HTML5 opens up great opportunities for developers of web resources. However, one should not forget that these opportunities open up not only for the owners of the resources, but also for various kinds of scammers. I want to share a small observation of how a reckless thirst for new technologies can undermine the safety of your users.

The existing problem with the security of local data storage in HTML5 is no secret to anyone. However, for better understanding, I will recap it. HTML5 allows you to store data locally in localStorage and in WebDatabase. This data is accessible from JavaScript. Access rights to the storage are based on the combination of protocol + domain + port.

Obviously, unauthorized access to this data can be obtained by getting the user to visit a site at the address corresponding to the protocol + domain + port we need, and placing on it JavaScript code that reads the data we need and sends it to a server. This can be achieved using well-proven methods:
Using DNS or ARP spoofing;
Having access to network equipment;
Using a honeypot in the form of a free WiFi access point or a Tor exit node;
Using spyware.
The set of tools is very wide and, obviously, HTML5 storage simply cannot be used to hold security-critical data. I was very surprised when, on one well-known resource, I discovered in the local database a secret key used in the authentication mechanism. "Oh!" I said. But then I thought: “Probably they assume this mechanism is used only over HTTPS”. Yes, with HTTPS this scheme already looks better: some of the methods above will not work (of course, this ought to be written on the site in large letters). But I dug further and was upset again. The home page of the site includes scripts loaded over HTTP, which reduce the advantages of HTTPS to zero: the key can still be stolen.

It should be noted, nevertheless, that disclosure of this key does not give direct access to the resource; the key is only an addition to the password. I suppose that when developing HTML5 applications, one should be more careful about storing private data in local storage.
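
The mixed-content problem described above can be checked for mechanically. The following is an added example, not code from the original post or from the site it discusses: it lists the script tags on an HTTPS page that resolve to plain HTTP and shows how the storage origin is derived. The host names and sample HTML are constructed, and the function names are hypothetical.

```javascript
// Added example: audit an HTTPS page for scripts loaded over plain HTTP.
// SAMPLE_HTML and every host name below are constructed for illustration.

// Local storage is partitioned by origin: protocol + domain + port.
function storageOrigin(url) {
  return new URL(url).origin; // default ports (80/443) are normalised away
}

// Return every <script src> that resolves to http: on an https: page.
function findInsecureScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b[^>]*>/gi;
  // src attribute in double quotes, single quotes, or unquoted
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const [tag] of html.matchAll(tagRe)) {
    const m = srcRe.exec(tag);
    if (!m) continue; // inline script: delivered with the page itself
    const raw = m[1] ?? m[2] ?? m[3];
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's scheme.
      resolved = new URL(raw, page);
    } catch {
      continue; // unparsable src, nothing to fetch
    }
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      // This script runs with full access to the page's storage origin,
      // yet arrives over a channel that is neither encrypted nor authenticated.
      findings.push({ src: raw, origin: resolved.origin });
    }
  }
  return findings;
}

const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://stats.example.org/counter.js"></script>
<script src='HTTP://ads.example.org:8080/show.js' async></script>
<script>var inline = 1;</script>
</head></html>`;

for (const f of findInsecureScripts("https://app.example.com/login", SAMPLE_HTML)) {
  console.log(`insecure script: ${f.src} (origin ${f.origin})`);
}
```

Current browsers block such script loads on HTTPS pages by default, so a check like this is most useful in a build or review step, where it catches the reference before the page is published.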