Friday 25 December 2015

HTML5 Security - Local Storage

This article walks you through a HTML5 Security feature called Local Storage and it’s security.

Local Storage:
Local Storage is one of the new features added in HTML5. It was first  introduced in Mozilla 1.5 and eventually embraced by the HTML5 specification. We can use Local Storage feature in HTML5 using the JavaScript objects localStorage, sessionStorage.

These objects allow us to store, retrieve and delete data based on name value pairs.The data processed using localStorage object persists through browser shutdowns. While data created using sessionStorage object will be cleared after the current browsing session.

One important point to note is, this storage is origin-specific. It means, a site from a different origin cannot access the data stored in application’s local database.

Let me make it clear with a simple example.
Below is a sample HTML5 application, which is capable of storing data using local storage feature. We can also retrieve the data stored in the database using “Show Data” button.

Let us first observer the origin of this site.
Let us assume that this is Application A.


So here are the details:

Name: Application A
Origin: http://localhost:8383/

Let us click Show Data button.

We are able to access the data stored by this application in the database. That is expected.

Now, let us try to access this data stored by application A from a different origin.

Let us assume that this is Application B

Here are the details:

Name: Application B
Origin: http://localhost/

Please note that, port number is different from Application A.

Let us click “Show Data” button.

When I clicked “Show Data”, there seems to be nothing displayed on the webpage. This is because; this application is running on a different origin.

Just to confirm, let us run a different application named “Application C” from the same origin as “Application A”.

Here are the details.

Name: Application C
Origin: http://localhost:8383/

Let us click “Show Data” as observe the result.

Nice! We are able to access the data from this application, since it is from the same origin as Application A.

To conclude I have used the same code in all the above examples but with different origins. We inserted data into the database using Application A. When tried accessing it from Application B it failed due to the same origin policy.

Let us now see some attacks possible with HTML5 local storage.

Storing Sensitive Data

Developers may store sensitive information in these databases. It is possible to find API keys or similar sensitive data when working with APIs due to their statelessness. We can exploit them using an XSS vulnerability if there is no physical access to the device.

Below is an example of how JavaScript’s localStorage object stores data.

We can use the function setItem with some name-value pairs as parameters.

localStorage.setItem("data", “mydata”);

As we can see in the figure below, chrome stores this data in the following path.

We can programmatically read this data using JavaScript as shown below.


We can now go ahead and read this data from the SQLite database as shown below.

Script Injection

SQLite data when not properly sanitized, may lead to script injection attacks. Let us see a simple example.

Below is the same form, which we saw in the beginning of the article.

Let us store some sample data and retrieve it back as shown below.

If this data is not properly sanitized, it will lead to stored XSS Vulnerability as shown below.

This time, let us enter the below piece of code into the message box.

<img src=’X’ onerror=alert(1);>

Let us click “Show Data” button and see the result.

As we can notice, it has popped up an alertbox due to the JavaScript we injected.

This article has discussed, how HTML5 local storage feature works and how Same Origin Policy restrictions are applied on the data being stored. Finally, we have had a look at some possible attacks on HTML5 local storage feature. We will see other HTML5 features and possible attacks in later articles.

0 comments : Post Yours! Read Comment Policy ▼
We have Zero Tolerance to Spam. Chessy Comments and Comments with Links will be deleted immediately upon our review.