Archive for the Valnurability Category

Yet another SSL Vulnerability – FREAK!

Posted in Valnurability on March 4, 2015 by keizer
Yesterday, published in

Another new widespread and disastrous SSL/TLS vulnerability has been uncovered that for over a decade leftMillions of users of Apple and Android devices vulnerable to man-in-the-middle attacks on encrypted traffic when they visited supposedly ‘secured’ websites, including the official websites of the White House, FBI and National Security Agency.
Dubbed the FREAK” vulnerability (CVE-2015-0204) – also known as Factoring Attack on RSA-EXPORT Keys – enables hackers or intelligence agencies to force clients to use older, weaker encryption i.e. also known as the export-grade key or 512-bit RSA keys.
FREAK vulnerability discovered by security researchers of French Institute for Research in Computer Science and Automation (Inria) and Microsoft, resides in OpenSSL versions 1.01k and earlier, and Apple’s Secure Transport.

Back in 1990s, the US government attempted to regulate the export of products utilizing “strong” encryption and devices were loaded with weaker “export-grade” encryption before being shipped out of the country.
At that time, it was allowed a maximum key length of 512 bits for “export-grade” encryption. Later in 2000, with the modification of the US export laws, vendors were able to include 128-bit ciphers in their products and were able to distribute these all over the world.
The only problem is that “export-grade” cryptography support was never removed and now three decades later, FREAK vulnerability make it significantly easier for hackers to decode the website’s private key and decrypt passwords, login cookies, and other sensitive information from HTTPS connections.

Assistant Research Professor Matthew Green of Johns Hopkins University’s Information Security Institute in Maryland summarizes the FREAK vulnerability in a blog post detailing how a hacker could perform MitM attack:
  • In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
  • The MITM attacker changes this message to ask for ‘export RSA’.
  • The server responds with a 512-bit export RSA key, signed with its long-term key.
  • The client accepts this weak key due to the OpenSSL/Secure Transport bug.
  • The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
  • When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
  • From here on out, the attacker sees plain text and can inject anything it wants.


A scan of more than 14 million websites that support the SSL/TLS protocols found that more than 36% of them were vulnerable to the decryption attacks that support RSA export cipher suites (e.g.,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA).

Cracking a 512-bit key back in the ’90s would have required access to supercomputers of that time, but today, it can be done in seven hours and cost nearly $100 per website only.
It is possible to carry out FREAK vulnerability attack when a user running a vulnerable device — currently includes Android smartphones, iPhones and Macs running Apple’s OS X operating system — connects to a vulnerable HTTPS-protected website. At the moment, Windows and Linux end-user devices were not believed to be affected.

FREAK vulnerability is similar to last year’s POODLE flaw or Padding Oracle On Downgraded Legacy Encryption, which allowed hackers to downgrade the entire SSL/TLS Internet-communication security suite to the weakest possible version. FREAK affects only those SSL/TLS implementations that accept export versions of protocols that use the RSA encryption algorithm.
Security researchers are maintaining a list of top vulnerable websites and encourage web server administrators to disable support for export suites, including all known insecure ciphers, and enable forward secrecy.

Google said an Android patch has already been distributed to partners. Meanwhile, Google is also calling on all websites to disable support for export certificates.
Apple also responded to the FREAK vulnerability and released a statement that, “We have a fix in iOS and OS X that will be available in software updates next week.”

…and the Oscar for Worst-OS, goes to…

Posted in Valnurability on February 24, 2015 by keizer

Last week, published by Cristian Florian from

An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database.

Some of the questions asked are:

– What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?

– What percentage of these vulnerabilities are rated as critical? (e.g. high security impact – like allowing remote code execution – and thus easy to exploit)

– In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?

– Which operating systems and applications are listed with most vulnerabilities? This data is important because the products which are on top get the most frequent security updates. To maintain an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.


24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has increased compared to last year.


Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.


Top operating systems by vulnerabilities reported in 2014


It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple with OS X and iOS is at the top, followed by Linux kernel.

2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.

Top applications by vulnerabilities reported in 2014


The applications listed here are pretty much the same as in 2013. Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

iPhone just snapshotted your credit card number

Posted in Exploits, Mobile, Valnurability with tags , on December 28, 2014 by keizer

Having a page where users insert their credit card numbers? a page containing sensitive data such as personal or business information? you should be aware of the fact that when the user presses the iphone’s home button, and your application performs backgrounding, iOS takes a snapshot of the current page and stores it insecurely on the device. Why? to create an “animation” when the application shrinks into the background and when selected, expands back to your screen. If the last page contained sensitive information, this information could be stolen. Violation of the user’s privacy and business information leakage are just two of the security impacts it may cause.

