
dc.contributor.advisor: Gligoroski, Danilo (nb_NO)
dc.contributor.author: Svartberg, Anja (nb_NO)
dc.date.accessioned: 2014-12-19T13:44:29Z
dc.date.accessioned: 2015-12-22T11:42:29Z
dc.date.available: 2014-12-19T13:44:29Z
dc.date.available: 2015-12-22T11:42:29Z
dc.date.created: 2010-09-04 (nb_NO)
dc.date.issued: 2009 (nb_NO)
dc.identifier: 348975 (nb_NO)
dc.identifier.uri: http://hdl.handle.net/11250/2369508
dc.description.abstract: Offline Web applications are increasingly popular. The possibility to have both the advantages of Web applications and traditional desktop applications is exciting. An offline Web application can be accessed from all computers, with any operating system, as well as offering to store information locally, giving the user the opportunity to use the application when the user does not have Internet access. The concept of offline Web applications is tempting, but it is important to integrate security in the process of making them. The users rely on a high level of security. In this thesis I have looked specifically at how the persistent client-side storage needed for offline storage for the offline Web application can be compromised due to security vulnerabilities on the Web server. I have performed a literature review to gather information on the topic of security in offline Web applications, and it was found that there has not been much previous research in this area. Two technologies for realization of offline Web applications were reviewed: HTML5 and Google Gears. Following this, a Web server was set up, and two test applications with offline capabilities, representing the two chosen technologies, were put on the Web server. A set of security tests were performed on these test applications to reveal possible vulnerabilities in having persistent client-side storage. The results of the security testing demonstrate the consequences of having security weaknesses in Web servers hosting offline Web applications. If there is one cross-site scripting vulnerability on the Web server, an attacker can attack the persistent client-side storage: steal, change, delete or add information related to the offline Web application. Some thoughts on possible consequences of attacks on the hosting Web server are also given.
A comparison between Google Gears and HTML5 was performed, and it was found that some of the design choices in Google Gears help provide a higher level of security in offline Web applications. Some strategies for testing the security of offline Web applications are suggested, focused on cross-site scripting vulnerabilities. The work in this thesis underlines the importance of including security in the process of developing and deploying offline Web applications. It shows the large consequences that can result from small security vulnerabilities present in the hosting Web server. Introductorily, the advantages of offline Web applications were discussed. The work presented here shows that the increasing use of offline Web applications relies on a high focus on security in order to keep the users' information safe. (nb_NO)
dc.language: eng (nb_NO)
dc.publisher: Institutt for telematikk (nb_NO)
dc.subject: ntnudaim (no_NO)
dc.title: Security in Offline Web Applications (nb_NO)
dc.type: Master thesis (nb_NO)
dc.source.pagenumber: 82 (nb_NO)
dc.contributor.department: Norges teknisk-naturvitenskapelige universitet, Fakultet for informasjonsteknologi, matematikk og elektroteknikk, Institutt for elektronikk og telekommunikasjon (nb_NO)

