LocalStorage Blues
A rap about what happens when “remember me” becomes “remember everything, forever, in plaintext, for anyone with XSS access.”
Vocals, lyrics & production: Dennis Schmock
Based on a true story
This song documents actual vulnerabilities found in production code: plaintext credentials in localStorage, logout functions that didn't clear sensitive data, “remember me” checkboxes that stored PINs permanently, and SSO tickets sitting in client-side storage waiting for XSS exploitation.
These aren't exotic edge cases. They're Tuesday afternoon bugs that should've been caught by tests.
The vulnerabilities
This song catalogs real security flaws that tests should catch:
- Plaintext credentials in localStorage — username, PIN and password stored as-is; client-side encryption would not have rescued this either, since the key would have to live in the same browser the attacker's script runs in
- Broken logout — cleared SSO ticket but left all other sensitive data
- “Remember me” storing PINs — permanent client-side storage of authentication secrets
- XSS-exploitable session tokens — SSO tickets in localStorage instead of HttpOnly cookies
- Missing CSP headers — no Content Security Policy to limit what an injected script can load, run or send home once XSS lands
- GDPR violations — sensitive data persisted without consent or proper deletion
Every one of these should have been caught by security tests before deployment. They weren't exotic attacks — they were “inspect element, copy token, win” vulnerabilities.
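The pattern behind the first three bullets, shown as an added example rather than code from the song or from the codebase it describes: a "remember me" login that persists secrets in localStorage and a logout that clears only the SSO ticket, side by side with a hardened version and the audit check a test suite could have run. Node has no `window.localStorage`, so a minimal in-memory stand-in with the same Storage API is constructed here; the `app:` key prefix, the sample credentials and the cookie arrangement mentioned in the comments are assumptions for the demo, not details from the original code.

```javascript
// Added example: "before" and "after" of the remember-me / logout bugs the
// page lists, plus the storage audit that should have caught them in CI.
// Hypothetical in-memory stand-in for window.localStorage (Node has none).
function makeStorage() {
  const items = new Map();
  return {
    get length() { return items.size; },
    key: (i) => [...items.keys()][i] ?? null,
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
    clear: () => { items.clear(); },
  };
}

function storageKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

// --- Before: the pattern the song is about ---------------------------------
function vulnerableLogin(storage, { username, pin, password, ssoTicket, rememberMe }) {
  // Session token in localStorage: any script running on the origin (XSS) reads it.
  storage.setItem("ssoTicket", ssoTicket);
  if (rememberMe) {
    // "Remember me" taken literally: authentication secrets, plaintext, no expiry.
    storage.setItem("username", username);
    storage.setItem("pin", pin);
    storage.setItem("password", password);
  }
}

function vulnerableLogout(storage) {
  // Clears the ticket and nothing else; PIN and password survive the logout.
  storage.removeItem("ssoTicket");
}

// --- After: hardened --------------------------------------------------------
const APP_PREFIX = "app:"; // assumed namespace so logout can find every key it owns

function hardenedLogin(storage, { username, rememberMe }) {
  // No token is written here. Assumption: the server issues the session via
  // Set-Cookie with HttpOnly; Secure; SameSite, so page scripts never see it.
  if (rememberMe) {
    // The only thing worth remembering client-side is a non-secret convenience value.
    storage.setItem(APP_PREFIX + "lastUsername", username);
  }
}

function hardenedLogout(storage) {
  // Remove every key this app owns, not just the one we happen to remember.
  for (const k of storageKeys(storage)) {
    if (k.startsWith(APP_PREFIX)) storage.removeItem(k);
  }
}

// --- The test that should have caught it ------------------------------------
// Heuristic: key names that suggest a secret. A test asserts the list is empty
// both right after login and right after logout.
const SECRET_KEY_PATTERN = /pin|pass|ticket|token|secret|session|auth/i;

function findSensitiveKeys(storage) {
  return storageKeys(storage).filter((k) => SECRET_KEY_PATTERN.test(k)).sort();
}

// What an injected script sees: the whole store as a plain object.
function dumpStorage(storage) {
  return Object.fromEntries(storageKeys(storage).map((k) => [k, storage.getItem(k)]));
}

// Run both flows against constructed sample credentials and report findings.
function runDemo() {
  const creds = { username: "alice", pin: "4321", password: "hunter2",
                  ssoTicket: "ST-constructed-sample", rememberMe: true };

  const before = makeStorage();
  vulnerableLogin(before, creds);
  const vulnAfterLogin = findSensitiveKeys(before);
  vulnerableLogout(before);
  const vulnAfterLogout = findSensitiveKeys(before);
  const leakedAfterLogout = dumpStorage(before);

  const after = makeStorage();
  hardenedLogin(after, creds);
  const hardenedAfterLogin = findSensitiveKeys(after);
  hardenedLogout(after);

  return {
    vulnerable: { afterLogin: vulnAfterLogin, afterLogout: vulnAfterLogout, leakedAfterLogout },
    hardened: { afterLogin: hardenedAfterLogin, keysLeftAfterLogout: after.length },
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running it shows the vulnerable flow leaving `pin` and `password` behind after logout (exactly what `dumpStorage` would hand an attacker), while the hardened flow never writes a secret and leaves zero keys. `findSensitiveKeys` is the kind of assertion that belongs in an end-to-end test after every logout path; it is a name heuristic, so pair it with a review of what the app actually writes.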
Want to avoid these bugs?
Check out Ward #1: Yes, You Can Actually Build Good Software With AI for a test-driven approach that catches security bugs before they ship.