Demonstration of some client-side web application vulnerabilities (DOM XSS, Clickjacking) and wrong usage of local storage.
Switch branches/tags
Nothing to show
Pull request Compare This branch is even with thomaspatzke:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Clientside Vulnerabilities Demo App

This little project contains a vulnerable application (NeverNote) and
attacks against it for demonstration purposes. I use it to demonstrate
some clientside web application attacks, particullary:

- DOM-based XSS

- Peristence of JavaScript-based malware in code cached in the LocalStorage

- Clickjacking


Put the files on a web server or start lighttpd with the provided
configuration file (adapt web root!) from the root directory of this
project. I use this command line:

lighttpd -f lighttpd.conf -D

With the provided files the following demonstration apps/pages can be used:

- http://localhost:8000/nevernote/v1/nevernote.html: Vulnerable version of demo app

  * Note viewer is vulnerable against DOM-based XSS, e.g. add the following payload:

    <img src=x onerror=alert(document.domain)>

  * Has fast-add feature by URL fragment:


    Do you see a random token? ;-)

  * Click on app-banner in bottom right corner to access some debug functionality.

- http://localhost:8000/nevernote/v2/nevernote.html: Not vulnerable
  against DOM-based XSS. But infection previously done in v1 is still
  present until cache is cleaned.

- http://localhost:8000/attacker/attack.html: Add DOMXSS payload by fast-note

- http://localhost:8000/attacker/infect.html: Add note with XSS
  payload that "infects" apps locally cached JS

- http://localhost:8000/attacker/infect.js: Infect payload used by
  infect.html - it adds some code to locally cached JS of nevernote.js
  which submits newly added notes to logger.

- http://localhost:8000/attacker/ Logs value of parameter
  msg in log/<parameter apps>.log

- http://localhost:8000/attacker/clickjacking.html: a clickjacking
  attack against the note app. The click point "X" is above the
  transparent frame at loading time but drops below on mouseover
  event. After five seconds a message appears that the user won. The
  click point is placed on the delete button of the first note. If the
  user clicks fast on it as instructed, many notes are deleted. Verify
  position of click point before live demos! It may be displaced on
  some resolutions/conditions.


This app shows:

- (locally stored) DOM-based XSS.

- Why browser local storages of users must be considered as
  compromised after a XSS vulnerability was present. And why it is a
  bad idea to cache JavaScript code manually in the local storage.

- Why fixes must also consider the client side.

- Clickjacking

Copyright 2013 Thomas Skora <>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <>.