
Sunday, July 3, 2011

HTML 5 - XSSQL attack

HTML 5 brings a lot of new features to the web. One of them is SQLite - a client-side database engine which allows data to be stored on the client side. Databases can be created and queried from JavaScript.

It is pretty clear that many developers would use the opportunity to store information on the client side. The risk will be high if they use this repository to store sensitive information such as user passwords, session ids, credit card numbers etc.
In the case of an XSS vulnerability in such a website, it would be possible to query these databases via JavaScript.
I even have a name for this attack - XSSQL :-) funny as well as concerning ...

Ultimately, XSS attacks remain common, and they become even more powerful with the ability to query client-side databases and steal sensitive information.

HTML 5 - SQLite Example



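/**
 * Demo: creates a client-side Web SQL database seeded with sample
 * credentials, then runs the statement taken from the page's `sql`
 * input against it and shows the resulting usernames in #div1 and
 * passwords in #div2.
 *
 * Two defensive points the demo makes visible: anything stored in
 * client-side storage is readable by any script running in the page's
 * origin (so plaintext passwords there are an XSS jackpot), and writing
 * database content into the page with innerHTML is itself a DOM XSS
 * sink. Results are therefore rendered with textContent.
 *
 * Depends on `window.openDatabase` (Web SQL, non-standard and removed
 * from most browsers) and on a page element reachable as `sql` with a
 * `.value` property - presumably a form field; verify against the
 * surrounding HTML. Does nothing when Web SQL is unavailable.
 *
 * Differences from the original listing: the original declared `db`
 * inside the `if` without braces and then used it unconditionally
 * (TypeError where Web SQL is missing); it was also missing the
 * semicolons that made the result loop a syntax error; and it wrote
 * the output divs on every loop iteration, never clearing them for an
 * empty result set.
 */
function db1() {
  if (!window.openDatabase) {
    // No Web SQL in this browser: nothing to create or query.
    return;
  }

  var db = openDatabase('yossidb', '1.0', 'attack this db', 2 * 1024 * 1024);

  // Seed data. Demo only - plaintext passwords in client storage are
  // exactly what the post warns against.
  db.transaction(function (tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS users (id unique, username, password)');
    tx.executeSql('INSERT INTO users (id, username, password) VALUES (1, "user1","bbbbb")');
    tx.executeSql('INSERT INTO users (id, username, password) VALUES (2, "user2","password")');
    tx.executeSql('INSERT INTO users (id, username, password) VALUES (3, "user3","username")');
    tx.executeSql('INSERT INTO users (id, username, password) VALUES (4, "user4","another")');
    tx.executeSql('INSERT INTO users (id, username, password) VALUES (5, "user5","fighter")');
    // tx.executeSql('DROP TABLE users'); // SELECT * FROM users
  });

  // Execute the statement supplied by the page and render the rows.
  db.transaction(function (tx) {
    tx.executeSql(sql.value, [], function (tx, results) {
      var len = results.rows.length;
      var users = '';
      var passwords = '';

      for (var i = 0; i < len; i++) {
        var row = results.rows.item(i);
        // Rows without a username column (e.g. a non-SELECT statement
        // or a different table) are skipped, as in the original.
        if (row.username != null) {
          users += row.username + ' ';
          passwords += row.password + ' ';
        }
      }

      // Written once after the loop, and with textContent rather than
      // innerHTML: row values are data under the control of whoever
      // wrote them to the database, not markup. An empty result set now
      // clears both divs instead of leaving stale output.
      document.getElementById('div1').textContent = users;
      document.getElementById('div2').textContent = passwords;
    });
  });
}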

1 comment:

  1. You're referring to a deprecated HTML5 feature, called WebSQL - it's currently only supported in Chrome, other browsers either didn't implement it or threw WebSQL away months ago.

    Still - it's worth documenting, here's more about WebSQL attacks:

    * http://www.andlabs.org/html5.html
    * http://code.google.com/p/html5security/wiki/WebSQLDatabaseSecurity
