Playing a bit with localStorage



HTML5 is here and companies are starting to use it more and more to add value to their products. During the pentest we should be able to identify those new functionalities and their associated risks.

I was playing today a bit with some HTML5 apps and localStorage got my attention. This is a feature to store content locally on the browser for later use on the application and may contains sometimes sensitive information.

Although out there are plenty of apps and browsers’ extensions to check the content of these storage, we may be force to do a test where we don’t have access to such tools. I was looking for a “one line JavaScript” that can retrieve all the content stored locally for a given page, some kind of alert(document.cookie) for localStorage. Couple of searches later I got my solution:

javascript:for(var i=0;i<localStorage.length;i++){alert(localStorage.key(i)+”:”+localStorage.getItem(localStorage.key(i)));}

We can use the code above to execute it on the local context of a page and return all the objects inside the localStorage.