Week 25 - Pilfering LocalStorage with XSS
Last updated
Have you ever found a Cross-Site Scripting vulnerability, read 'document.cookie', and seen no session data at all? That usually means the session cookie is flagged HttpOnly, or the application never uses cookies for sessions in the first place.
Well, did you know you can also dump LocalStorage with JavaScript? There is no HttpOnly equivalent for it, so any script running on the origin can read every key:
alert(JSON.stringify(localStorage))
Welcome to week 25 of the web hacking series! The main difference between LocalStorage and cookies is who gets to read them. LocalStorage is only reachable from JavaScript running on the same origin and is never attached to a request, so it exists for client-side (AJAX) code; cookies are sent by the browser with every request to the site and are designed to be read by the server. Often in penetration tests, sensitive session-related data (such as JSON Web Tokens) is stored in LocalStorage precisely because the front end needs to read it and put it into an Authorization header, which is exactly what makes it reachable from an XSS payload.
To exfiltrate data from LocalStorage, you can use the following XSS payload:
Then just set up a listener on your attacker server to receive the incoming data. If you want an additional tip related to this payload, decode the following JWT 😉
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkkgYWx3YXlzIHJlY29tbWVuZCB1c2luZyBkb21haW5zIHdoZW4gZXhmaWx0cmF0aW5nIGRhdGEsIHNpbmNlIG1hbnkgbW9kZXJuIGFwcGxpY2F0aW9ucyBhbmQgZGV0ZWN0aW9uIHN5c3RlbXMgZG9uJ3QgcGxheSB3ZWxsIHdpdGggSVAncyIsImlhdCI6MTUxNjIzOTAyMn0.3s_Uh0cS9jBY_JmRvJ3iP7LMh_bEJDPbfHtNXBbFC_I
All this considered, as a developer you might be thinking: where the heck do I store my JWTs? It's recommended to store them in a cookie marked 'HttpOnly', 'Secure' and 'SameSite'. HttpOnly keeps the token out of reach of JavaScript, so an XSS can no longer read and exfiltrate it, and SameSite=Strict (or Lax) stops the browser attaching it to cross-site requests, which removes the classic CSRF vector. Two caveats: SameSite=Lax still sends the cookie on top-level GET navigations, so state-changing endpoints should not accept GET; and HttpOnly does not stop an XSS payload from making authenticated requests from inside the victim's browser, it only stops the token itself from leaving.
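As an added example (my code, not from the original post), here is what that hardened Set-Cookie header looks like next to the weak one, plus a small audit function you can point at any Set-Cookie header during a test to list which of the three attributes are missing. The cookie name, token value and one-hour lifetime are placeholders.

```javascript
// Added example, not code from the original post. Cookie name, token and
// lifetime are placeholders; the audit rules are the three attributes the
// write-up recommends plus the SameSite=None special case.

// Hardened header for a session JWT. JWT characters (base64url and '.') are
// cookie-safe, so the value needs no extra encoding.
function buildSessionCookie(name, jwt, { sameSite = "Strict", maxAge = 3600 } = {}) {
  return [
    `${name}=${jwt}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "HttpOnly",          // not readable via document.cookie
    "Secure",            // only sent over HTTPS
    `SameSite=${sameSite}`, // not attached to cross-site requests
  ].join("; ");
}

// Split a Set-Cookie header into name, value and a lowercase attribute map.
// Flag attributes (HttpOnly, Secure) map to true, valued ones to their string.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Returns a list of findings; an empty list means the cookie carries all three
// protections. SameSite=None is reported because it reopens the CSRF vector.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push("HttpOnly missing: XSS can read the token via document.cookie");
  if (!attributes.secure) findings.push("Secure missing: token is sent over plain HTTP");
  const ss = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : null;
  if (!ss) findings.push("SameSite missing: relying on the browser default, set it explicitly");
  else if (ss === "none") findings.push("SameSite=None: cookie rides along on cross-site requests, CSRF protection must come from elsewhere");
  return findings;
}

// Constructed sample headers: the weak form beside the hardened one.
const WEAK_HEADER = "session=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/";
const HARDENED_HEADER = buildSessionCookie("session", "eyJhbGciOiJIUzI1NiJ9.e30.sig");

console.log("weak:    ", WEAK_HEADER, auditSetCookie(WEAK_HEADER));
console.log("hardened:", HARDENED_HEADER, auditSetCookie(HARDENED_HEADER));
```

The audit only reads attributes; it cannot tell you whether the server also validates an anti-CSRF token or rejects state changes over GET, so treat an empty finding list as "the cookie is configured correctly", not "the session is safe".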