Week 25 - Pilfering LocalStorage with XSS

Last updated 2 years ago

Using XSS to Steal JWT's from LocalStorage

Have you ever found a Cross-Site Scripting vulnerability and attempted to read 'document.cookie', only to see no valuable session-related data?

Well, did you know you can also dump LocalStorage with JavaScript?

alert(JSON.stringify(localStorage))

Welcome to week 25 of the web hacking series! The main difference between LocalStorage and Cookies is that LocalStorage is meant to be read and written by client-side JavaScript (for example by AJAX code), while Cookies are attached by the browser to every request and are meant to be consumed by the server. Often in penetration tests, sensitive session-related data (such as JSON Web Tokens) can be found in LocalStorage.

To exfiltrate data from LocalStorage, you can use the following XSS payload:

Then just set up a listener on your attacker server to receive the incoming data. If you want an additional tip related to this payload, decode the following JWT 😉

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkkgYWx3YXlzIHJlY29tbWVuZCB1c2luZyBkb21haW5zIHdoZW4gZXhmaWx0cmF0aW5nIGRhdGEsIHNpbmNlIG1hbnkgbW9kZXJuIGFwcGxpY2F0aW9ucyBhbmQgZGV0ZWN0aW9uIHN5c3RlbXMgZG9uJ3QgcGxheSB3ZWxsIHdpdGggSVAncyIsImlhdCI6MTUxNjIzOTAyMn0.3s_Uh0cS9jBY_JmRvJ3iP7LMh_bEJDPbfHtNXBbFC_I
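Decoding the token above is a good reminder of why a JWT in LocalStorage matters: the header and payload are only base64url-encoded, not encrypted, so anyone who can read the token can read every claim in it. The following is an added example, not code from the original post; the function names (base64UrlDecode, decodeJwt, issuedAt) are my own, and it deliberately does not verify the signature, since that needs the server's key.

```javascript
// Added example (not from the original post): read a JWT's header and payload
// without verifying the signature. Function names are constructed for this example.

function base64UrlDecode(segment) {
  // base64url (RFC 4648 section 5) swaps '+' and '/' for '-' and '_' and drops '=' padding
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    // Left encoded: without the HMAC key there is nothing to check it against
    signature: signatureSeg,
  };
}

// The 'iat' claim is seconds since the Unix epoch; return it as an ISO timestamp
function issuedAt(decoded) {
  return new Date(decoded.payload.iat * 1000).toISOString();
}

// The token from the post above
const TOKEN_FROM_POST =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkkgYWx3YXlzIHJlY29tbWVuZCB1c2luZyBkb21haW5zIHdoZW4gZXhmaWx0cmF0aW5nIGRhdGEsIHNpbmNlIG1hbnkgbW9kZXJuIGFwcGxpY2F0aW9ucyBhbmQgZGV0ZWN0aW9uIHN5c3RlbXMgZG9uJ3QgcGxheSB3ZWxsIHdpdGggSVAncyIsImlhdCI6MTUxNjIzOTAyMn0.' +
  '3s_Uh0cS9jBY_JmRvJ3iP7LMh_bEJDPbfHtNXBbFC_I';

const decoded = decodeJwt(TOKEN_FROM_POST);
console.log(decoded.header);        // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload.name);  // the hidden tip
console.log(issuedAt(decoded));     // 2018-01-18T01:30:22.000Z
```

Run it with Node (`node decode.js`); the same decoding works on any token you find in LocalStorage, which is exactly the point: the token's contents are as exposed as the storage that holds it.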

All this considered, as a developer you might be thinking: where the heck do I store my JWTs? It's recommended to store them within a Cookie marked as 'HttpOnly' and 'SameSite'. HttpOnly keeps the cookie out of reach of JavaScript (and therefore of XSS), and SameSite stops the browser attaching it to cross-site requests, which blunts CSRF.
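To make that recommendation concrete, here is an added example (not code from the original post) that builds a session cookie header with the attributes above and audits an arbitrary Set-Cookie header for the ones that are missing. The function names (buildSessionCookie, auditSetCookie) and the sample headers are constructed for this example; the audit is the check you would run over a pentest report's response headers or a CI test.

```javascript
// Added example (not from the original post): hardened Set-Cookie builder plus an
// auditor for the attributes that keep a session token away from XSS and CSRF.
// Function names and sample headers are constructed for this example.

function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Strict' } = {}) {
  // A value containing CR/LF or ';' could inject extra headers or attributes
  if (/[\r\n;]/.test(value)) throw new Error('cookie value contains illegal characters');
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',             // not exposed through document.cookie, so XSS cannot read it
    'Secure',               // only ever sent over HTTPS
    `SameSite=${sameSite}`, // not attached to cross-site requests, so CSRF cannot ride on it
  ].join('; ');
}

function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Map();
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    flags.set(k.toLowerCase(), v === undefined ? true : v);
  }
  const findings = [];
  if (!flags.has('httponly')) findings.push('missing HttpOnly: readable via document.cookie');
  if (!flags.has('secure')) findings.push('missing Secure: may be sent over plain HTTP');
  const sameSite = flags.get('samesite');
  if (sameSite === undefined) {
    findings.push('missing SameSite: relies on the browser default');
  } else if (String(sameSite).toLowerCase() === 'none') {
    findings.push('SameSite=None: cookie is attached to cross-site requests');
  }
  return { name, findings };
}

// Constructed sample: a token set the weak way versus the recommended way
const WEAK_HEADER = 'session=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/';
const HARDENED_HEADER = buildSessionCookie('session', 'eyJhbGciOiJIUzI1NiJ9.e30.sig');

console.log(auditSetCookie(WEAK_HEADER));     // three findings
console.log(auditSetCookie(HARDENED_HEADER)); // no findings
```

The auditor treats a missing SameSite attribute as a finding rather than assuming a default, because browsers have not all converged on the same fallback; state the attribute explicitly and the question goes away.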
