File System API with HTML5 – Juice for XSS


HTML5 has introduced several new APIs, one of which is the File System API (http://www.w3.org/TR/file-system-api/). Browsers are implementing it, and it covers both directories and files. A web application can therefore create a mini file system and store files inside the browser. These files can be read back at any time by script running in the same domain context, and they can be persistent or temporary. The browser is acting like a mini OS and exposing that surface: if an XSS is found, it is easy to extract the full file system created by the application.

For example, suppose an application has created a token file on the file system using this API. The files can be viewed in Chrome by browsing to the following URI.

[Figure: files created by the application inside the browser's sandboxed file system, as shown in Chrome]

In the figure above we can see the files being created in the browser. Now, assuming an XSS is found, it is easy to exploit by hooking into the file system and extracting the content. The following code can be part of the access routine.
Bottom line: a lot is being added to HTML5, and security professionals will need strong JavaScript analysis and a careful look around. The developer community still seems to be experimenting with these APIs, but the day is not far off when we will start seeing these types of applications in production and landing at our doorstep for review.

[Blackhat 2012] HTML5 Top 10 Threats Stealth Attacks and Silent Exploits

BlackHat 2012 was really fun, with lots of interesting talks. I presented a paper on HTML5 Top 10 Threats and Security. You can find the slides and paper over here.