Security Test - Storage Theft

Collector Log

Payloads in the Live Output column run automatically in sandboxed iframes. Fetch and beacon calls appear here (auto-refreshes every 2 s).

Storage Theft Security Test Cases

Columns: Case, Name, Payload, Expected Behavior, Live Output

B1: Steal localStorage
Payload: <script>fetch('/collect/local?value=' + encodeURIComponent(localStorage.getItem('token') || ''))</script>
Expected Behavior: Crawler output should not execute localStorage-reading script text.

B2: Steal sessionStorage
Payload: <script>fetch('/collect/session?value=' + encodeURIComponent(sessionStorage.getItem('token') || ''))</script>
Expected Behavior: Crawler output should not execute sessionStorage-reading script text.

B3: Steal cookies and both storage objects
Payload: <script>fetch('/collect/all', {method:'POST', body: JSON.stringify({cookie: document.cookie, local: {...localStorage}, session: {...sessionStorage}})})</script>
Expected Behavior: Crawler output should keep combined credential-reading payload text inert.
