# Week 25 - Pilfering LocalStorage with XSS

## Using XSS to Steal JWTs from LocalStorage

Have you ever found a Cross-Site Scripting vulnerability and attempted to read `document.cookie`, only to see no valuable session-related data?

Well, did you know you can also dump LocalStorage with JavaScript:

`alert(JSON.stringify(localStorage))`

Welcome to week 25 of the web hacking series! The main difference between LocalStorage and cookies is that LocalStorage is meant for client-side (AJAX) interactions, while cookies are meant to be used by the server. In penetration tests, sensitive session-related data (such as JSON Web Tokens) can often be found in LocalStorage.

To exfiltrate data from LocalStorage, you can use the following XSS payload:

Then just set up a listener on your attacker server to receive the incoming data. If you want an additional tip related to this payload, decode the following JWT 😉

`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkkgYWx3YXlzIHJlY29tbWVuZCB1c2luZyBkb21haW5zIHdoZW4gZXhmaWx0cmF0aW5nIGRhdGEsIHNpbmNlIG1hbnkgbW9kZXJuIGFwcGxpY2F0aW9ucyBhbmQgZGV0ZWN0aW9uIHN5c3RlbXMgZG9uJ3QgcGxheSB3ZWxsIHdpdGggSVAncyIsImlhdCI6MTUxNjIzOTAyMn0.3s_Uh0cS9jBY_JmRvJ3iP7LMh_bEJDPbfHtNXBbFC_I`

All this considered, as a developer you might be wondering: where the heck do I store my JWTs? It's recommended to store them in a cookie marked `HttpOnly` and `SameSite`, so that they're inaccessible to JavaScript and protected against CSRF vulns.

![](/files/r0FS5ZqkKet9K7G0rrHZ)
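A defender-side check for the storage advice above, as an added example that is not from the original post: it flags JWT-shaped values in a LocalStorage-style object and reports when a `Set-Cookie` header carrying a JWT lacks `HttpOnly` or a restrictive `SameSite`. The function names, the sample token and the sample headers are constructed for illustration.

```javascript
// Added example; function names and sample data are constructed.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// True for three base64url segments whose first decodes to JSON with "alg".
function looksLikeJwt(value) {
  if (typeof value !== 'string' || !JWT_SHAPE.test(value)) return false;
  try {
    const b64 = value.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
    const header = JSON.parse(atob(b64));
    return header !== null && typeof header === 'object' && 'alg' in header;
  } catch {
    return false;
  }
}

// Keys of a localStorage-style object whose values are JWT-shaped, i.e.
// tokens that any script running in the page can read.
function findJwtsInStorage(storage) {
  return Object.keys(storage).filter((key) => looksLikeJwt(storage[key]));
}

// Parse one Set-Cookie header; report the protections the page recommends
// (HttpOnly, SameSite) that are absent. SameSite=None counts as absent.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Map(attrs.map((a) => {
    const [k, v = ''] = a.split('=');
    return [k.trim().toLowerCase(), v.trim().toLowerCase()];
  }));
  const missing = [];
  if (!flags.has('httponly')) missing.push('HttpOnly');
  if (!['strict', 'lax'].includes(flags.get('samesite'))) missing.push('SameSite');
  return { name: pair.slice(0, eq), carriesJwt: looksLikeJwt(pair.slice(eq + 1)), missing };
}

// Constructed sample data: a placeholder token, not a real credential.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJl';
const SAMPLE_STORAGE = { theme: 'dark', access_token: SAMPLE_JWT };
const WEAK_COOKIE = `session=${SAMPLE_JWT}; Path=/`;
const HARDENED_COOKIE = `session=${SAMPLE_JWT}; Path=/; HttpOnly; SameSite=Strict`;

console.log(findJwtsInStorage(SAMPLE_STORAGE));
console.log(auditSetCookie(WEAK_COOKIE));
console.log(auditSetCookie(HARDENED_COOKIE));
```

In a browser console, `findJwtsInStorage(localStorage)` runs the same check against the live page.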

