Using software that offers an offline mode may be putting your data at risk! These are the risks of using an offline web application.

What is an “offline web application” and how do they work?

An offline web application can be accessed from any computer, and it offers to store information on the user’s local device, giving the user the opportunity to use the application when they do not have Internet access. Since the data for the application is stored on the user’s device, it can be compromised if there are security vulnerabilities within the application or on the web server. The two technologies that allow the implementation of offline capabilities are HTML5 and Google Gears; both are frameworks used to implement persistent storage for offline web applications. Google Gears uses SQL databases on the user’s device, which introduces the risk of client-side SQL injection.

Methods of storing data on the user’s device: Persistent vs Non-Persistent Client-Side Storage

Non-Persistent client-side storage means that the data is deleted from the user’s device as soon as the user closes the web browser. Persistent client-side storage means that data is stored more permanently. The data survives the web browser being closed and rebooting the computer. Persistent data is implemented with an expiration date that is used to remove the data from the client-side storage.

Web applications utilize different forms of storage for operating the application. These include GlobalStorage and SessionStorage. GlobalStorage allows JavaScript to persistently store larger amounts of data on the client than HTTP cookies. GlobalStorage is shared by all browser windows in the same domain, regardless of the sub-domain, because the data is stored on the device itself. There is no way to automatically expire data stored in GlobalStorage, so it will never be removed from the client. As stated previously, Google Gears utilizes SQL databases to manage GlobalStorage, and this leaves the application vulnerable to client-side SQL injection. SessionStorage is a non-persistent storage method: the stored data is removed once the web browser is closed.

Risks of using offline web applications / persistent client-side storage

Offline web applications are still a new technology, so there has been insufficient research on the security of offline web applications. Offline web applications can result in an insecure flow of information. This presents vulnerabilities such as cross-site scripting (XSS) and SQL injection. Cross-site scripting vulnerabilities on the web server can be used to extract information from the client-side storage. SQL injection can also be used to extract information from the client-side storage. Because the databases are stored on the user’s device, the user could identify the database tables to extract specific data. This makes client-side SQL injection much easier than server-side SQL injection. If persistent client-side storage is not correctly implemented and managed, a denial-of-service attack is possible: the persistent data is stored on the user’s device, and if its size and lifetime are not controlled, the user’s hard drive can be filled with arbitrary data, leading to a denial of service of the device.
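The two storage weaknesses described above (GlobalStorage data that never expires, and persistent data that can fill the device’s disk) can both be addressed on the client side with an expiry date plus a size budget. The following is an added example, not code from the cited thesis or from Google Gears; BoundedStore, makeMemoryStorage and the byte-size heuristic are assumptions made for illustration, and a Map-backed stand-in replaces window.localStorage so the file runs outside a browser.

```javascript
// Added example (not from the cited thesis). BoundedStore wraps any object shaped
// like window.localStorage (getItem/setItem/removeItem/key/length) and adds a
// per-record expiry (ttlMs) and a total size budget (maxBytes); a Map stand-in
// replaces the browser backend so this runs under Node.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => Array.from(m.keys())[i] ?? null,
    get length() { return m.size; },
  };
}

class BoundedStore {
  constructor(backend, { maxBytes, ttlMs, now = Date.now }) {
    Object.assign(this, { backend, maxBytes, ttlMs, now });
  }
  // Rough UTF-16 footprint of one stored key/value pair, as the browser would persist it.
  static size(k, v) { return (k.length + v.length) * 2; }
  keys() { return Array.from({ length: this.backend.length }, (_, i) => this.backend.key(i)); }
  usedBytes() {
    return this.keys().reduce((t, k) => t + BoundedStore.size(k, this.backend.getItem(k)), 0);
  }
  // Drop every record whose expiry date has passed; returns how many were removed.
  purgeExpired() {
    const dead = this.keys().filter((k) => JSON.parse(this.backend.getItem(k)).expires <= this.now());
    dead.forEach((k) => this.backend.removeItem(k));
    return dead.length;
  }
  // Store `value` under `key`; refuse (return false) when the budget would be exceeded.
  set(key, value) {
    const record = JSON.stringify({ value, expires: this.now() + this.ttlMs });
    this.purgeExpired(); // reclaim space from stale records before measuring
    const old = this.backend.getItem(key);
    const delta = BoundedStore.size(key, record) - (old === null ? 0 : BoundedStore.size(key, old));
    if (this.usedBytes() + delta > this.maxBytes) return false;
    this.backend.setItem(key, record);
    return true;
  }
  // Return the live value, or null when the key is missing or its record has expired.
  get(key) {
    const rec = JSON.parse(this.backend.getItem(key)); // JSON.parse(null) yields null
    if (rec === null) return null;
    if (rec.expires <= this.now()) { this.backend.removeItem(key); return null; }
    return rec.value;
  }
}
```

A write that would push the store past its budget is refused rather than silently growing the client’s disk usage, and expired records disappear on the next read or write instead of living forever.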

Source: Security in Offline Web Applications, by Anja Svartberg. Norwegian University of Science and Technology.