If a web frontend wants a cookie that works across sites and across browsers, and that survives even when the user clears the browser's cookies, that sounds hard. The tutorial below frees you completely from document.cookie.
superCookie.js:
http://beta.tfxiq.com/superCookie.js
demo:
http://beta.tfxiq.com/sc.html
Setting HSTS on the server side
For example, in PHP:
<?php header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); ?>
includeSubDomains is essential, because the Super Cookie relies on many subdomains (a prerequisite for the Super Cookie; ideally 32 of them).
Subdomains used by the demo: *-hsts-lab.radicalresearch.co.uk, e.g. 1-hsts-lab.radicalresearch.co.uk, 2-hsts-lab.radicalresearch.co.uk, and so on up to 32-hsts-lab.radicalresearch.co.uk; the demo uses 32 subdomains in total. Why so many subdomains are needed is explained below.
Turning HSTS on or off
Set the HSTS status header for a subdomain:
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1
Open the URL above in the browser, as shown in the figure below:
The response carries a Strict-Transport-Security header with max-age=31436000. Note that max-age is not 0 here, which means HSTS is enabled.
Now open https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0
This time max-age=0, so HSTS expires and is disabled.
The 13-hsts-lab.radicalresearch.co.uk server returns a different HSTS state depending on the trailing 0/1 (shown in red in the original) of the URL
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0
and emits a different status header accordingly: 0 = off, 1 = on.
The server decides from the URL which Strict-Transport-Security header to output.
HSTS on:
<?php header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); ?>
HSTS off:
<?php header("Strict-Transport-Security: max-age=0; includeSubDomains"); ?>
Another key point: turning HSTS on or off must be done over https. That is, when you open
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0 in the browser, the scheme must be https; browsers only honour the Strict-Transport-Security header on https responses. This is explained below.
The key point the Super Cookie exploits:
If we have previously turned HSTS on for subdomain 13, and the current browser has visited that subdomain (or a script has loaded it dynamically), for example by opening
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1
then any later plain-http request to that subdomain, such as
http://13-hsts-lab.radicalresearch.co.uk/hsts/get
//13-hsts-lab.radicalresearch.co.uk/hsts/get
is upgraded by the browser to https. If you instead open
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0
to turn HSTS off, then opening any resource under that subdomain over http will not be redirected to https at all.

The demo writes one bit per subdomain by toggling HSTS on each of the 32 subdomains:
https://1-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://2-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://3-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://4-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://5-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://6-hsts-lab.radicalresearch.co.uk/hsts/set/1   turn HSTS on for this subdomain
https://7-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://8-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://9-hsts-lab.radicalresearch.co.uk/hsts/set/0   turn HSTS off for this subdomain
https://10-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://11-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://12-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://14-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://15-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://16-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://17-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://18-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://19-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://20-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://21-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://22-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://23-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://24-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://25-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://26-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://27-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://28-hsts-lab.radicalresearch.co.uk/hsts/set/0  turn HSTS off for this subdomain
https://29-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://30-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://31-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain
https://32-hsts-lab.radicalresearch.co.uk/hsts/set/1  turn HSTS on for this subdomain

It then reads the bits back by requesting each subdomain over plain http with a JSONP-style callback:
http://1-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['1'](0)
HSTS is off for this subdomain: the request is redirected, the response carries no result, and the argument passed to the cb callback is 0 (what you see in the browser's Network panel is the negation of that).
http://2-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['2'](0)
Same as above.
http://3-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['3'](0)
Same as above.
http://4-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['4'](0)
Same as above.
http://5-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['5'](0)
Same as above.
http://6-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['6'](1)
HSTS is on for this subdomain: the request is not redirected, the response carries data, and the argument passed to the cb callback is true.
http://32-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['32'](1)
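From the defender's side, the same write/read pattern is visible in a web server's access logs. As an added example (not part of the original post or its superCookie.js), the Python below scans constructed log lines for one client writing many numbered sibling subdomains over https via /hsts/set/0 or /hsts/set/1 and then reading them back via /hsts/get; the log format, the hsts-lab.example.test parent domain, and the 8-bit threshold are assumptions.

```python
"""Flag the HSTS-supercookie pattern in web-server access logs: one client
writing many numbered sibling subdomains via https .../hsts/set/0|1 and then
reading them back via .../hsts/get. Added example, not the original post's code."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "<client> <method> <url>" format;
# hsts-lab.example.test stands in for the demo's real parent domain.
SAMPLE_LOG = (
    [f"203.0.113.5 GET https://{i}-hsts-lab.example.test/hsts/set/{i % 2}"
     for i in range(1, 33)]
    # Read-back probes: a 0 bit stays on http, a 1 bit is upgraded to https.
    + [f"203.0.113.5 GET {'https' if i % 2 else 'http'}://{i}-hsts-lab.example.test"
       f"/hsts/get?cb=window['hsts']._['{i}']" for i in range(1, 33)]
    + ["203.0.113.9 GET https://www.example.test/index.html",          # benign
       "203.0.113.9 GET https://1-hsts-lab.example.test/hsts/set/1"]    # too few
)

LINE_RE = re.compile(r"^(\S+) \S+ (https?)://(\d+)-([^/\s]+)(/\S*)?$")
SET_RE = re.compile(r"/hsts/set/[01]$")


def analyze(lines, min_bits=8):
    """Return one finding per (client, parent domain) with at least min_bits
    numbered subdomains written over https and at least one read back."""
    written = defaultdict(set)   # (client, parent) -> labels set over https
    probed = defaultdict(set)    # (client, parent) -> labels hit on /hsts/get
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                # not a numbered sibling subdomain; ignore
            continue
        client, scheme, label, parent, path = m.groups()
        key, path = (client, parent), path or "/"
        # Browsers ignore Strict-Transport-Security on plain http, so only
        # https hits on the set endpoint can actually store a bit.
        if scheme == "https" and SET_RE.search(path):
            written[key].add(label)
        elif path.startswith("/hsts/get"):
            probed[key].add(label)
    findings = []
    for key, labels in written.items():
        read_back = labels & probed[key]
        if len(labels) >= min_bits and read_back:
            findings.append({"client": key[0], "parent": key[1],
                             "bits_written": len(labels),
                             "bits_read": len(read_back)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} wrote {f['bits_written']} HSTS bits under "
              f"*.{f['parent']} and read {f['bits_read']} back")
```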
Frontend HSTS Super Cookie: exploiting a weakness in HSTS (HTTP Strict Transport Security, the new web security protocol)
Original article: http://www.cnblogs.com/liuminghai/p/4423143.html