[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] When standards attack...



The WebKit folks just added client-side SQL database support:
 
http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/

In addition to all of the existing attacks through a web browser, we can 
now take into account SQLite vulnerabilities and client-side SQL 
injection issues as well.

>From the security section of the specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql

"""
[ 4.11.8.1. User agents ]

User agent implementors are strongly encouraged to audit all their 
supported SQL statements for security implications. For example, LOAD 
DATA INFILE is likely to pose security risks and there is little reason 
to support it.

In general, it is recommended that user agents not support features that 
control how databases are stored on disk. For example, there is little 
reason to allow Web authors to control the character encoding used in the 
disk representation of the data, as all data in ECMAScript is implicitly 
UTF-16.

[ 4.11.8.2. SQL injection ]
Authors are strongly recommended to make use of the ? placeholder feature 
of the executeSql() method, and to never construct SQL statements on the 
fly. 
"""

...because letting developers choose to bind their query parameters has 
worked so well before ;-)

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/