HTML5 security: Local storage
In a previous article of mine, I discussed Cross Domain Messaging in HTML5. This article walks you through another feature, called local storage, and its security.
Local storage
Local storage is one of the new features added in HTML5. It was first introduced in Mozilla 1.5 and eventually embraced by the HTML5 specification.
We can use the local storage feature in HTML5 by using the JavaScript objects localStorage and sessionStorage. These objects allow us to store, retrieve and delete data based on name value pairs.
The data processed using the localStorage object persists through browser shutdowns, while data created using the sessionStorage object will be cleared after the current browsing session.
Learn Secure Coding
One important point to note is, this storage is origin-specific. This means that a site from a different origin cannot access the data stored in an application's local database.
Let me make it clear with a simple example. Below is a sample HTML5 application, which is capable of storing data using the local storage feature. We can also retrieve the data stored in the database using the "Show Data" button.
Let us first observe the origin of this site.
Let us assume that this is "Application A".
http://localhost:8383/
So here are the details:
Name: Application A
Origin: http://localhost:8383/
Let us click the Show Data button.
We are able to access the data stored by this application in the database. That is expected.
Now, let us try to access this data stored by application A from a different origin.
Let us assume that this is Application B
Here are the details:
Name: Application B
Origin: http://localhost/
Please note that the port number is different from Application A.
Let us click the "Show Data" button.
When I clicked "Show Data", there seems to be nothing displayed on the web page. This is because this application is running on a different origin.
Just to confirm, let us run a different application named "Application C" from the same origin as "Application A".
Here are the details.
Name: Application C
Origin: http://localhost:8383/
Let us click "Show Data" and observe the result.
Nice! We are able to access the data from this application, since it is from the same origin as Application A.
To conclude, I have used the same code in all the above examples but with different origins. We inserted data into the database using Application A. When we tried accessing it from Application B, it failed due to the same origin policy.
Let us now see some attacks possible with HTML5 local storage.
Storing sensitive data
Developers may store sensitive information in these databases. It is possible to find API keys or similar sensitive data when working with APIs due to their statelessness. We can exploit them using an XSS vulnerability if there is no physical access to the device.
Below is an example of how JavaScript's localStorage object stores data.
We can use the function setItem with some name-value pairs as parameters.
localStorage.setItem("data", "mydata");
As we can see in the figure below, Chrome stores this data in the following path.
We can programmatically read this data using JavaScript as shown below.
localStorage.getItem("data");
We can now go ahead and read this data from the SQLite database as shown below.
Script injection
SQLite data, when not properly sanitized, may lead to script injection attacks. Let us see a simple example.
Below is the same form we saw in the beginning of the article.
Let us store some sample data and retrieve it back as shown below.
If this data is not properly sanitized, it will lead to stored XSS Vulnerability as shown below.
This time, let us enter the below piece of code into the message box.
<img src='X' onerror=alert(1);>
Let us click the "Show Data" button and see the result.
As we can see, it has popped up an alertbox due to the JavaScript we injected.
Learn Secure Coding
Conclusion
This article has discussed how the HTML5 local storage feature works and how Same Origin Policy restrictions are applied on the data being stored. Finally, we have had a look at some possible attacks on the HTML5 local storage feature. We will see other HTML5 features and possible attacks in later articles.
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- HTML5 security: Local storage
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding