XSSQL attack (HTML5)

HTML 5 brings a lot of new features to the web. One of them is SQLite – a client-side database engine that allows data to be stored on the client side. Databases can be created and queried from JavaScript.

It is pretty clear that many developers will use the opportunity to store information on the client side. The risk is high if they use this repository to store sensitive information such as user passwords, session IDs, credit card numbers, etc.

If such a website has an XSS vulnerability, it would be possible to query these databases via JavaScript.
I even have a name for this attack – XSSQL :-) funny as well as concerning …

Ultimately, XSS attacks remain common, and they become even more powerful with the ability to query client-side databases and steal sensitive information.
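One way to reduce this exposure is to keep sensitive fields out of the client-side database in the first place. The following is an added example, not code from the original post: it filters a record before it is written, rejecting fields whose names suggest passwords, session IDs or tokens and values that pass a payment-card (Luhn) check. The key-name patterns, function names, table name and sample record are assumptions for illustration.

```javascript
// Added example: filter a record before it is written to a client-side database.
// Field-name patterns and the sample record are assumptions for illustration.
const SENSITIVE_KEY = /pass(word|wd)?|session|token|secret|card|cvv/i;

// Luhn checksum: true for digit strings that are plausible payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[ -]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Split a record into fields safe to persist client-side and fields to keep server-side.
function partitionRecord(record) {
  const safe = {}, rejected = [];
  for (const [key, value] of Object.entries(record)) {
    if (SENSITIVE_KEY.test(key) || looksLikeCardNumber(value)) rejected.push(key);
    else safe[key] = value;
  }
  return { safe, rejected };
}

// Build a parameterized INSERT for the safe fields only (identifiers are validated).
function buildInsert(table, record) {
  const { safe, rejected } = partitionRecord(record);
  const cols = Object.keys(safe);
  const validName = (n) => /^[A-Za-z_][A-Za-z0-9_]*$/.test(n);
  if (![table, ...cols].every(validName)) throw new Error("invalid identifier");
  if (cols.length === 0) throw new Error("nothing to store");
  const marks = cols.map(() => "?").join(", ");
  const sql = `INSERT INTO ${table} (${cols.join(", ")}) VALUES (${marks})`;
  return { sql, args: cols.map((c) => safe[c]), rejected };
}

// Constructed sample record: only username and theme should reach the database.
const sample = { username: "alice", theme: "dark", password: "hunter2",
                 sessionId: "abc123", note: "4111 1111 1111 1111" };
```

The returned `sql` and `args` are in the form a Web SQL transaction's `executeSql(sql, args)` accepts; the `rejected` list can be logged during development to find code paths that try to persist secrets.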

See more details at http://yossi-yakubov.blogspot.com/2011/07/html-5-xssql.html
