ABSTRACT

An easy-to-guess Web SQL database name can lead to data theft and database corruption by unauthorized parties.

EXPLANATION

One of the features of HTML5 is the ability to store data in a client-side SQL database. The main piece of information required to start writing to and reading from the database is its name. Therefore, it is crucial that the name of the database is a unique string that differs from user to user. If the name of the database is easy to guess, unauthorized parties, such as other users, might be able to steal sensitive data or corrupt the database entries.


Example: The following code uses an easy-to-guess database name:


...
var db = openDatabase('mydb', '1.0', 'Test DB', 2 * 1024 * 1024);
...


This code will run successfully, but anyone who can guess the database name to be 'mydb' will be able to accesses it.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3150.2 CAT II

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 330

[6] HTML5 Security Cheatsheet

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[8] Standards Mapping - FIPS200 - (FISMA) MP

[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 330

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.3, Requirement 6.5.8

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.3

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.8