In this section, we'll look at HTML5-storage manipulation using the DOM, point out potentially dangerous sinks that can be used as part of this kind of attack, and suggest ways to reduce your exposure to HTML5-storage manipulation.
HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the HTML5 storage of the web browser (either localStorage or sessionStorage). An attacker may be able to use this behavior to construct a URL that, if visited by another user, will cause the user's browser to store attacker-controllable data.
The following are some of the main sinks that can lead to DOM-based HTML5-storage manipulation vulnerabilities:
In addition to the general measures described on the DOM-based vulnerabilities page, you should avoid allowing data from any untrusted source to be placed in HTML5 storage.
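The pattern described above, next to a hardened form, as an added example that is not code from the original page. The `theme` parameter, the `app.example` URLs, the allowlist and the `MemoryStorage` stand-in (used so the code runs outside a browser) are all assumptions made for illustration; the read-side check goes one step beyond the advice above.

```javascript
// Stand-in for window.localStorage / window.sessionStorage (hypothetical helper,
// same setItem/getItem contract) so the example runs under Node as well.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(String(key), String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// Vulnerable pattern: a value taken from the URL reaches the storage sink
// unchecked, so whoever builds the link decides what the browser stores.
function storeThemeUnsafe(url, storage) {
  const theme = new URL(url).searchParams.get('theme');
  if (theme !== null) storage.setItem('theme', theme);
}

// Hardened pattern: only values from a fixed allowlist are ever written.
const ALLOWED_THEMES = new Set(['light', 'dark']);

function storeThemeSafe(url, storage) {
  const theme = new URL(url).searchParams.get('theme');
  if (theme === null || !ALLOWED_THEMES.has(theme)) return false; // nothing stored
  storage.setItem('theme', theme);
  return true;
}

// Read side: storage may already hold a value written by older code,
// so validate again before use and fall back to a known default.
function readTheme(storage) {
  const stored = storage.getItem('theme');
  return ALLOWED_THEMES.has(stored) ? stored : 'light';
}

// Constructed sample input (not from the page).
const untrustedUrl = 'https://app.example/settings?theme=attacker-chosen-value';
const normalUrl = 'https://app.example/settings?theme=dark';

const unsafeStore = new MemoryStorage();
storeThemeUnsafe(untrustedUrl, unsafeStore);
console.log('unsafe store holds:', unsafeStore.getItem('theme'));

const safeStore = new MemoryStorage();
console.log('untrusted URL accepted:', storeThemeSafe(untrustedUrl, safeStore));
console.log('normal URL accepted:', storeThemeSafe(normalUrl, safeStore));
console.log('theme used by page:', readTheme(safeStore));
```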