HTML5 has introduced several APIs, one of which is the File System API (http://www.w3.org/TR/file-system-api/).
Browsers are implementing it, and it covers both directories and files.
Hence a web application can now create a mini file system and dump files inside the browser.
These files can be accessed at any point in time by any script running in the browser under the
same domain (origin) context, and they can be permanent or temporary. The browser is acting like
a mini OS and exposing this surface. If XSS is found, it is easy to extract the full file system
created by the application.
For example, suppose an application has created a token file on the
file system using this API. The files can be seen in Chrome at the following URI.
In the figure above we can see the files being created in the
browser. Now, assuming XSS is found, it is easy to exploit by hooking into the
file system and extracting the content. The following code can be part of the
access routine.
Bottom line: a lot is being added to HTML5, and security professionals will need strong
JavaScript analysis and a careful look around to keep up. The developer community still
seems to be experimenting with these APIs, but the day is not far off when we will start
seeing these types of applications in production and landing at our doorstep for review.