透过META写入Cookie。
14. javascript. in src , href , url