This is how its done:
1. The user launches your app, and goes to a page containing sensitive information.
2. The user receives a call, or decided himself to press the home button, and send your app into the background.
3. iOS takes a snapshot of the last pages, for animation… this is how it looks:

stage1 stage2 stage3

Now, lets take a look at the application folder on the device. We’ll go to:
{YOUR_APP_UUID}/Library/Caches/Snapshots/ and there we can see the file:
UIApplicationAutomaticSnapshotDefault-Portrait@2x.png. Opening it, will reveal all the data that appeared on the last page visited in our app, before going into background.

What can we do about it?

Well… I’m glad you asked! There are a few ways to deal with this issue. Here,I will explain four of them:

1. Creating an iOS 7 blur effect

iOS 7 gives every UIView methods to provide Capturing a View Snapshot.

The method drawViewHierarchyInRect:afterScreenUpdates: provides nearly the same as it’s CALayer predecessor renderInContext:, but this one captures the actual onscreen content.

// Snapshot scene into a UIImage.
[self drawViewHierarchyInRect:snapshotBounds afterScreenUpdates:YES];
UIImage *snapshotImage = UIGraphicsGetImageFromCurrentImageContext();

* You can specify a smaller bounding rectangle for the snapshot to gain performance. A blurred image actually don’t have to be at full resolution, since users can hardly perceive the difference.

Apply blur to an image can be done several ways, like using CIFilter, or some iOS Stack blur implementation. Here I will demonstrate using an  API called GPUImageiOSBlurFilter.

Now, all we have to do is:

// Create filter.
self.blurFilter = [GPUImageiOSBlurFilter new];
// Apply filter.
UIImage *blurredSnapshotImage = [self.blurFilter imageByFilteringImage:snapshotImage];

The following image, is a PoC of a blurred snapshot:


2. Mark sensitive fields as hidden

The iOS Application Programming Guide states “When your applicationDidEnterBackground: method returns, the system takes a picture of your app’s user interface and uses the resulting image for transition animations. If any views in your interface contain sensitive information, you should hide or modify those views before theapplicationDidEnterBackground: method returns.”

Simple as it sounds, just mark the sensitive fields as hidden in the delegate:

- (void)applicationDidEnterBackground:(UIApplication *)application {
viewController.accountNumber.hidden = YES;
viewController.username.hidden = YES;
viewController.SSN.hidden = YES;
viewController.password.hidden = YES;

Adding this code to the delegate results in the screenshot being taken without the sensitive parameters (e.g. the credit card number field):


hidden fields

3. Use an overlay image

Overlay an image as the application enters the background state. The overlaid image will “mask” the current screen, thus covering any sensitive information which may be on screen. Below is sample code:

@property (UIImageView *)backgroundImage;
- (void)applicationDidEnterBackground:(UIApplication *)application {
UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"];
self.backgroundImage = myBanner;
[self.window addSubview:myBanner];

Choose a background that will be saved on top of the original snapshot. You can use the general theme of your application. For example:

4. Prevent Backgrounding

You can also prevent backgrounding completely, instead of trying to hide the sensitive data. To do so, set the “Application does not run in background” property in the application’s Info.plist file. This will add theUIApplicationExitsOnSuspend key to the plist. After setting this property, every time the application tries to go into backgrouding, the inapplicationWillTerminate: is being called and prevents the screenshot from being taken at all.





Sensitive data, such as Personal Information, Financial or business data, and more can be saved when an app moves to the background without the user’s knowledge.  If a malicious application is installed on the same device, or if someone gets a hold of the device, even just for few minutes, This sensitive information could be easily stolen. This snapshot will remain there until a new snapshot of the same application will be taken! This is a series security issue and it needs to be mitigated by the developers. I’ve seen different apps using different solutions… just pick one of the methods I stated above and protect your users.


Improve your Web Application Security in a Jiff

Posted in Valnurability on September 13, 2014 by keizer


The following are a list of HTTP headers that will help you secure your web application in no-time:

The ‘X-Content-Type-Options’ HTTP header if set to ‘nosniff’ stops the browser from guessing the MIME type of a file via content sniffing. Without this option set there is a potential increased risk of cross-site scripting.
Secure configuration: Server returns the ‘X-Content-Type-Options’ HTTP header set to ‘nosniff’.



The ‘X-XSS-Protection’ HTTP header is used by Internet Explorer version 8 and higher. Setting this HTTP header will instruct Internet Explorer to enable its inbuilt anti-cross-site scripting filter. If enabled, but without ‘mode=block’ then there is an increased risk that otherwise non exploitable cross-site scripting vulnerabilities may potentially become exploitable.
Secure configuration: Server returns the ‘X-XSS-Protection’ HTTP header set to ‘1; mode=block’.



