Security - Client-Side Storage (Intermediate, 4 possible tests)

Browser Storage Exploits

This page simulates how applications misuse localStorage. Run each test, watch the storage inspector update, and identify which storage patterns are safe and which create exploitable vulnerabilities.

What are Browser Storage Exploits?

Browsers provide localStorage and sessionStorage for client-side persistence. Unlike httpOnly cookies, storage is fully readable by any JavaScript running on the page. This means any XSS vulnerability can instantly exfiltrate auth tokens, PII, or privilege flags stored there. A second class of bug occurs when the page trusts values the user wrote into storage and uses them to make access control decisions without a server-side check.

What is hidden here

  • True Negative - Theme preference stored in localStorage. Non-sensitive data, no credentials, appropriate use of client-side storage.
  • Bug Found - Auth token written to localStorage on login. Accessible to any script on the page; one XSS vulnerability is enough to steal the session.
  • Bug Found - role=admin in localStorage is read by the page and used to render admin controls without a server-side verification step.
  • Bug Found - Full name, email, and phone stored as plain text in localStorage. PII readable by every third-party script loaded on the page.

Test 1 - Theme Preference

Saving a UI preference to localStorage. This is the expected, benign use of client-side storage: non-sensitive data the user can recreate at any time.

✓ localStorage.setItem('theme', 'dark')

Test 2 - Authentication Token Storage

Simulates a login that stores the session token in localStorage instead of an httpOnly cookie. Check the storage inspector below after running this test.

✗ localStorage.setItem('auth_token', '...')

Test 3 - Client-Side Role Flag

The page reads a role key from localStorage and renders the admin panel if its value is admin. No server request is made during the check.

✗ localStorage.getItem('role') trusted for UI access control
Admin Panel - Unlocked via localStorage

You now see admin content. This section should only be visible after a server-side role check. Any user who opens DevTools and writes role=admin to localStorage can reach this on reload.
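The Test 3 bug next to the pattern that fixes it, as an added example that is not the sandbox's own code. MemoryStorage is a constructed stand-in for window.localStorage so the snippet runs under Node; SERVER_SESSIONS and lookupRoleOnServer stand in for a hypothetical GET /api/me endpoint that resolves the httpOnly session cookie on the server. Both names are assumptions, not anything this page or its backend defines.

```javascript
// Constructed stand-in for window.localStorage (same getItem/setItem/removeItem shape).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Buggy pattern from Test 3: a client-writable value alone decides whether admin UI renders.
function shouldRenderAdminPanelBuggy(storage) {
  return storage.getItem('role') === 'admin';
}

// Constructed server-side session table: session id -> identity the server vouches for.
// The browser never holds this table; it only sees the response to /api/me.
const SERVER_SESSIONS = new Map([
  ['sess-alice', { user: 'alice', role: 'user' }],
  ['sess-root',  { user: 'root',  role: 'admin' }],
]);

// Stand-in for a round trip to a hypothetical GET /api/me with the httpOnly session cookie
// attached. Returns the role the server knows for this session, or null if it is unknown.
function lookupRoleOnServer(sessionId) {
  const session = SERVER_SESSIONS.get(sessionId);
  return session ? session.role : null;
}

// Fixed pattern: the UI asks the server what the current session may do. This only gates
// rendering; every admin endpoint must still check the session itself on each request.
function shouldRenderAdminPanelFixed(sessionId) {
  return lookupRoleOnServer(sessionId) === 'admin';
}

// The tamper the page describes: the user writes role=admin into storage from DevTools.
function tamperRoleInStorage(storage) {
  storage.setItem('role', 'admin');
}

// Walk through the scenario for an ordinary user whose session cookie is 'sess-alice'.
function runScenario() {
  const storage = new MemoryStorage();
  const buggyBeforeTamper = shouldRenderAdminPanelBuggy(storage); // false: nothing stored yet
  tamperRoleInStorage(storage);
  return {
    buggyBeforeTamper,
    buggyAfterTamper: shouldRenderAdminPanelBuggy(storage),          // true: storage flag unlocks the panel
    fixedAfterTamper: shouldRenderAdminPanelFixed('sess-alice'),     // false: server still says 'user'
    fixedForRealAdmin: shouldRenderAdminPanelFixed('sess-root'),     // true: server-verified admin session
  };
}

console.log(runScenario());
```

The storage tamper has no effect on the fixed version because the role never comes from the client. Treat the server-side check as the only real control: hiding the panel is cosmetic, and a request to an admin route with a non-admin session must be rejected by the server regardless of what the UI shows.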

Test 4 - PII in Plain Text Storage

Simulates a "Save Profile" action that caches user PII in localStorage for faster page loads. The data is stored unencrypted and is readable by every script on the page.

✗ PII written to localStorage without encryption

Live localStorage Inspector

Shows all keys this page has written to localStorage. Updates automatically after each test.


  • Click "Save Theme Preference" - stores only a non-sensitive UI setting; localStorage is the right tool here and the data carries no risk if read by a third party (true negative)
  • Click "Simulate Login (Buggy)" - the token is written to localStorage and is now accessible via localStorage.getItem('qa_bs_auth_token') from any script on this origin; an XSS payload can steal it in one line (bug found)
  • Click "Set role=admin in Storage" - the page re-renders admin controls based on the storage value without contacting the server; any user can open DevTools and write this key themselves (bug found)
  • Click "Save Profile to Storage" - full name, email, and phone are stored as a plain JSON string; open the DevTools console and run localStorage.getItem('qa_bs_user_profile') to confirm the data is fully readable (bug found)
  • Note that httpOnly cookies are completely inaccessible to JavaScript; that is the correct pattern for session tokens
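An offline version of the inspector's judgement, added here as an example and not taken from the sandbox: it classifies each key in a localStorage snapshot as a credential, a client-side authorization flag, PII, or benign, which is the triage a reviewer does when auditing what an application writes to storage. The input is a plain `{ key: value }` object; in a browser you would build it with `Object.fromEntries(Object.entries(localStorage))` before calling auditStorageSnapshot. The regexes, the function names and the sample values in SAMPLE_SNAPSHOT are constructed for this example; the key names mirror the ones this page uses.

```javascript
// Heuristics for triaging storage entries. Constructed for this example; tune for your app.
const CREDENTIAL_KEY = /(token|session|jwt|auth|secret|password)/i;   // key names that usually hold credentials
const AUTHZ_KEY      = /^(role|is_?admin|privilege|perm)/i;           // keys a page might trust for access control
const JWT_SHAPE      = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/; // header.payload.signature
const EMAIL          = /[\w.+-]+@[\w-]+\.[\w.-]+/;
const PHONE          = /\+?\d[\d\s().-]{7,}\d/;

// Classify one entry. Order matters: a JWT-shaped value is a credential whatever the key is called.
function classifyEntry(key, value) {
  const text = String(value);
  if (JWT_SHAPE.test(text))     return { key, finding: 'credential', reason: 'value looks like a JWT' };
  if (CREDENTIAL_KEY.test(key)) return { key, finding: 'credential', reason: 'key name suggests a token or secret' };
  if (AUTHZ_KEY.test(key))      return { key, finding: 'authz-flag', reason: 'client-writable value a page may trust for access control' };
  if (EMAIL.test(text))         return { key, finding: 'pii', reason: 'value contains an e-mail address' };
  if (PHONE.test(text))         return { key, finding: 'pii', reason: 'value contains a phone number' };
  return { key, finding: 'benign', reason: 'no credential, authorization or PII pattern matched' };
}

// Classify every entry of a { key: value } snapshot.
function auditStorageSnapshot(snapshot) {
  return Object.entries(snapshot).map(([key, value]) => classifyEntry(key, value));
}

// Keys that should not be in localStorage at all (anything not classified benign).
function unsafeKeys(snapshot) {
  return auditStorageSnapshot(snapshot)
    .filter((entry) => entry.finding !== 'benign')
    .map((entry) => entry.key);
}

// Constructed snapshot mirroring the four tests on this page. The token is a made-up
// JWT-shaped string and the profile fields are fictional.
const SAMPLE_SNAPSHOT = {
  theme: 'dark',
  qa_bs_auth_token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
  role: 'admin',
  qa_bs_user_profile: JSON.stringify({ name: 'Ada Lovelace', email: 'ada@example.com', phone: '+1 555 0100' }),
};

console.table(auditStorageSnapshot(SAMPLE_SNAPSHOT));
```

Each non-benign finding maps to a different fix: a credential belongs in an httpOnly, Secure cookie set by the server rather than in storage; an authorization flag must be replaced by a server-side check of the session; PII should be fetched when needed from an authenticated endpoint instead of being cached in plain text where every script on the origin can read it.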