At the Intel Security Conference last week I attended a presentation by Ming Chow on Abusing HTML 5. This sparked of some research on my part on the persistent storage API’s that the W3C is promoting.
I started with a deep dive into the Web SQL Database, which I felt was most risky implementation and a good target for SQL and Command injection attacks. However, it seems that the W3C is not going forward with the recommendation of using Web SQL Database. Though the functionality is still available to Webkit Layout engine used by several browsers, Google Chrome, Opera and Safari. This also means that mobile devices which utilize Webkit could use the capability. It also turns out that Webkit can be used in IE as an add-in, so theoretically the Web SQL Database API functionality could be available in IE as well.
More information on Web SQL Database:
http://www.w3.org/TR/webdatabase/
http://en.wikipedia.org/wiki/Web_SQL_Database
http://en.wikipedia.org/wiki/Comparison_of_layout_engines_(HTML5
http://www.roughlydrafted.com/2009/09/25/google-sneaks-webkit-html-5-support-into-internet-explorer/
More Research:
Since Web SQL Database was being deprecated I started researching the risks of IndexedDB and Web Storage API for client side persistent storage.
For IndexedDB See section 7 for the currently identified risks of using IndexedDB API. http://www.w3.org/TR/IndexedDB/ Currently only supported in Firefox and is actively being standardized by the W3C. Some Support in other layout engines but expect support to grow as specification matures.
For Web Storage see section 7 of the specification http://www.w3.org/TR/webstorage/#security-storage On top of the risks outlined in the specification also consider that race conditions can exist and can be exploited (At least at the current implementation of the standard, see warning at top of specification).
Risk mitigation strategies:
• Do not use Web SQL Database API, it has been deprecated.
• Treat data coming from IndexDB and Web Storage as untrusted as it could have been corrupted by a malicious user / application.
• Be aware of Race conditions when using Session Storage.
Potential future research area:
• Since SQLite seems embedded in the browsers see if the new API allow previous SQLite bugs to be used: http://www.cvedetails.com/vendor/9237/Sqlite.html
• Mozilla Firefox stores all Web Storage objects in a single file named webappsstore.sqlite. The sqlite3 command can be used to show the elements stored therein
• Drive by install of WebKit in IE using XSS?
o Everyone trusts Google right?
• Develop an exploit using Web SQL Database to gain access to system resources.
o It’s going to be around for a long time.
Tuesday, November 22, 2011
Friday, November 11, 2011
My Take on SharePoint Customization / Complexity
Here is my take on SharePoint Customization / Complexity. What do you think?
Subscribe to:
Posts (Atom)