Artist Statement

On the illusion of data sovereignty and the theater of client-side storage

DOMbase is a fully functional cyber risk assessment tool that stores all of its data in the browser's localStorage. It works. You can complete assessments, generate scores, export shareable URLs, and browse all stored records in the admin panel.

It is also, by design, catastrophically insecure.

The Premise

In the rush to build "serverless" applications and reduce infrastructure costs, developers sometimes reach for client-side storage as a database substitute. localStorage is appealing: it's simple, it's free, it persists across sessions, and it requires no backend.

DOMbase takes this pattern to its logical conclusion, building an entire enterprise security assessment platform on top of localStorage.setItem().

"Why run a database when you can just store JSON in the DOM?"
— No one who should be building security software

The Vulnerabilities

Every design decision in DOMbase represents a real anti-pattern found in production applications:

Predictable Storage Keys

Assessment records are stored under keys like assessment_acme_corp. If you know (or can guess) an organization's name, you can access their data. There's no obfuscation, no random identifiers, no access control.

No Authentication

The admin panel requires no login. Anyone who navigates to /admin.html can view all stored assessments. This mirrors real applications where administrative functions are "protected" only by obscurity—hidden URLs that anyone can discover.

Data in URLs

The "Export URL" feature encodes the entire assessment as URL parameters. This is a real pattern used by sales teams and "quick share" features. These URLs end up in browser history, server logs, analytics platforms, and shared Slack channels.

Try exporting an assessment and look at the URL. Every answer, every score, the organization name—all visible in plain text.

No Data Isolation

All assessments share the same localStorage namespace. There's no multi-tenancy, no encryption, no separation. If this were a real SaaS product, every customer using the same browser profile could see every other customer's data.

The Irony

DOMbase is a security assessment tool. It asks organizations to evaluate their cybersecurity maturity across governance, identity management, protection, detection, response, and recovery.

Meanwhile, the tool itself would fail every category it measures.

This is the joke, but it's also the point. We build tools to measure security while shipping software that undermines it. We create compliance checklists while ignoring basic data protection. We ask organizations about their access controls while our admin panels sit wide open.

The Lesson

localStorage is not a database. URLs are not secure transport. Obscurity is not access control. Client-side storage is visible to anyone with DevTools.

These aren't exotic vulnerabilities. They're the mundane consequences of prioritizing convenience over security, speed over architecture, shipping over thinking.

DOMbase exists to make these consequences visible, tangible, even a little funny. Because sometimes the best way to learn what not to do is to do it spectacularly, intentionally, and in plain sight.

Try It Yourself

Open your browser's DevTools. Go to Application → Local Storage. You'll see everything. Edit a value. Refresh the page. Watch your changes persist. This is your data. This is everyone's data.

Welcome to the DOM.

About CVE.art

Creative (Attack) Vectors and Expressions of Art is a digital art gallery exploring security design through intentionally flawed but fully functional web applications. Each installation embodies a specific security anti-pattern, pushed to an absurd but internally consistent extreme.

DOMbase is one installation in this gallery. Others explore authentication decay, JWT bloat, consent theater, and federated trust failures.
