1
00:00:00,820 --> 00:00:05,500
So the HTML5 Web Storage feature has two objects.
2
00:00:06,430 --> 00:00:10,930
These are the local storage and session storage objects.
3
00:00:13,010 --> 00:00:19,040
Now, this feature is supported in all major modern browsers like Firefox, Chrome and all the others.
4
00:00:20,020 --> 00:00:25,360
And in bWAPP we're going to exploit a local storage object.
5
00:00:27,050 --> 00:00:33,350
OK, so this feature, local storage, lets Web applications store data locally in the user's browser.
6
00:00:34,730 --> 00:00:43,250
And this data is in key-value format, so you can think of it like cookies, but the data stored
7
00:00:43,250 --> 00:00:48,530
in the local storage isn't sent to the Web server, unlike cookies.
8
00:00:49,430 --> 00:00:53,630
And that's what makes it faster and so much better than cookies.
9
00:00:55,680 --> 00:01:03,450
So many developers prefer to use local or session storage to hold sensitive data, but local storage
10
00:01:03,450 --> 00:01:05,610
is no more secure than cookies are.
11
00:01:07,090 --> 00:01:14,080
In fact, the data in local storage objects can be stored for weeks, even years, and also Web storage
12
00:01:14,080 --> 00:01:19,910
or what we're actually calling local storage, is origin-specific.
13
00:01:20,650 --> 00:01:27,970
So all pages from one origin can store and access the same data.
14
00:01:30,010 --> 00:01:36,370
So go to Kali and open bWAPP, then choose HTML5 Web Storage from the drop-down menu.
15
00:01:37,840 --> 00:01:40,330
Hey, it's nothing but a simple page.
16
00:01:41,490 --> 00:01:45,360
And also, the page advises how to grab local storage data.
17
00:01:46,110 --> 00:01:49,020
OK, so now open the web developer tool.
18
00:01:50,210 --> 00:01:51,650
Go to the storage tab.
19
00:01:52,790 --> 00:01:58,700
Open the local storage node, and here is the data in key-value form.
20
00:02:00,700 --> 00:02:02,620
So this is our data in our browser.
21
00:02:03,850 --> 00:02:05,080
Where's the problem, you ask?
22
00:02:06,580 --> 00:02:09,430
Or is it just risky coding behavior?
23
00:02:10,870 --> 00:02:16,660
Well, it depends on your point of view; the data in local storage is stored on the computer.
24
00:02:17,470 --> 00:02:25,810
A local storage object stores the data with no expiration date, so the data will not be deleted when
25
00:02:25,810 --> 00:02:33,920
the browser is closed, and it will be available the next day, week, month, year, whatever, it doesn't matter.
26
00:02:35,050 --> 00:02:40,750
So if someone were to somehow gain access to the computer, they can easily extract this data, don't
27
00:02:40,750 --> 00:02:41,100
you think?
28
00:02:43,210 --> 00:02:45,850
And now another problem is an XSS attack.
29
00:02:47,000 --> 00:02:52,790
So if the application has an XSS vulnerability, this data is also in danger.
30
00:02:54,790 --> 00:02:59,920
All right, so let's close up the developer tool and view the page source.
31
00:03:01,830 --> 00:03:11,310
Now, I'm going to zoom in for you, so look here, there is the JavaScript code right here, and this
32
00:03:11,340 --> 00:03:14,040
adds data to the local storage.
33
00:03:14,310 --> 00:03:15,660
So let's scroll down a little bit.
34
00:03:16,560 --> 00:03:18,510
Maybe we'll see something suspicious.
35
00:03:19,740 --> 00:03:21,480
No, I don't see anything.
36
00:03:22,680 --> 00:03:28,780
Anyway, to exploit and gather data from local storage, we will need an XSS vulnerability.
37
00:03:30,780 --> 00:03:31,810
And guess what?
38
00:03:32,400 --> 00:03:39,030
Thankfully, we have dozens of them, so go to xss_get.php.
39
00:03:40,740 --> 00:03:43,430
So this page is vulnerable to XSS.
40
00:03:44,510 --> 00:03:51,680
And for a quick validation, let's just type the famous payload, <script>alert(document.cookie)</script>,
41
00:03:51,680 --> 00:03:53,600
and then go.
42
00:03:55,100 --> 00:03:56,410
Well, it really is, right?
43
00:03:57,960 --> 00:04:03,750
OK, so we can view the content of the local storage in an alert message.
44
00:04:05,050 --> 00:04:08,320
But, of course, I prefer to send it to our cookie stealer application.
45
00:04:10,290 --> 00:04:12,870
So I'm going to use this payload.
46
00:04:13,750 --> 00:04:14,920
Let's copy it.
47
00:04:18,420 --> 00:04:20,160
And open the web developer tool.
48
00:04:21,620 --> 00:04:23,960
And go to the Network tab.
49
00:04:25,450 --> 00:04:27,310
Now, paste it here and then go.
50
00:04:29,670 --> 00:04:34,470
All right, so here are the requests; it sends the data to our stealer app.
51
00:04:35,350 --> 00:04:38,470
Now go to our stealer app and refresh.
52
00:04:39,980 --> 00:04:41,390
And we have one session.
53
00:04:42,480 --> 00:04:44,370
OK, so log into the application.
54
00:04:45,560 --> 00:04:47,030
And look at the first line.
55
00:04:47,720 --> 00:04:57,020
It is not a session, but it is the data in the local storage of the target. Boom.