Web app storage open to attack
(Computer News Middle East Via Acquire Media NewsEdge) New forms of off-line client-side storage, such as those specified by the emerging HTML 5 set of standards, could open entirely new kinds of attacks to Web application users, according to Michael Sutton, VP of security research for cloud security firm ZScaler.
"As sites start to adopt Google Gears and HTML 5, this whole concept of stealing data from client-side relational databases will become a much, much bigger issue," said Sutton, speaking Sunday at the ShmooCon hacker conference in Washington. "In my opinion [they are] a lot easier to attack."
As ever more applications are being developed that run entirely over the Web, a number of new technologies have been introduced to put small relational databases on users' machines. A database on the client machine can store user data, allowing applications to be used while not on the Internet. While such off-line storage extends the flexibility of Web applications, it also opens up an entirely new type of vulnerability for users, one that allows snoopers to copy and change the content of these databases, Sutton said.
Just as malicious hackers have harvested data from server-side databases using techniques such as SQL injection, so too could they target client-side databases, using similar methods. In fact, accessing the client database would be easier in many ways. Normally with SQL injection, the attacker will not know the database structure beforehand -- the names of the tables and columns and datatypes. All that must be sussed out through multiple guesses. In contrast, someone wishing to fish through the database supplied by a social-networking service could simply download an identical copy of the database from that service, which would reveal the database structure. The attacker could then query the tables to retrieve information.
"It really is easier from the attack perspective," Sutton said.
Also, server-side SQL injection attacks rely on Web sites that do not filter malformed SQL requests coming from users. An attacker can send malicious commands to the database engine, using an input box of some sort on a Web page. Only without a filter in place will the command be executed on the database engine. On the client side, no such elaborate technique is needed. "I don't need a vulnerability in the way a traditional SQL injection would work," Sutton said. Instead, the attacker can just issue standard SQL queries to gather information.
What sort of information will be found on client-side databases? Pretty much anything, Sutton noted. Google itself uses Gears for services such as Gmail and Google Voice. Sutton's scan of the corresponding local databases turned up items such as e-mail headers in the Gmail store and contact information in the Google Voice store.
Although still largely theoretical for now, such attacks may prove to be a significant problem in the years to come. "This isn't a passive sniffing, this is active. I don't have to wait for the information that I care about, I can actually query the database," Sutton said.
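The practical consequence for anyone building an offline feature is that the local store is an ordinary database file: its schema is readable from the catalogue and its rows answer to standard SQL, so whatever is written there is exposed to any code or person with access to the user's disk. The following added example (written for this page, not code from the article, Zscaler or any Google product) is a small Python audit that does what a developer should do before shipping: open the store with the standard `sqlite3` module, enumerate tables and columns from `sqlite_master`, and flag columns whose text looks like e-mail addresses or phone numbers. The table layout and rows are constructed for the demonstration and are not the layout of Gears or of any real service.

```python
import re
import sqlite3

# Heuristic patterns for the kinds of personal data the article says turned up
# in local stores (e-mail headers, contact details). Not exhaustive.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
}


def build_sample_store(conn):
    """Populate a hypothetical offline mail/contacts store (constructed data, not a real schema)."""
    cur = conn.cursor()
    cur.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)")
    cur.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    cur.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    cur.executemany("INSERT INTO messages (sender, subject, body) VALUES (?, ?, ?)", [
        ("alice@example.com", "Lunch?", "Noon works for me."),
        ("bob@example.org", "Invoice", "Call me at +1 555 010 2000 if unclear."),
    ])
    cur.executemany("INSERT INTO contacts (name, phone) VALUES (?, ?)", [
        ("Carol", "+44 20 7946 0958"),
        ("Dave", "n/a"),
    ])
    cur.executemany("INSERT INTO settings VALUES (?, ?)", [("theme", "dark"), ("sync_interval", "300")])
    conn.commit()


def list_schema(conn):
    """Read table and column names out of sqlite_master: the structure of a local store is not a secret."""
    schema = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"):
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
        schema[name] = cols
    return schema


def audit_store(conn):
    """Return {(table, column): {kind: hit_count}} for columns holding sensitive-looking text."""
    findings = {}
    for table, cols in list_schema(conn).items():
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue
                for kind, pat in PATTERNS.items():
                    if pat.search(value):
                        hits = findings.setdefault((table, col), {})
                        hits[kind] = hits.get(kind, 0) + 1
    return findings


def run_demo():
    """Build the constructed store in memory and audit it; returns (schema, findings)."""
    conn = sqlite3.connect(":memory:")  # a shipped store would be a file under the user's profile
    build_sample_store(conn)
    return list_schema(conn), audit_store(conn)


if __name__ == "__main__":
    schema, findings = run_demo()
    for table, cols in schema.items():
        print(f"table {table}: {', '.join(cols)}")
    for (table, col), kinds in sorted(findings.items()):
        print(f"sensitive data in {table}.{col}: {kinds}")
```

Pointing `sqlite3.connect` at the real store file instead of `:memory:` turns this into a pre-release check: every column the audit reports is data that will be readable on the client without any injection flaw, and the usual remedies are to keep it out of the offline store altogether, to store only what the offline mode genuinely needs, or to encrypt it on the way in with a key that never rests on the same disk.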
(c) 2008 IDG Middle East. All rights reserved. Provided by Syndigate.info an Albawaba.com company