For the past few days, I have been messing with some of the features of HTML 5:
- local storage
- Offline web applications
These features enable the development of real applications, running in the browser. It has a lot of advantages: easily updating the application, reduce the workload on the server, etc.
But it changes the way you write your code. You have to adapt the usual protection mechanisms to these changes.
Here are some thoughts about the common web application vulnerabilities.
Warning: I consider here a web application with practically no server-side code: everything executes in the browser. And I’ll use the point of view of someone attacking the application running in the browser. And I’ll be optimist enough to trust the browser…
SQL injections in servers let you access the user’s data, and access the server itself (file uploads, starting external programs, etc). With local storage and WebSQL, you won’t be able to access the host, only the data (unless there’s a browser vulnerability about that). And you can use some sort of prepared statement syntax to prevent injection. There may be a risk with key/value stores if you let the user input control the key.
Cross site scripting
This is in my opinion the biggest risk. If all the logic of your application is on the client’s side, unwanted code executing in the browser has access to everything. This one can be mitigated by filtering what will be displayed on your webpage.
Cross site request forgery
This one is not critical, unless you use locally URL parameters (don’t laugh, it has often been done and exploited in Flash applications). Be aware that an attackant could get data in local storage that way.
It really worries me that so much data can stay a long time in the user’s browser. With a database hosted on your server, if unwanted data(persistent XSS, malwares…) is stored, you can erase it, patch your website’s code, and your users will be safe.
With HTML 5, you’ll have to clean every user’s data. You can’t be sure that you have protected all your users (someone could wait 6 months before coming back to your website). And because you can’t be sure, your code has to check for each known bad data. It needs a lot of code, time and tests.
Are we screwed?
These were only quick thoughts about the vulnerabilities you could encounter with client side web applications. It is not really hard to protect the application, but you have to be very careful about what data you will trust. The good thing is, these vulnerabilities are not new: you can see them in lots of Flash applications. So, the mitigation mechanisms are well known, and easy to apply.