ShmooCon: Web app storage open to attack

Get ready for client-side SQL injection attacks, one researcher warns

New forms of off-line client-side storage, such as those specified by the emerging HTML 5 set of standards, could open entirely new kinds of attacks to Web application users, said Michael Sutton, vice president of security research for cloud security firm ZScaler.

"As sites start to adopt Google Gears and HTML 5, this whole concept of stealing data from client-side relational databases will become a much, much bigger issue," said Sutton, speaking Sunday at the ShmooCon hacker conference in Washington. "In my opinion [they are] a lot easier to attack."

As ever more applications are being developed that run entirely over the Web, a number of new technologies have been introduced to put small relational databases on users' machines. A database on the client machine can store user data, allowing applications to be used while not on the Internet.

While such off-line storage extends the flexibility of Web applications, it also opens up an entirely new type of vulnerability for users, one that allows snoopers to copy and change the content of these databases, Sutton said.

Sutton examined two examples of client-side storage now gaining traction, Google's Gears and the persistent Web Storage specification in the World Wide Web Consortium's HTML 5.

Right now, only Chrome, Safari and Mobile Safari -- the iPhone browser -- support the HTML 5 storage specifications, thanks to the fact they all use the HTML 5-friendly WebKit browser engine.

Though Google is phasing Gears out in favor of HTML 5, it provides a glimpse of how HTML 5 off-line storage could work for most users, Sutton noted.

Gears is a browser plug-in that allows Web applications to work off-line. With the user's permission, the plug-in installs a copy of SQLite, a lightweight relational database, on the local machine, which applications can use to store their data.

Just as malicious hackers have harvested data from server-side databases using techniques such as SQL injection, so too could they target these client-side databases, using similar methods.

In fact, accessing the client database would be easier in many ways.

Normally with SQL injection, the attacker will not know the database structure beforehand -- the names of the tables and columns and datatypes. All that must be sussed out through multiple guesses. In contrast, someone wishing to fish through the database supplied by a social-networking service could simply download an identical copy of the database from that service, which would reveal the database structure. The attacker could then query the tables to retrieve information.

"It really is easier from the attack perspective," Sutton said.

Also, server-side SQL injection attacks rely on Web sites that do not filter malformed SQL requests coming from users. An attacker can send malicious commands to the database engine, using an input box of some sort on a Web page. Only if no filter is in place will the command be executed on the database engine.

On the client side, no such elaborate technique is needed. "I don't need a vulnerability in the way a traditional SQL injection would work," Sutton said. Instead, the attacker can just issue standard SQL queries to gather information.

Gears, like the proposed HTML 5 standards, uses JavaScript library functions to access the client-side database. So the trick to steal or alter data would involve slipping into a user-viewed Web page with a JavaScript call to the database.

Of course, with Gears and HTML 5, the user's browser restricts access to a database to the local machine and to the Web site or applications associated with that database. But Sutton mentioned several proven techniques to trick a browser into granting access to the user's databases.

The most obvious technique would be XSS (Cross-Site Scripting), in which the surreptitious query code is embedded into a link to the legitimate site, which can be sent to the user to click. If the site is not secured, the server will render the illicit code on behalf of the attacker.
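The reflected XSS case above is, in the end, a server-side rendering defect: the site pastes attacker-supplied input into the page unchanged. As an added example (not code from the article or from Gears), here is the vulnerable template beside its hardened form, written in Python with the standard library. The parameter value and the function names are constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a query-string parameter as it would arrive in a
# crafted link to the legitimate site. The script body is a placeholder; what
# matters is that the browser would parse the tags as markup if the server
# reflected them unchanged.
CRAFTED_NAME = "<script>/* attacker-controlled JavaScript */</script>"


def render_unsafe(name: str) -> str:
    """Vulnerable server-side template: untrusted input is pasted into HTML
    unchanged, so any markup in it runs in the site's own origin."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened version: characters with HTML meaning (<, >, &, quotes) are
    escaped, so the same input is displayed as text rather than executed."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def safe_href(url: str) -> str:
    """Escaping alone does not make a URL safe inside an href attribute: a
    javascript: URL contains no HTML metacharacters at all. Allow only
    http(s) destinations and replace anything else with an inert '#'."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def reflects_input(rendered: str, untrusted: str) -> bool:
    """True when the untrusted string survived verbatim in the output, i.e.
    when the browser would still see exactly the markup the attacker wrote."""
    return untrusted in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CRAFTED_NAME))
    print("safe:  ", render_safe(CRAFTED_NAME))
    print("href:  ", safe_href("javascript:/* placeholder */"))
```

The escaping has to happen at output time and per context: `render_safe` covers text inside an element, while `safe_href` shows that an attribute holding a URL needs a scheme check on top of escaping. Once no injected script can run in the site's origin, the browser's origin restriction on the local database does its job.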

Sutton noted a survey conducted by WhiteHat Security, released last November, that found that 66 percent of Web sites are vulnerable to XSS attacks.

There are other ways of fooling the browser as well. "All that matters is that my browser must believe that it is going to the site that set up the database. If I have that and I have the ability to inject JavaScript into that page, now I can query that database," he said.

The browser could be sent to a malicious copycat site by the use of DNS hijacking, for instance. Or, if the attacker could write to the local file system, say through a browser vulnerability, then the local name resolution file (such as the hosts file on Windows) could be amended with false addresses. Or, a proxy could be set up between the user and the Internet.

What sort of information will be found on client-side databases? Pretty much anything, Sutton noted. Google itself uses Gears for services such as Gmail and Google Voice. A scan of the corresponding local databases used for those services turned up for Sutton items such as the e-mail headers in Gmail and contact information in the Google Voice database.
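Two points from the talk combine into a simple defensive check: the schema of an offline store is no secret (anyone with the same application gets an identical copy), and what ends up in it is whatever the application chose to cache. The example below is added here and is not code from the article, Gears or Google; it builds a constructed SQLite store with invented tables (not the real Gmail or Google Voice schema) and enumerates every table and column, flagging the ones whose names suggest personal data or credentials, so the team shipping the application can see exactly what a successful query against the client would return.

```python
import re
import sqlite3

# Constructed stand-in for an offline cache. Table and column names are
# invented for this example and are not the schema of any real application.
SAMPLE_SCHEMA = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, from_address TEXT, body TEXT);
CREATE TABLE contacts (id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT, email TEXT);
CREATE TABLE session  (id INTEGER PRIMARY KEY, auth_token TEXT);
INSERT INTO messages VALUES (1, 'Q3 figures', 'cfo@example.invalid', 'see attachment');
INSERT INTO messages VALUES (2, 'Lunch?', 'pat@example.invalid', 'noon works');
INSERT INTO contacts VALUES (1, 'Pat Example', '+1-555-0100', 'pat@example.invalid');
INSERT INTO contacts VALUES (2, 'Sam Example', '+1-555-0101', 'sam@example.invalid');
INSERT INTO session  VALUES (1, 'constructed-token-value');
"""

# Column-name fragments that usually indicate personal data or credentials.
# This list is an assumption of the example, not a standard; extend it to
# match the naming conventions of the application being audited.
SENSITIVE_COLUMN = re.compile(r"address|email|phone|token|password|secret|cookie", re.I)


def open_sample_store() -> sqlite3.Connection:
    """Create the constructed store in memory; Gears used an on-disk SQLite
    file, which sqlite3.connect(path) would open the same way."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier so table names are never interpolated raw."""
    return '"' + name.replace('"', '""') + '"'


def audit_offline_store(conn: sqlite3.Connection) -> list:
    """Walk every user table, read its column list via PRAGMA table_info
    (cid, name, type, notnull, dflt_value, pk) and report the columns whose
    names match SENSITIVE_COLUMN together with how many rows they expose."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        row_count = conn.execute(f"SELECT COUNT(*) FROM {quote_ident(table)}").fetchone()[0]
        for _cid, column, ctype, *_rest in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if SENSITIVE_COLUMN.search(column):
                findings.append({"table": table, "column": column,
                                 "type": ctype, "rows": row_count})
    return findings


if __name__ == "__main__":
    for finding in audit_offline_store(open_sample_store()):
        print(f"{finding['table']}.{finding['column']} ({finding['type']}): "
              f"{finding['rows']} rows")
```

Run against a real cache file the output is a list of what an attacker with script access to the origin could read; every flagged column is a candidate for not being cached at all, being cached in reduced form, or being protected by a key that lives outside the store.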

Although now still largely theoretical, such attacks may prove to be a significant problem in the years to come. "This isn't a passive sniffing, this is active. I don't have to wait for the information that I care about, I can actually query the database," Sutton said.

Joab Jackson

IDG News Service