Prior to HTML5, the only way a web application could store information persistently or on a session basis in a user's computer was through cookies. In this new version of the language, new storage options, called web storage, are added, namely local storage and session storage. These allow an application to store and retrieve information from a client (browser) using JavaScript, and this information is kept until explicitly deleted, in the case of local storage, or in the case of session storage, until the tab or window that saved it is closed.

In this recipe, we will use XSS vulnerabilities to retrieve information from the browser's web storage, showing that this information can be easily exfiltrated by an attacker if an application is vulnerable.