ilev Posted May 12, 2010 Share Posted May 12, 2010 New HTML Version Comes With Security Risks Of Its Own : http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224701560 Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors. Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]." Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer. HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says. Link to comment Share on other sites More sharing options...
Elliott Posted May 12, 2010 Share Posted May 12, 2010 Yes and no. Yes, SQL injection is possible. However, I don't see how this could be an attack vector of any sort. It's just for local storage of your data, and only the domain that created the local storage can access it (like cookies). Link to comment Share on other sites More sharing options...
AgentGray Posted May 12, 2010 Share Posted May 12, 2010 Wow... he found a term that sounds scary "SQL INjection attack!" and knows mothers will read that as "OH NO THAT THING THAT ONETIME STOLE SOME CREDIT CARDS! MY COMPUTER AT RISK!" ... nevermind that "client side storage" and "SQL Database" aren't....the same thing Link to comment Share on other sites More sharing options...
ilev Posted May 12, 2010 Author Share Posted May 12, 2010 nevermind that "client side storage" and "SQL Database" aren't....the same thing You better do some research. In this case they are. It the same as the SQL DB in Firefox on clients machines Chrome 4 Now Supports the HTML 5 Web SQL Database API : http://www.infoq.com/news/2010/02/Web-SQL-Database As part of HTML 5, the W3C organization is working on a draft of the Web SQL Database API, a specification which covers storing and accessing data through SQL. The SQL language dialect which is described in the documentation is that of SQLite 3.6.19. This API allows web pages to contain code that interacts with an embedded client database, which is useful for applications wanting to store data locally or for offline browsing. Link to comment Share on other sites More sharing options...
AgentGray Posted May 12, 2010 Share Posted May 12, 2010 ah... my mistake then. That is potentially a problem as your database will only be as secure as the worst web app >> Link to comment Share on other sites More sharing options...
Recommended Posts