How it works...

In this recipe, we first analyzed the behavior of the application and noticed two things: it did not contact the server to add information to the page, and it reflected a value supplied by the user. We then examined the script that adds the data to the browser's internal storage and saw that this data may not be properly validated and is presented back to the user through the innerHTML property, at least for the key value. Assigning to innerHTML means the data is treated as HTML code rather than as text.

To test this lack of validation, we first inserted some text containing HTML header tags and saw the browser interpret it as markup. Our last step was an XSS proof of concept, which was successful.
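The following is an added example, not code from the book or from the application it tests. It models the pattern described above: values read from browser storage are concatenated into a string that the page assigns to innerHTML, so any tags in them are parsed as markup. Beside it is the hardened form, which HTML-escapes the untrusted key and value first (equivalent to inserting them with textContent). The storage contents, the function names and the allowed-tag list are all assumptions made for the example; it runs under Node with a Map standing in for localStorage.

```javascript
// Added example (not the book's code): DOM XSS pattern, vulnerable vs. hardened.

// Stand-in for window.localStorage so the example runs without a browser.
// Constructed sample data: one harmless entry and one whose key carries HTML.
const fakeStorage = new Map([
  ['colour', 'blue'],
  ['<h1>title</h1>', 'injected'], // key containing markup, as in the recipe
]);

// Vulnerable pattern: key and value are concatenated straight into HTML.
// When the page assigns this string to element.innerHTML, the browser parses
// every tag in it, including those that came from user input.
function renderEntryUnsafe(key, value) {
  return `<li><b>${key}</b>: ${value}</li>`;
}

// Hardened pattern: escape the characters that have meaning in HTML so the
// stored text is displayed literally instead of being interpreted.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderEntrySafe(key, value) {
  return `<li><b>${escapeHtml(key)}</b>: ${escapeHtml(value)}</li>`;
}

// Render every stored entry, the way the page's own script loops over keys.
function renderAll(storage, renderer) {
  const items = [];
  for (const [key, value] of storage) items.push(renderer(key, value));
  return `<ul>${items.join('')}</ul>`;
}

// Review check: the template only ever emits <ul>, <li> and <b>. Any other
// tag in the rendered output must have originated from stored data.
const ALLOWED_TAGS = new Set(['ul', '/ul', 'li', '/li', 'b', '/b']);
function hasUnexpectedTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?\w+)[^>]*>/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !ALLOWED_TAGS.has(t));
}

// Running stand-alone: the unsafe render leaks an <h1> from storage into
// the markup; the escaped render does not.
console.log('unsafe has injected tags:',
  hasUnexpectedTags(renderAll(fakeStorage, renderEntryUnsafe)));
console.log('safe has injected tags:',
  hasUnexpectedTags(renderAll(fakeStorage, renderEntrySafe)));
```

In a real page the simplest fix is to build the list items as elements and set their text with textContent rather than assembling an HTML string at all; escapeHtml is the equivalent when the string form cannot be avoided. The hasUnexpectedTags check is a convenient way to confirm during testing that nothing from storage reaches the DOM as markup.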
