globalStorage, how it could become a problem.
With JavaScript 1.7 being implemented in Firefox 2.0, new features are now available to developers. One of these is session and persistent data storage on the client side using the new DOM Storage API. We have the ability to store session data or persistent data, which is really cool from a developer's point of view; it is something I will be making use of, and have already put to use in a project.
Now comes the problem for remotely hosted forum services like ProBoards, InvisionFree, or any other you care to name. When you sign up for a forum, you are given a subdomain such as http://username.server.com, or a path such as http://server.domain.com/user/. So, for example, if you register a ProBoards forum you will get something like http://username.proboardsXX.com, where XX is the server number. One server could host thousands of forums.
Throughout this post I will be using ProBoards as an example, but the same problem most likely exists for other hosting services.
Now, when you set a session variable, it can only be accessed on the forum where it was set, which is a good thing, so no danger there. But if we use the persistent API (globalStorage), we can set the storage domain to the server itself (i.e. proboards17.com) and then store any information we want. The good thing about this is that we can store information and recall it the next time the user visits, even after the browser has been closed, because the data is persistent. Cool, right? Nope, not really; let me explain…
Let's say I have a forum on server 77, and someone who is also on server 77 is using a hack of mine from the database (JavaScript code that gets placed in the header or footer). The hack doesn't even need to be in a remote JS file; it can just be a simple "Total visits to this forum" counter for the member. They wouldn't know what the code really does, because what it would actually be doing is storing the username and password in the storage object. Now let's say that user visits my forum (also on server 77). I then have easy access to that user's username and password from the forum where the hack was being used, and I could send that data to a database to record it.
There isn't a great deal that can be done to prevent it. Maybe there should be a global flag that can only be used once in the document; this flag could be set to 0 or 1 (false/true) and would be set in the head tag, as most hosting services only allow code to be entered inside the body tag. The flag would then not be changeable elsewhere in the document, thus preventing such attacks.
Your thoughts?
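To make the scoping problem above concrete, here is an added example (not code from the original post, and not ProBoards' or Firefox's own implementation) that models how globalStorage decided which hostnames could read a given bucket, shows that a bucket named after the shared server domain is readable by every forum on that server, and applies a "lock to own host" policy of the kind proposed above. The hostnames, keys and the rule that a bare TLD is rejected are assumptions made for the illustration.

```javascript
// Model of Firefox 2 globalStorage scoping (added example, not the browser's code).
// A page at `host` may use globalStorage[scope] when scope equals the host or is
// a parent domain of it. Assumption: a scope with no dot (a bare TLD) is refused.
function canAccessScope(host, scope) {
  if (!scope.includes('.')) return false;
  return host === scope || host.endsWith('.' + scope);
}

// In-memory stand-in for globalStorage: one key/value bucket per scope string.
class GlobalStorageModel {
  constructor() { this.buckets = new Map(); }
  setItem(host, scope, key, value) {
    if (!canAccessScope(host, scope)) throw new Error(`${host} may not use scope ${scope}`);
    if (!this.buckets.has(scope)) this.buckets.set(scope, new Map());
    this.buckets.get(scope).set(key, value);
  }
  getItem(host, scope, key) {
    if (!canAccessScope(host, scope)) throw new Error(`${host} may not use scope ${scope}`);
    const bucket = this.buckets.get(scope);
    return bucket && bucket.has(key) ? bucket.get(key) : null;
  }
}

// Policy of the kind the post proposes: a page-level flag that refuses any
// scope broader than the page's own hostname, so data never lands in a bucket
// that sibling subdomains on the same server can read.
function enforceScopePolicy(host, scope, lockToOwnHost) {
  if (lockToOwnHost && scope !== host) throw new Error(`scope ${scope} is broader than ${host}`);
  return scope;
}

// Constructed scenario: two forums on the same (hypothetical) server 77.
// A harmless-looking "visits" counter written under the shared server scope is
// readable from the other forum; the same value written under the forum's own
// hostname is not.
function demo() {
  const gs = new GlobalStorageModel();
  const forumA = 'forum-a.proboards77.com';
  const forumB = 'forum-b.proboards77.com';
  gs.setItem(forumA, 'proboards77.com', 'visits', '12');
  const leaked = gs.getItem(forumB, 'proboards77.com', 'visits');   // '12'
  gs.setItem(forumA, enforceScopePolicy(forumA, forumA, true), 'visits', '12');
  let isolated;
  try { isolated = gs.getItem(forumB, forumA, 'visits'); } catch (e) { isolated = 'denied'; }
  return { leaked, isolated };
}
```

Running `demo()` returns `{ leaked: '12', isolated: 'denied' }`, which is the whole issue in one line: the same script is safe or not depending only on the scope string it chooses.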
8 Comments to globalStorage, how it could become a problem.
Surely Firefox could do something like
Did some of your message get cut off?
Poor James, losing his message.
That would be problematic, but why in the heck would you need to store the password? I can understand the username to make sure it’s the same user, or they have multiple people use the same computer, but why the password? (Just out of curiosity. I’m pretty sure you’re talking in theoretical sense.)
Other than that, the storage could be pretty cool. I won't use it until IE makes one similar to it… then I'll just make an object to save time in my codes.
I don't understand what you mean, Chris.
The globalStorage object would allow me to collect user information. If I want to gain access to the account I need to record the password. It would be an XSS attack.
For example…
Say someone used my code on their forum, and the server # was 88. I have a forum on 88 as well, so when they visit the forum using the code, the globalStorage object saves the credentials, and when that member visits my forum, I can check to see if username and password exists in the globalStorage object and then record them to a database.
IE supports persistent data, and has done since IE 5.5, I think.
At PB, couldn’t you save pb_username? Or am I misunderstanding the information it saves….?
If I wanted to collect the members' credentials, then I would just store the pb_username and then get the password from the cookie, or just get both from the cookie. I could just send the whole cookie to the object to be stored. Either way, you can store what you like in it.
Grr.
My message basically went along the lines of… I'm sure they could implement the same style of security settings (subdomain only) as cookies, or have a locality='subdomain' /> included in the session storage facility.
And if this gets cut off I'm going to be annoyed =)
You would think they would have done something like that. Ah well, it’s a cool feature, people will just need to be careful with what codes they use. As soon as I see any at ProBoards get submitted, then I shall put up a message to warn people.
I don’t want to ban them completely, as some useful stuff can be done with it. I recently wrote a script to save persistent data for Firefox 2 and IE for something me and E are working on