HTML 5 – Persistent Offline Storage As A Risk Management Challenge
I just watched an excellent Shmoocon presentation by Michael Sutton called, “Pulling The Plug — Security Risks in Next Generation Offline Web Apps.”
His main theme is that the HTTP Cookies and Flash Local SharedObjects that developers use today are going to be relatively rapidly overtaken by HTML5’s persistent offline storage (with Gears to continue as a transitional technology). WebKit browsers already handle offline data storage today (Safari on Mac OS & iPhone, and Google Chrome).
We have all been associated with cookies as indicators of authentication as well as a “live” session. And most of us have been much nearer than we would wish to Flash and its “cookies” (LSOs). Mr. Sutton argues that is the past.
Increasing pressure to make web applications mobile friendly and/or off-line friendly, has resulted in the importance of “local” storage rapidly accelerating for an extended period. HTML5 has many new features, but persistent offline storage may have the greatest impact on financial services risk management (it may also have dramatic impacts in the Health, retail, and transportation industries as well, but those are the topics of other blogs). As more and more data persists on mobile devices, attacks against those data stores will increase.
HTML5 uses SQLite as its relational data store. Mr. Sutton highlights a key risk issue for this approach by reminding us how many applications today are vulnerable to XSS attacks, and then outlining enumeration logic for an SQLite attack:
(1) Identify Tables
SELECT name FROM sqlite_master WHERE type=’table’
(2) Identity Table Structure
SELECT sql FROM sqlite_master WHERE name=’table_name’
(3) Access and use the data
var rs = db.execute(‘SELECT * FROM __DOJO_STORAGE’);
while (rs.isValidRow()) (
data = data + (rs.field(0) + ‘#’ + rs.field(1));
data = data + ‘\n’;
Criminals will necessarily find something much more interesting for the data than our “alert”…
I strongly recommend this presentation to all security professionals. He describes a world where writing risk-appropriate applications is going to keep getting harder — much harder. And HTML5’s persistent offline storage will challenge our software architects, application designers, risk managers, marketing executives, and risk management professionals. What do you think?
The Shmoocon 2010 Schedule and Presentations: http://www.shmoocon.org/presentations.html