The ‘X-Frame-Options’ HTTP header can be used to indicate whether or not a browser should be allowed to render a page within a <frame> or <iframe>. The valid options are DENY, to deny allowing the page to exist in a frame or SAMEORIGIN to allow framing but only from the originating host. Without this option set the site is at a higher risk of click-jacking unless application level mitigations exist.
Secure configuration: Server returns the ‘X-Frame-Options’ HTTP header set to ‘DENY’ or ‘SAMEORIGIN’.



The ‘Cache-Control’ response header controls how pages can be cached either by proxies or the user’s browser. Using this response header can provide enhanced privacy by not caching sensitive pages in the users local cache at the potential cost of performance. To stop pages from being cached the server sets a cache control by returning the ‘Cache-Control’ HTTP header set to ‘no-store’.

Secure configuration: Either the server sets a cache control by returning the ‘Cache-Control’ HTTP header set to ‘no-store, no-cache’ or each page sets their own via the ‘meta’ tag for secure connections.

Updated: The above was updated after our friend Mark got in-touch. Originally we had saidno-store was sufficient. But as with all things web related it appears Internet Explorer and Firefox work slightly differently (so everyone ensure you thank Mark!).



The ‘X-Content-Security-Policy’ response header is a powerful mechanism for controlling which sites certain content types can be loaded from. Using this response header can provide defence in depth from content injection attacks. However it’s not for the faint hearted in our opinion.
Secure configuration: Either the server sets a content security policy by returning the ‘X-Content-Security-Policy’ HTTP header or each page sets their own via the ‘meta’ tag



The ‘HTTP Strict Transport Security’ (Strict-Transport-Security) HTTP header is used to control if the browser is allowed to only access a site over a secure connection and how long to remember the server response for thus forcing continued usage.
Note: This is a draft standard which only Firefox and Chrome support. But it is supported by sites such as PayPal. This header can only be set and honoured by web browsers over a trusted secure connection.

Secure configuration: Return the ‘Strict-Transport-Security’ header with an appropriate timeout over an secure connection.



The ‘Access Control Allow Origin’ HTTP header is used to control which sites are allowed to bypass same origin policies and send cross-origin requests. This allows cross origin access without web application developers having to write mini proxies into their apps.
Note: This is a draft standard which only Firefox and Chrome support, it is also advocarted by sites such as
Secure configuration: Either do not set or return the ‘Access-Control-Allow-Origin’ header restricting it to only a trusted set of sites.

All Internet Explorer are Vulnerable

Posted in Valnurability on April 28, 2014 by keizer


FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. The acknowledgment from Microsoft was no late to come. They has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.

Threat actors are actively using this exploit in an ongoing campaign which they have named “Operation Clandestine Fox.” It is recommend to apply a patch once available.


According to NetMarket Share, the market share for the targeted versions of IE in 2013 were:
IE 9 13.9%
IE 10 11.04%
IE 11 1.32%

Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.


The Details

The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.


• Preparing the heap

The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0×18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.

• Arbitrary memory access

The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.

• Runtime ROP generation

With full memory control, the exploit will search for ZwProtectVirtualMemory, and a stack pivot (opcode 0×94 0xc3) from NTDLL. It also searches for SetThreadContext in kernel32, which is used to clear the debug registers. This technique, documented here, may be an attempt to bypass protections that use hardware breakpoints, such as EMET’s EAF mitigation.

With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain, and prepends it to its RC4 decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.

• ROP and Shellcode

The ROP payload basically tries to make memory at 0×18184000 executable, and to return to 0x1818411c to execute the shellcode.

0:008> dds eax
18184100 770b5f58 ntdll!ZwProtectVirtualMemory
18184104 1818411c
18184108 ffffffff
1818410c 181840e8
18184110 181840ec
18184114 00000040
18184118 181840e4

Inside the shellcode, it saves the current stack pointer to 0×18181800 to safely return to the caller.

mov dword ptr ds:[18181800h],ebp
Then, it restores the flash.Media.Sound vftable and repairs the corrupted vector object to avoid application crashes.

18184123 b820609f06 mov eax,69F6020h
18184128 90 nop
18184129 90 nop
1818412a c700c0f22169 mov dword ptr [eax],offset Flash32_11_7_700_261!AdobeCPGetAPI+0x42ac00 (6921f2c0)
18184133 b800401818 mov eax,18184000h
18184138 90 nop
18184139 90 nop
1818413a c700fe030000 mov dword ptr [eax],3FEh ds:0023:18184000=3ffffff0

The shellcode also recovers the ESP register to make sure the stack range is in the current thread stack base/limit.

18184140 8be5 mov esp,ebp
18184142 83ec2c sub esp,2Ch
18184145 90 nop
18184146 eb2c jmp 18184174

The shellcode calls SetThreadContext to clear the debug registers. It is possible that this is an attempt to bypass mitigations that use the debug registers.

