Local storage and client databases

Before HTML5, the only mechanism that allowed a web application to store information on the client side was the cookie. There were also workarounds, such as Java applets and Adobe Flash, which brought many security concerns of their own. HTML5 can now store structured and unstructured persistent data on the client through two new features: Web Storage and IndexedDB.

As a penetration tester, you need to be aware of any usage of client-side storage by the application. If the information stored there is sensitive, make sure that it is properly protected and encrypted. Also, test whether stored information is used for operations further along in the application, and if it can be tampered with to generate an XSS scenario, for example. Finally, check to be sure that such information is correctly validated on input and sanitized on output.
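As an added example that is not from the book, the following JavaScript shows the flow described above in both its vulnerable and hardened forms: a value is written to Web Storage and later rendered. A Map stands in for `window.localStorage` so it runs outside a browser; the display-name validation rule and the sensitive-key heuristics in the tester's check are assumptions made for this demo.

```javascript
// Added example (not from the book). A Map stands in for window.localStorage so it
// runs under Node; in a browser, swap the Map for localStorage and the string
// templates for DOM updates.
const storage = new Map();

// Input validation: a display name is short and made of letters, digits, spaces
// and a few punctuation characters. The rule is an assumption for this demo.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} _.-]{1,40}$/u;
function isValidDisplayName(value) {
  return typeof value === 'string' && DISPLAY_NAME_RE.test(value);
}

// Output sanitization: escape the five characters that matter in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable flow: whatever is in storage is dropped into markup verbatim. Anyone who
// can edit storage (browser DevTools, another bug, a shared device) controls the HTML.
function saveProfileUnsafe(displayName) {
  storage.set('displayName', displayName);
}
function renderProfileUnsafe() {
  const name = storage.get('displayName') ?? '';
  return `<span class="name">${name}</span>`; // would be innerHTML in a browser
}

// Hardened flow: validate on the way in, escape on the way out. Both are needed,
// because the stored value can be changed after it was validated.
function saveProfileSafe(displayName) {
  if (!isValidDisplayName(displayName)) throw new Error('invalid display name');
  storage.set('displayName', displayName);
}
function renderProfileSafe() {
  const name = storage.get('displayName') ?? '';
  return `<span class="name">${escapeHtml(name)}</span>`; // or textContent in a browser
}

// Tester's check: flag storage entries whose key name or value shape suggests a secret
// that should not live unprotected on the client. Heuristics only, not a complete list.
const SENSITIVE_KEY_RE = /token|session|password|secret|auth|jwt/i;
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
function findSensitiveEntries(entries) {
  return entries
    .filter(([key, value]) => SENSITIVE_KEY_RE.test(key) || JWT_RE.test(String(value)))
    .map(([key]) => key);
}
```

In a real test, `findSensitiveEntries(Object.entries(localStorage))` run from the browser console gives a first list of entries to examine; each hit then needs the protection and tampering checks described above.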
