Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Black Hat: Persistent web browser storage a risk?

From the 'do you know what your browser is storing' files:

WASHINGTON DC. With or without your knowledge, your web browser is storing information that could end up leaving you at risk - maybe. That's the gist of a presentation by security researcher Michael Sutton delivered at the Black Hat conference.

Browsers today store data in a variety of ways, including HTTP cookies, Flash local stored objects, and by way of Google Gears and the related HTML 5 storage specification.

With cookies, Sutton discussed an attack vector called client-side cross-site scripting that could potentially let insecure cookies from one site read the cookies from another. Cookies have been used by browser vendors since the earliest Netscape releases and have a limited scope in terms of the amount of data that can be included.

When it comes to Flash, Flash files save data with local stored objects, which are similar in some respects to cookies and are also limited in their storage capacity.

Then there is Gears, which provides a fully offline database for online web applications. Gears, which began life as Google Gears, is a Google technology used for offline Gmail and is also being used by several other third-party vendors.

"The problem with Gears could be a data confidentiality issue," Sutton said. "Gears itself is secure but if it is implemented insecurely by a site that's where the problems can occur."

Client-side SQL injection (csSQLi) is a potential issue since Gears can be controlled by JavaScript.

"So if there is a cross site vulnerability on a website where Gears is implemented you can read/write from the local client database," Sutton said.

Still, there isn't a need to be overly concerned - yet.

Sutton noted that sites need to do proper user input validation to help prevent SQL injection. As well, Gears' market penetration is still relatively small. Sutton predicts that Gears will take off, which is when the problems will start to become more apparent and widespread.

"A significant portion of sites adopting local database technologies will have injection flaws that leave them open to attack," Sutton argued. "Attack prevalence will increase in proportion to adoption."
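
The input-validation point above, as an added example that is not from the original article or from Sutton's presentation: Gears' database module is built on SQLite, so Python's built-in `sqlite3` stands in here for a site's local client database. The table, function names and sample values are constructed for illustration; the block compares a query built by string concatenation with one that uses bound parameters and an allowlist check.

```python
import re
import sqlite3

# Constructed sample value: its quote characters change the statement
# when it is pasted into SQL text.
UNTRUSTED_TERM = "x' OR '1'='1"

def make_local_db():
    """Constructed stand-in for a site's offline client database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, title TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        ("alice", "todo", "buy milk"),
        ("alice", "draft", "unsent message"),
        ("bob", "todo", "call bank"),
    ])
    return db

def search_concat(db, owner, term):
    """Weak: the value is concatenated into the SQL text and parsed as SQL."""
    sql = ("SELECT owner, title FROM notes WHERE owner = '" + owner +
           "' AND title = '" + term + "'")
    return db.execute(sql).fetchall()

def search_bound(db, owner, term):
    """Hardened: values travel as bound parameters and are never parsed as SQL."""
    sql = "SELECT owner, title FROM notes WHERE owner = ? AND title = ?"
    return db.execute(sql, (owner, term)).fetchall()

def valid_term(term):
    """Input validation: allowlist of characters plus a length limit."""
    return re.fullmatch(r"[A-Za-z0-9 _-]{1,64}", term) is not None

def search_checked(db, owner, term):
    """Validate first, then query with bound parameters."""
    return search_bound(db, owner, term) if valid_term(term) else []

if __name__ == "__main__":
    db = make_local_db()
    for fn in (search_concat, search_bound, search_checked):
        print(fn.__name__, fn(db, "alice", "todo"), fn(db, "alice", UNTRUSTED_TERM))
```

With the constructed value, the concatenated query returns every row in the table, including another owner's, while the bound and checked versions return nothing.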


1 Comment

For those interested, a blog posting stepping through the attack outlined in the article is available at:

http://research.zscaler.com/2009/02/practical-example-of-cssqli-using.html

Michael

--
Michael Sutton
VP, Security Research
Zscaler
