Video: Pen Testing HTML 5 Web Storage

Blog Post created by webpwnized on Jun 22, 2012

Recorded at the 2012 AIDE conference, this video covers a presentation given by Jeremy Druin, a professional web application and network pen-tester. The topic is pen-testing HTML5 web storage, a client-side storage technology available in HTML5-aware browsers. Web storage is discussed from two perspectives: altering your own web storage and altering the web storage of a remote user.


Additionally, JSON injection is reviewed to show how cross-site scripts can be injected in unconventional ways: a cross-site script is injected in the middle of a JSON response so that the script executes when the JSON is parsed by the browser.
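As an added example (not code from the talk or from Mutillidae), the following browser-side JavaScript shows the defensive counterpart to both topics above: it parses JSON responses strictly instead of eval-ing them, HTML-escapes fields before they reach the DOM, and validates whatever it reads back from web storage. The `prefs` key, the field names and the storage-like object are assumptions for the example.

```javascript
// Added example, not part of the talk or of Mutillidae: a browser-side
// consumer that treats JSON responses and web storage as untrusted input.

// Escape the five characters that let plain text turn into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Strict parse: JSON.parse throws on trailing code, comments and bare
// expressions that a legacy eval()-based JSON parser would have executed.
function parseStrictJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Build the markup for a user record. Every field is escaped, so a payload
// hidden inside a JSON string stays inert text (contrast with
// element.innerHTML = data.name, which would render it as live markup).
function renderUser(jsonText) {
  const parsed = parseStrictJson(jsonText);
  if (!parsed.ok || typeof parsed.value !== 'object' || parsed.value === null) {
    return '<p class="error">Invalid response</p>';
  }
  return `<li class="user">${escapeHtml(parsed.value.name ?? '')}</li>`;
}

// Web storage lives on the client, so anyone with access to the browser can
// alter it. Validate type and range on every read instead of trusting what
// the application stored earlier. `storage` is any object with getItem(),
// e.g. window.localStorage; the 'prefs' key and fields are assumptions.
function loadPrefs(storage, defaults = { theme: 'light', pageSize: 20 }) {
  const parsed = parseStrictJson(storage.getItem('prefs') ?? '');
  const raw = parsed.ok && parsed.value !== null && typeof parsed.value === 'object'
    ? parsed.value : {};
  const theme = raw.theme === 'dark' || raw.theme === 'light' ? raw.theme : defaults.theme;
  const pageSize = Number.isInteger(raw.pageSize) && raw.pageSize > 0 && raw.pageSize <= 100
    ? raw.pageSize : defaults.pageSize;
  return { theme, pageSize };
}
```

In a page, `renderUser` output goes into the DOM only after escaping, and `loadPrefs(window.localStorage)` replaces any direct trust in stored values.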


The web application used in the demonstration is Mutillidae, a deliberately vulnerable app designed to act as a realistic target for practicing web pen testing. Mutillidae comes pre-installed on Metasploitable 2 and Samurai Web Testing Framework 0.99, and can additionally be installed on Windows or Linux using XAMPP.


The speaker is webpwnized (@webpwnized); the video was recorded by Adrian Crenshaw (@irongeek_adc).