DOM Storage: XSS 2.0
Published on: 1182622873 (Unix timestamp, 23 June 2007)
Mozilla Firefox has some very disturbing new features on board; I checked them out and did some test rounds with them. To be honest, these features lay the blueprint for JavaScript worms. It starts with simple reconnaissance techniques to see whether a user is online or not, and goes all the way to full DOM storage that is capable of storing whatever we please. Some parts are even accessible cross-domain. I am not sure what Mozilla is thinking here, but this is horrible for security. MSIE has a similar system, but Mozilla's version beats all odds. I had rather hoped they would back down a little on the features and implement things like HttpOnly cookies more properly. Instead they are making it a jungle and a playground for XSS 2.0 and giving ground to real JavaScript worm distribution. And I didn't even touch CSRF here. I'm really speechless...
Update: I added these functions to my new XSS, or rather worm attack, API called Red dragon, which I'm working on. It is far from complete, but here is a preview: reddragon.js
.mario also sent me these links:
http://www.whatwg.org/specs/web-apps/current-work/#browser
http://www.whatwg.org/specs/web-apps/current-work/#storage
http://www.whatwg.org/specs/web-apps/current-work/#sql
A simple check whether the user is online, which could be useful in JavaScript worms. Note that in Firefox this flag mirrors the browser's "Work Offline" setting rather than actual network reachability, so a true value is a hint, not a guarantee that anything can be reached:
// navigator.onLine is true unless the browser has been switched to offline mode
if(navigator.onLine) {
alert('Yes user is online');
}
SessionStorage
This is a global object (sessionStorage) that maintains a storage area that is available for the duration of the page session. A page session lasts for as long as the browser is open and survives page reloads and restores. Opening a page in a new tab or window will cause a new session to be initiated.
Save data to the current session's store
sessionStorage.username = "John";
Access some stored data
alert( "username = " + sessionStorage.username );
Persistent data
Persistent data storage lets us fetch the data we inserted into DOM storage again:
- after a page refresh
- after a browser crash
Starting in Firefox 2, and more fully in Firefox 3, the browser is capable of restoring this session data after a crash. This is interesting because we could deliberately crash a window after injecting session data, turning it into a persistent denial of service, or simply inject anything we want for later use across pages. This could be used to store JavaScript worms very effectively. Keep in mind that storage itself executes nothing: a parked payload only runs again when page code on that origin reads the value back into eval, innerHTML or a similar sink.
try {
// Store a value under the key "autosave"; it survives reloads and,
// in Firefox 3, crash recovery of the window.
sessionStorage.autosave = "Any value";
// Read it back; on a later load this yields the restored value.
var store_me = sessionStorage.autosave;
} catch(e) {
// Access can throw, for example when DOM storage is disabled in the browser.
alert('Error storing data!');
}
Global storage, the worst.
It can store data globally, but it can also store data that is accessible by other websites! The key names the domain whose pages may reach the storage area; the public area with the empty key is the one any origin can read and write.
Domain only
globalStorage['0x000000.com'].xss = "<script>alert('XSS 2.0');</script>";
Any domain!
globalStorage[''].xss = "<script>alert('XSS 2.0');</script>";
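The following is an added example, not code from the original post or from Red dragon. It models the two halves of what the post describes for both sessionStorage persistence and the globalStorage public area: an injected script parking a payload in storage, and the page code that later reads it back, once as the vulnerable eval-style consumer and once hardened. MemoryStorage is a constructed stand-in for the WHATWG Storage interface (getItem/setItem/removeItem/key/length) so it runs outside a browser; globalStorage is a plain object keyed by domain, mirroring one storage area per domain key plus the public area '' reachable from every site, as the post states. The names storageFor, plantPayload, vulnerableLoader, hardenedLoader, sweepUnknownKeys and the hosts evil.example and bank.example are assumptions made for this example.

```javascript
// Constructed stand-in for the browser Storage interface (assumption: same
// getItem/setItem/removeItem/key/length surface as sessionStorage and
// globalStorage[domain]); lets the example run in Node instead of a page.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const k = Array.from(this.map.keys())[i]; return k === undefined ? null : k; }
  getItem(k) { return this.map.has(String(k)) ? this.map.get(String(k)) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(String(k)); }
  clear() { this.map.clear(); }
}

// Model of globalStorage: one area per domain key, '' being the public area.
const globalStorage = Object.create(null);
function storageFor(domain) {
  if (!globalStorage[domain]) globalStorage[domain] = new MemoryStorage();
  return globalStorage[domain];
}

// Attacker side: the injected script parks its payload in storage so it
// outlives the page that carried the original XSS.
function plantPayload(storage, key, code) {
  storage.setItem(key, code);
}

// Vulnerable consumer: trusts whatever is in storage and executes it.
// new Function sits on the same trust boundary as eval; it is used here so
// the result of running attacker-supplied code can be observed directly.
function vulnerableLoader(storage, key) {
  const code = storage.getItem(key);
  if (code === null) return null;
  return new Function(code)();
}

// Hardened consumer: storage is attacker-writable (by any script on the
// origin, or by any site at all for the public area), so its contents are
// untrusted input. Accept only a value of the expected shape, and hand it
// back as data rather than executing or rendering it as markup.
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function hardenedLoader(storage, key) {
  const value = storage.getItem(key);
  if (value === null || !USERNAME_RE.test(value)) return null;
  return value;
}

// Cleanup: remove every key the application did not define, so a parked
// payload has nowhere to live. Keys are collected first because removing
// while iterating over key(i) shifts the indices.
function sweepUnknownKeys(storage, allowedKeys) {
  const allowed = new Set(allowedKeys);
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  const removed = keys.filter((k) => !allowed.has(k));
  removed.forEach((k) => storage.removeItem(k));
  return removed;
}

// Walk-through with constructed data: a script on evil.example writes the
// public area, a script on bank.example later reads the very same area.
function demo() {
  const attackerSite = storageFor('');
  const victimSite = storageFor('');
  plantPayload(attackerSite, 'xss', 'return "payload ran on " + "any domain"');
  const ran = vulnerableLoader(victimSite, 'xss');            // attacker code executes
  const blocked = hardenedLoader(victimSite, 'xss');          // null: shape check fails
  victimSite.setItem('username', 'John');
  const user = hardenedLoader(victimSite, 'username');        // "John"
  const removed = sweepUnknownKeys(victimSite, ['username']); // ['xss']
  return { ran, blocked, user, removed, remaining: victimSite.length };
}
```

In a real page the plantPayload step is the XSS payload itself, and the vulnerable loader is any existing page code that passes a storage value to eval, innerHTML, document.write or setTimeout with a string. The hardened loader shows the rule that matters: values read from DOM storage get the same validation as a query string, because once an attacker can write the area, the original injection point no longer has to exist.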