Tuesday, November 22, 2011

HTML 5 Persistent Storage Risks

At the Intel Security Conference last week I attended a presentation by Ming Chow on Abusing HTML 5. This sparked off some research on my part into the persistent storage APIs that the W3C is promoting.

I started with a deep dive into the Web SQL Database, which I felt was the riskiest implementation and a good target for SQL and command injection attacks. However, it seems that the W3C is not going forward with the recommendation of using Web SQL Database, though the functionality is still available in the WebKit layout engine used by several browsers: Google Chrome, Opera and Safari. This also means that mobile devices which utilize WebKit could use the capability. It also turns out that WebKit can be used in IE as an add-in, so theoretically the Web SQL Database API functionality could be available in IE as well.

More information on Web SQL Database:
http://www.w3.org/TR/webdatabase/
http://en.wikipedia.org/wiki/Web_SQL_Database
http://en.wikipedia.org/wiki/Comparison_of_layout_engines_(HTML5
http://www.roughlydrafted.com/2009/09/25/google-sneaks-webkit-html-5-support-into-internet-explorer/

More Research:
Since Web SQL Database was being deprecated, I started researching the risks of the IndexedDB and Web Storage APIs for client-side persistent storage.

For IndexedDB, see section 7 of the specification (http://www.w3.org/TR/IndexedDB/) for the currently identified risks of using the IndexedDB API. It is currently only supported in Firefox and is actively being standardized by the W3C. There is some support in other layout engines, but expect support to grow as the specification matures.

For Web Storage, see section 7 of the specification: http://www.w3.org/TR/webstorage/#security-storage. On top of the risks outlined in the specification, also consider that race conditions can exist and can be exploited (at least in the current implementation of the standard; see the warning at the top of the specification).

Risk mitigation strategies:
• Do not use the Web SQL Database API; it has been deprecated.
• Treat data coming from IndexedDB and Web Storage as untrusted, as it could have been corrupted by a malicious user or application.
• Be aware of race conditions when using Session Storage.
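As an added illustration of the second point (this is example code, not from the original post), the function below validates a preferences record read back from localStorage before the page uses it; the "prefs" key and the field schema are assumptions:

```javascript
// Added example, not from the original post. Anything read back from Web Storage
// or IndexedDB may have been altered (another script on the origin, a browser
// extension, or a user editing webappsstore.sqlite), so it is parsed and checked
// like any other untrusted input. The "prefs" key and its fields are assumptions.

var DEFAULT_PREFS = { theme: 'light', pageSize: 20, lang: 'en' };
var ALLOWED_THEMES = ['light', 'dark'];
var MAX_RAW_LENGTH = 1024;

// Takes the raw string from localStorage.getItem('prefs') and returns a fresh
// object built from DEFAULT_PREFS, overlaid only with stored fields that pass
// type and range checks. Unknown keys are never copied, so a tampered blob
// cannot smuggle extra properties into the application's state.
function loadPrefs(raw) {
  var out = Object.assign({}, DEFAULT_PREFS);
  if (typeof raw !== 'string' || raw.length > MAX_RAW_LENGTH) return out;
  var parsed;
  try {
    parsed = JSON.parse(raw);   // strict parser; never eval() storage contents
  } catch (e) {
    return out;                 // corrupt or non-JSON: fall back to defaults
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return out;
  if (ALLOWED_THEMES.indexOf(parsed.theme) !== -1) out.theme = parsed.theme;
  if (Number.isInteger(parsed.pageSize) && parsed.pageSize >= 5 && parsed.pageSize <= 100) {
    out.pageSize = parsed.pageSize;
  }
  if (typeof parsed.lang === 'string' && /^[a-z]{2}$/.test(parsed.lang)) out.lang = parsed.lang;
  return out;
}

// Write side: run the same checks before storing, so only the validated shape
// ever lands in storage. `storage` is any object with a setItem method.
function savePrefs(storage, prefs) {
  var clean = loadPrefs(JSON.stringify(prefs));
  storage.setItem('prefs', JSON.stringify(clean));
  return clean;
}

// Constructed sample records: one honest, the rest tampered in different ways.
var SAMPLES = {
  honest:   '{"theme":"dark","pageSize":50,"lang":"fr"}',
  markup:   '{"theme":"<b>dark</b>","pageSize":50,"lang":"fr"}',  // not in allow-list
  oversize: '{"theme":"dark","pageSize":999999,"lang":"fr"}',     // out of range
  garbage:  'not json at all',                                     // parse failure
  extra:    '{"theme":"dark","isAdmin":true}'                      // unknown key
};
```

In a page this is used as `var prefs = loadPrefs(localStorage.getItem('prefs'));`, and the same pattern applies to values read out of an IndexedDB object store.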

Potential future research area:
• Since SQLite seems to be embedded in the browsers, see if the new APIs allow previous SQLite bugs to be used: http://www.cvedetails.com/vendor/9237/Sqlite.html
• Mozilla Firefox stores all Web Storage objects in a single file named webappsstore.sqlite. The sqlite3 command can be used to show the elements stored therein.
• Drive-by install of WebKit in IE using XSS?
   o Everyone trusts Google, right?
• Develop an exploit using Web SQL Database to gain access to system resources.
   o It’s going to be around for a long time.

Friday, November 11, 2011

My Take on SharePoint Customization / Complexity

Here is my take on SharePoint Customization / Complexity. What do you think?

Friday, April 15, 2011

Getting the Display value of a variable reference field

On occasion there is a need to get the display value of a reference variable.
There are two ways to accomplish this. The first is to make a call back to the server and query the table.

The second and more efficient way is to use the getDisplayBox function of g_form.


var refFieldDispVal = g_form.getDisplayBox('the reference field').value;


Thanks to Mark Stanger for this pointer.

Adding a Reference Field to a UI Page

The following code is required to add a reference field to a UI Page. Note that it has type-ahead as well.

This example references the sys_user table and only returns accounts which are active and not locked out.

To use this code, add it to the HTML section of the ui_page.

<j:set var="jvar_user_query" value="QUERY:active=true^locked_out=false" />

<input id="user_query" type="hidden" value="${jvar_user_query}" />

<g:ui_reference name="${jvar_user_query}" table="sys_user" />



This enables the use of a reference field when custom forms are required.

JavaScript Code Snippet: Find and Replace all

Here is a JavaScript code snippet for a find and replace all.

This example code checks whether the string contains an instance of three dashes and, if so, replaces every occurrence with three spaces.


// The /g flag replaces every match, not just the first one.
// The indexOf check is optional: replace() leaves the string unchanged when there is no match.
if (str.indexOf('---') != -1) {
  str = str.replace(/---/g, '   ');
}

Monday, February 21, 2011

New Photo Viewer

I've been playing with a new jQuery photo viewer control called Cloud Carousel, written by Professor Cloud.

This new control has helped me learn about image resizing as well, which has helped me shrink the size of the banner image improving performance.

Check out my Gallery here: http://dalecox99.com/Fun%20Stuff/photos.aspx

On the Photo Page I created a new master page that gives the maximum view window to see all the photos.

I hope you enjoy the photos.

Tuesday, January 25, 2011

Silverlight Unit Testing Framework

I have to admit I haven’t dug into a lot of automated testing because so much of my work is based on user interface and asynchronous calls, but I came across this testing framework and it looked pretty interesting, as it simulates the user environment including the asynchronous capabilities: http://www.jeff.wilcox.name/2009/03/asynchronous-testing/

Friday, January 7, 2011

Excel Cell Formatting

A little reference Gem about formatting cell values, related to my post about Exporting to Excel.

On occasion the format of the Cell will need to be specified. In my case I needed to preserve leading zeros on the record.

Evidently I don’t know the right search terms to find out where this is documented, but after a rather long search I found that to get the text format I needed to use cell.NumberFormat = "@";

Many Thanks to today4me over at dreamincode.net http://www.dreamincode.net/code/snippet1218.htm for posting this little guide on formatting. I would have never guessed the @ symbol for the format.