Web Storage Security Preso – Zach Jones - bSidesOC

greenpepperwhinny - Security

3 Nov 2013

Web Storage

HTML5 is alive! (with XSS)

ZACHARY JONES

Threat Research Center Supervisor

What is Web storage?

A JavaScript API that defines persistent storage of key-value pair data in Web clients.

Synchronous: every call blocks the calling script until it completes.

Present in many JavaScript frameworks and libraries, often transparently:

jQuery

jStorage

Gomez

Modernizr



© 2013 WhiteHat Security, Inc.


Web storage flavors

sessionStorage

Each top-level browsing context (tab or window) has a unique set of session storage areas, one for each origin.

Similar to cookies, but not transmitted with HTTP requests.

Clones and zombies: a duplicated tab starts with a copy of the original tab's session storage, and browser session restore can resurrect storage the developer assumed died with the tab.

SOP applies.

5MB limit*


localStorage

Effectively one store per origin (scheme, host and port), shared by every page on it.

Has no expiry.

Persists after the browser closes, and can survive the user clearing "private data".

SOP applies.

No path restrictions (unlike cookies): every path on the origin reads the same store.

2.5 MB per origin in Google Chrome*

5 MB per origin in Mozilla Firefox and Opera

10 MB per origin in Internet Explorer*

*https://github.com/feross/filldisk.js (which also shows the per-origin quota multiplying across subdomains, since each subdomain is a separate origin)

Web storage is well supported


Simple API

{storetype} is localStorage or sessionStorage:

window.{storetype}.setItem(key, value)

Stores a key-value pair for the current origin. Keys and values are stored as strings; anything else is coerced (an object becomes "[object Object]"), so structured data is normally serialised with JSON.stringify first.

window.{storetype}.getItem(key)

Returns the value, or null if the key is absent.

window.{storetype}.removeItem(key)

Removes the key and its value from storage.

window.{storetype}.clear()

Completely clears storage for the current origin.

{storetype}.length and {storetype}.key(index) enumerate the stored keys.


A perfect storm?




Ways developers can misuse Web storage

Store sensitive data or code

  Not encrypted: written to disk in plaintext.

  No Secure/HttpOnly equivalent: any script running on the origin can read it.

  Cannot guarantee integrity: any script on the origin, or the local user via the dev tools, can change it.

  Shared domains: every application and page on the origin reads and writes the same store.

Use for access control or other logic

  Admin = true cookie all over again.

  Prices in shopping carts.

Write stored data to page with vulnerable JS sink

  Evil roommate / public computers: whoever had the keyboard can seed the store.

  Make reflective XSS persistent: a payload that lands in storage once is replayed into the sink on every later load.

  The perfect storm
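The "admin = true" and "prices in shopping carts" items above, worked through as an added example that is not part of the slides. It assumes a two-line Map-backed stand-in for window.localStorage so it runs under Node, and a constructed product catalog standing in for the server's authoritative price list; in a page you would pass window.localStorage instead. The hardened total treats everything read from storage as untrusted: unknown SKUs, non-integer or out-of-range quantities and a corrupted blob are all ignored, and the price is never taken from the client.

```javascript
// Added example (not from the slides): trusting localStorage for business logic.
// A cart that keeps unit prices in Web storage can be repriced by anyone who can
// run script on the origin, or by the local user from the dev-tools console.
// Assumption: a Map-backed stand-in replaces window.localStorage under Node.
const backing = new Map();
const storage = {
  getItem: (k) => (backing.has(k) ? backing.get(k) : null),
  setItem: (k, v) => backing.set(String(k), String(v)), // Web Storage holds strings only
};

// Constructed catalog standing in for the prices the server would supply (assumption).
const CATALOG = { 'sku-100': 49.99, 'sku-200': 5.0 };

// What a well-meaning developer writes: the cart, prices included, round-trips
// through localStorage so it survives a reload.
function saveCart(store, items) {
  store.setItem('cart', JSON.stringify(items));
}

// VULNERABLE: the unit price is read back from storage and believed.
function cartTotalUnsafe(store) {
  const items = JSON.parse(store.getItem('cart') || '[]');
  return items.reduce((sum, it) => sum + it.price * it.qty, 0);
}

// Hardened: storage is untrusted input. Only the expected shape is accepted
// (known SKU, small positive integer quantity); the price comes from the
// catalog, never from the client, and a corrupt blob means an empty cart.
function cartTotalSafe(store) {
  let items;
  try {
    items = JSON.parse(store.getItem('cart') || '[]');
  } catch (e) {
    return 0;
  }
  if (!Array.isArray(items)) return 0;
  let total = 0;
  for (const it of items) {
    if (!it || typeof it !== 'object') continue;
    if (!Object.prototype.hasOwnProperty.call(CATALOG, it.sku)) continue;
    if (!Number.isInteger(it.qty) || it.qty < 1 || it.qty > 99) continue;
    total += CATALOG[it.sku] * it.qty;
  }
  return Math.round(total * 100) / 100;
}

// Tampering as it happens from the console or an injected script: rewrite the
// stored price. Nothing stops it: no HttpOnly, no integrity check.
function tamperWithPrice(store, sku, newPrice) {
  const items = JSON.parse(store.getItem('cart') || '[]');
  for (const it of items) if (it.sku === sku) it.price = newPrice;
  store.setItem('cart', JSON.stringify(items));
}

saveCart(storage, [{ sku: 'sku-100', price: 49.99, qty: 2 }]);
tamperWithPrice(storage, 'sku-100', 0.01);
console.log('unsafe total:', cartTotalUnsafe(storage), 'safe total:', cartTotalSafe(storage));
```

The same shape applies to an "isAdmin" flag: a client-side value can gate what the UI draws, but the server must make the authorisation decision from its own session state, never from what the browser sends back out of storage.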




The barriers


ON THE HUNT


Minification


Concatenation


Multiple sources

Third-party APIs


Obfuscation



Help is on the way



Simple Session Detection Addon (FF)

https://addons.mozilla.org/en-US/firefox/addon/simplesessiondetection/

Foundstone HTML5 localStorage Explorer (FF)

Firebug DOM Tab (FF)

Developer Tools Resources Tab (Chrome)

Local Storage Manager (Chrome)



Red flags



Values like these suggest the page later feeds storage contents into a URL, DOM or script sink:

Absolute or relative paths in storage

HTML in storage

JS code in storage
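A console helper for the red flags above, added here as an example (not a tool from the slides or from WhiteHat Security). It walks any object with the standard Storage enumeration API (length, key(i), getItem) and flags values that look like paths or URLs, HTML, or JavaScript. The Map-backed makeStorage stand-in and the SAMPLE entries are constructed so the code runs under Node; on a target page call scanStorage(window.localStorage) and scanStorage(window.sessionStorage) from the devtools console. The three rules are heuristics and will miss encoded or fragmented payloads; they are a starting point for manual review, not a verdict.

```javascript
// Added example (not from the slides): triage a page's Web storage for the
// red flags listed above: path-like values, HTML and JavaScript code.

// Stand-in for window.localStorage / sessionStorage so this runs under Node
// (assumption); only the standard enumeration API is used.
function makeStorage(entries) {
  const m = new Map(Object.entries(entries).map(([k, v]) => [k, String(v)]));
  return {
    get length() { return m.size; },
    key: (i) => (i < m.size ? [...m.keys()][i] : null),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
}

// Each rule is a regex over the stored value. These are heuristics, not proof.
const RULES = [
  // absolute/relative filesystem paths, Windows drive paths, http(s) URLs
  { flag: 'path', re: /^(?:\/|\.\.?\/|[a-z]:\\|https?:\/\/)[^\s]*/i },
  // anything shaped like an HTML tag
  { flag: 'html', re: /<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i },
  // function bodies, arrow functions, eval, DOM access, javascript: URLs, on*= handlers
  { flag: 'js', re: /(?:\bfunction\b|=>|\beval\s*\(|\bdocument\.|\bwindow\.|\bjavascript:|\bon[a-z]+\s*=)/i },
];

// Walks a Storage-like object and returns one finding per key that matches at
// least one rule, with a short preview of the value for the report.
function scanStorage(store) {
  const findings = [];
  for (let i = 0; i < store.length; i++) {
    const key = store.key(i);
    const value = store.getItem(key);
    if (value === null) continue;
    const flags = RULES.filter((r) => r.re.test(value)).map((r) => r.flag);
    if (flags.length) findings.push({ key, flags, preview: value.slice(0, 60) });
  }
  return findings;
}

// Constructed sample entries (assumption): what a storage dump might contain.
const SAMPLE = makeStorage({
  theme: 'dark',
  lastVisited: '/account/settings',
  welcomeBanner: '<div class="hello">Welcome back, <b>alice</b></div>',
  plugin: 'function(){ document.body.innerHTML = localStorage.getItem("welcomeBanner"); }',
  searchHistory: JSON.stringify(['shoes', 'bags']),
  cdn: 'https://cdn.example.com/app.js',
});

console.log(scanStorage(SAMPLE));
```

Each finding is a lead, not a vulnerability: the next step is to search the (possibly minified and concatenated) scripts for the key name and follow it to the sink that consumes it.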



Mozilla

THE REAL WORLD


Take away




Always:

Always validate, encode, and escape user input before placing it into localStorage or sessionStorage.

Always validate, encode, and escape data read from localStorage or sessionStorage before writing it onto the page (DOM).

Always treat all data read from localStorage or sessionStorage as untrusted user input.
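The three take-aways applied to the "write stored data to page with vulnerable JS sink" / "make reflective XSS persistent" pattern from the misuse slide, as an added example that is not code from the presentation. It assumes a Map-backed stand-in for window.localStorage so it runs under Node, and its render functions return the HTML string the page would assign to element.innerHTML rather than touching the DOM. The search-term allow-list is an assumption for illustration; the encoding is for the element-content context only, and a value going into an attribute, URL or script context needs the encoding for that context.

```javascript
// Added example (not from the slides): reading Web storage straight into a
// JavaScript sink, beside the hardened version that follows the take-aways.
// Assumption: a Map-backed stand-in replaces window.localStorage under Node.
const backing = new Map();
const storage = {
  getItem: (k) => (backing.has(k) ? backing.get(k) : null),
  setItem: (k, v) => backing.set(String(k), String(v)),
};

// Step 1: the application remembers the user's last search term. A reflected
// XSS on the search page (or the evil roommate at the keyboard) only needs to
// get a payload into this key once.
function rememberSearch(store, term) {
  store.setItem('lastSearch', term);
}

// VULNERABLE: on every later page load the stored value is concatenated into
// markup. The one-shot reflected payload now fires persistently, on this
// origin, for this browser profile, until the key is cleared.
function renderLastSearchUnsafe(store) {
  const term = store.getItem('lastSearch') || '';
  return '<p>Your last search: <b>' + term + '</b></p>';
}

// HTML-encode for the element-content context (take-away 2: encode before
// writing to the DOM). Assigning textContent instead of innerHTML is the
// DOM-API equivalent.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}

// Validate on the way in (take-away 1): an allow-list for what a search term
// may look like, with a length cap (assumed policy). Stores nothing otherwise.
const SEARCH_TERM = /^[\p{L}\p{N} _.,'-]{1,64}$/u;
function rememberSearchSafe(store, term) {
  if (typeof term !== 'string' || !SEARCH_TERM.test(term)) return false;
  store.setItem('lastSearch', term);
  return true;
}

// Hardened read (take-away 3): storage content is untrusted even if it passed
// validation when written, because any script on the origin, another app on a
// shared host, or the local user can overwrite it later. Re-validate, then
// encode for the sink.
function renderLastSearchSafe(store) {
  const term = store.getItem('lastSearch');
  if (term === null || !SEARCH_TERM.test(term)) return '<p>No recent searches.</p>';
  return '<p>Your last search: <b>' + escapeHtml(term) + '</b></p>';
}

// The reflected payload, as the search page would have echoed it into storage.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';
rememberSearch(storage, PAYLOAD);
console.log('unsafe:', renderLastSearchUnsafe(storage));
console.log('safe:  ', renderLastSearchSafe(storage));
```

Validation on write alone is not enough: the unsafe render above would still fire if a second script on the same origin, or the user at the console, wrote the payload directly, which is why the safe read re-validates and encodes regardless of who wrote the value.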





QUESTIONS?


Thank you

ZACHARY JONES

Threat Research Center Supervisor

zach.jones@whitehatsec.com

@HClO4Burns