329 – Keep client-side storage without sensitive data

Summary

Personal, sensitive and session data must not be stored in the client-side storage (localStorage, sessionStorage, cookies without security attributes, mobile device unencrypted storage, etc.).

Description

Data placed in the localStorage persists after a session is closed and thus, any actor with access to the browser will be able to obtain it. Furthermore, data in the localStorage or in the sessionStorage is visible to scripts that are running on the browser, and these scripts could belong to malicious third-parties. Therefore, no sensitive or session information should be stored in the client-side storage.

Supported In

Essential: True

Advanced: True

References

• CAPEC-74. Manipulating state
• CWE-922. Insecure storage of sensitive information
• EPRIVACY-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• GDPR-R51. Protecting sensitive personal data
• NIST80063-7_1. Session bindings
• OWASP10-A2. Cryptographic failures
• PDPA-6_24. Protection of personal data
• PDPO-S1_4. Security of personal data
• CMMC-AC_L2-3_1_19. Encrypt CUI on mobile
• CMMC-CM_L2-3_4_9. User-installed software
• CMMC-SC_L2-3_13_16. Data at rest
• HITRUST-09_q. Information handling procedures
• FEDRAMP-SC-28. Protection of information at rest
• IEC62443-DC-4_1. Information confidentiality
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
• ISSAF-T_14_3. Web application assessment - Cookie manipulation
• OWASPSCP-8. Data protection
• BSAFSS-SM_3-1. Supply chain data is protected
• BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
• ASVS-1_8_2. Data protection and privacy architecture
• ASVS-8_2_1. Client-side data protection
• C2M2-9_5_b. Implement data security for cybersecurity architecture
• SIGLITE-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
• CASA-1_8_2. Data Protection and Privacy Architecture
• CASA-8_2_1. Client-side Data Protection
• CASA-8_2_2. Client-side Data Protection

Weaknesses

• 283 – Automatic information enumeration - Personal Information
• 351 – Automatic information enumeration - Corporate information
• 085 – Sensitive data stored in client-side storage

Last updated

2023/09/18