18184174 57 push edi
18184175 81ece0050000 sub esp,5E0h
1818417b c7042410000100 mov dword ptr [esp],10010h
18184182 8d7c2404 lea edi,[esp+4]
18184186 b9dc050000 mov ecx,5DCh
1818418b 33c0 xor eax,eax
1818418d f3aa rep stos byte ptr es:[edi]
1818418f 54 push esp
18184190 6afe push 0FFFFFFFEh
18184192 b8b308b476 mov eax,offset kernel32!SetThreadContext (76b408b3)
18184197 ffd0 call eax

The shellcode calls URLDownloadToCacheFileA to download the next stage of the payload, disguised as an image.


Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

Acknowledgement: Thankses goes to Christopher Glyer, Matt Fowler, Josh Homan, Ned Moran, Nart Villeneuve and Yichong Lin, Xiaobo Chen, Dan Caselden and Mike Scott from FireEye.

My HEARTBLEEDs for you

Posted in Valnurability on April 9, 2014 by keizer

imageedit_1_8145715273The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


The fix from was not late to be released and specified: “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

The official bug was assgined under CVE-2014-0160. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is being leaked?

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug you can classify the compromised secrets to four categories: 1) primary key material, 2) secondary key material and 3) protected content and 4) collateral.

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalided and considered compromised.

What is leaked protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?

Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.

Are YOU affected by the bug?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

You can also test your site with the Hearbleed test:

ScreenShot001(Click to Enlarge)


How can OpenSSL be fixed?

Even though the actual code fix may appear trivial, OpenSSL team is the expert in fixing it properly so latest fixed version 1.0.1g or newer should be used. If this is not possible software developers can recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS.


For more informatio go to:


Resident XSS (Rootkits in your Web application)

Posted in Valnurability on January 11, 2014 by keizer

The new HTML5 was brought the internet community with a whole bunch of new features, to help us create a more dynamic and smooth client side, whether for the mobile apps or to a browser based client. Among its new feature you can find: CSS3, Drag&Drop, localStorage & sessionStorage, Streaming, Geolocation, Webworks and whatnot.

Wait! (imagine you hear the rewind sound): local & session Storage? does that mean that I can store data on the client? -Yes!
Well, it sounds like a great feature isn’t it? they all are… but are they safe? – A big fat No!

But lets concentrate in the session & local storage, shall we? What if someone store things for me? evil things… it means that my own browser will betray me and hold malicious data that could harm me! how does that work?

Lets say that the  site you are using stores some of your account details into your local & session storage, so later on it could read information from your client, sparing it to send requests to the server.

In this scenario, our website stores your account#, the SessionId, your username and some other string that will be displayed on the screen when you enter the website (sounds like… exactly!).

Our website, takes the data it previously entered to the storage and displays it when the page renders. This is how the page looks normally, along with the original information stored in the sessionStorage:

residentXSS_before(Click on the image to enlarge)


Notice that the message withing the speech bubble takes its information from the Session Storage, as can be seen in the above image, right below the page. You can access the page’s Resources tab using Chrome’s Developer tools (a.k.a Inspect Element). We can assume that the code behind it looks something like this:

var username = window.sessionStorage.getItem(“User”);
var speech = window.sessionStorage.getItem(“Speach-of-the-day”);
var action = window.sessionStorage.getItem(“Random-action”);

and calling them using:

<h1> <script>document.write(“Hello ” + username); </script> </h1>
<h3> <script>document.write(speech);</script> </h3>
<a href=”#”> <script>document.write(action);</script> </a>

Now, what if this website is vulnerable to a Reflected XSS? in that case the XSS would be active once, on the response that includes it. But what if! this website uses the client side storage to display information?

— If the attacker injected some malicious content to our sessionStorage and the website does not perform client-side encoding/ escaping (wait… client-side? yes!) then the XSS would take residence (thus, the name) inside our browser, just waiting to be called by the client.

Its also very simple to do so, all the attacker needs to know is the name of the key within the storage and then change it simply using: sessionStorage.setItem(key);

So, let go back to the example. The attacker managed to implement a code inside our sessionStorage using regular XSS. Then it will look like this:

residentXSS_after(Click on the image to enlarge)


Notice that the Speech-of-the-day key has changed, and it now contains a script. The next time (and everytime after that) the page refreshes, the XSS will be executed:

residentXSS_alert(Click on the image to enlarge)


What can we do about it? — as I mentioned earlier, before reading content from the client-storage escape it! so when called, even if someone planted a malicious script – it won’t be executed:

residentXSS_escaping(Click on the image to enlarge)


With all the cool features HTML5 has brought to us, a lot of new security issues has been introduced. An important part of them involve data stored in the client, or taken from it. Since the client should never be trusted, all the data in it, no matter if we stored it or not –  should be mitigated, and we should take any precautions possible when dealing with it.