- "These capabilities are frequently used for caching of markup or script code fragments". e.g., in scenarios with specific bandwidth or responsiveness requirements.
- "While this API can be used for client-side state management, it is also often used for caching[17] (See Section IV for more details). Especially, in mobile environments where bandwidth and latency matters Web-Storage-based caching can be a powerful technique to decrease loading times by saving and reusing frequently required scripts or style declarations on the mobile device[17]."
- "However, caching such content in a storage that is accessible via scripting is a dangerous practice as it creates new attack vectors for adversaries. The cause of the problem is the fact that at one point in time, code written to the storage has to be executed again. Hence, if an attacker is able to exchange the cached code with his payload, the application automatically runs the malicious content". Well-known cross-site scripting defense techniques such as input validation or output encoding are not applicable in this scenario
- "In this paper we first investigate the usage of Web Storage with regards to code caching by investigating front pages the of the Alexa top 500.000 Web sites. Thereby, we found out that 20,422 Web sites make use of client-side storage and that 386 Web sites store 2084 pieces of HTML, Javascript code or CSS style declarations within Local- or SessionStorage.
"
- "Therefore, an attacker is not able to inject his payload into client-side storage capabilities and thus attacks are rendered void."
- Each of these storage types implements the same API and adheres to the same security restrictions. The underlying storage mechanism is implemented via a key-value scheme that allows to store, retrieve and delete a String value based on a certain key
- "Up to now, two usage patterns forWeb storage have received some attention: Keeping state in offline situations and using Web storage for caching purposes."
- "Modern browsers allow Web applications to provide offline capabilities. For this, the application can explicitly specify which of its Web resources should be kept in the browser’s application cache [2]. This is done using a dedicated manifest file that lists the URLs of to be stored resources. In situations, in which the Web browser is disconnected form the network, these files, which were stored earlier, are loaded and rendered from the appcache"
- "some applications use Web storage for caching Web page components, such as HTML fragments, CSS styles, or Javascripts, which are meant to be included verbatim into the Web page after retrieval from storage"
- "By inserting JavaScript code into one of the site’s code fragments which are kept in Web storage, the attacker can ensure, that his malicious payload is executed every time the victim accesses the Web application with his browser, potentially for an unlimited amount time"
- "On the investigated 500,000 Web sites we recorded more than 122,615 calls (by 20,421 Web sites) to Web Storage directives"