Typescript Client Storage Exposure
Description
Detects when sensitive data is exposed by storing it in client-side storage mechanisms like localStorage or sessionStorage in TypeScript/JavaScript code. This is a security risk since client-side storage is accessible to malicious scripts and can expose sensitive application data.
Detection Strategy
• Identifies assignments or operations involving browser storage APIs (localStorage, sessionStorage)
• Reports issues when sensitive data is written to client storage without proper encryption or security controls
• Specifically looks for direct storage of tokens, credentials, or other sensitive values in client-side storage
• Triggers on code patterns like 'localStorage.setItem(key, sensitiveData)' or 'sessionStorage.setItem(...)'
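As an added illustration of the detection strategy above (example code written for this page, not Fluid Attacks' own analyzer), the following TypeScript scanner flags lines that write sensitive-looking keys or values to localStorage or sessionStorage. The list of sensitive terms and the sample source it scans are constructed assumptions; a real analyzer would work on a syntax tree rather than regular expressions, but the line-based form makes the rule's logic easy to follow.

```typescript
// Added example: a minimal line-oriented detector for writes of
// sensitive-looking data to browser storage. Not the page's or the
// vendor's code; the term list and sample source below are constructed.

interface Finding {
  line: number;     // 1-based line number in the scanned source
  storage: string;  // "localStorage" or "sessionStorage"
  key: string;      // key passed to setItem (literal text or identifier)
  reason: string;   // why the line was flagged
}

// Assumed heuristic list of terms that suggest a secret. Deliberately
// excludes 'auth' so that harmless flags like 'is_authenticated' pass.
const SENSITIVE_TERMS: string[] = [
  'token', 'password', 'passwd', 'secret', 'credential',
  'apikey', 'api_key', 'jwt', 'refresh',
];

// Matches `localStorage.setItem(<key>, <value>)` and the sessionStorage
// form, optionally prefixed with `window.`. Group 1 = storage object,
// group 3 = key text (quotes stripped), group 4 = value expression.
const SET_ITEM_RE =
  /\b(?:window\.)?(localStorage|sessionStorage)\.setItem\(\s*(['"`]?)([^,'"`]*)\2\s*,\s*([^)]*)\)/;

function isSensitive(text: string): boolean {
  const lowered = text.toLowerCase();
  return SENSITIVE_TERMS.some((term) => lowered.includes(term));
}

// Scans source text and returns one Finding per offending setItem call.
function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((line, idx) => {
    const m = SET_ITEM_RE.exec(line);
    if (!m) return;
    const storage = m[1] ?? '';
    const key = (m[3] ?? '').trim();
    const value = (m[4] ?? '').trim();
    if (isSensitive(key)) {
      findings.push({ line: idx + 1, storage, key, reason: `sensitive key '${key}'` });
    } else if (isSensitive(value)) {
      findings.push({ line: idx + 1, storage, key, reason: `sensitive value expression '${value}'` });
    }
  });
  return findings;
}

// Constructed sample source: lines 3, 4 and 8 should be flagged; the
// non-sensitive flag, theme and preferences writes should not.
const SAMPLE_SOURCE = `
function storeCredentials(token: string, password: string) {
  sessionStorage.setItem('token', token);
  sessionStorage.setItem('password', password);
  sessionStorage.setItem('is_authenticated', 'true');
  localStorage.setItem('theme', 'dark');
  window.localStorage.setItem('prefs', JSON.stringify(prefs));
  localStorage.setItem(cacheKey, apiKeyValue);
}
`;

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.storage}.setItem -> ${f.reason}`);
}
```

The third flagged line shows why the rule checks the value expression as well as the key: a neutral key name such as `cacheKey` does not make the stored value safe.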
Vulnerable code example
    function storeCredentials(token: string, password: string) {
      // Vulnerable: Storing sensitive auth token in sessionStorage
      sessionStorage.setItem('token', token);
      // Vulnerable: Storing password in client-side storage
      sessionStorage.setItem('password', password);
    }

✅ Secure code example
    function storeCredentials(token: string, password: string) {
      // Safe: Store only non-sensitive session indicators
      sessionStorage.setItem('is_authenticated', 'true');
      // Safe: Store expiration time instead of actual token
      // (parseJwt and encodeAndObfuscate are helpers not shown in this excerpt)
      const tokenData = parseJwt(token);
      const expirationTime = (tokenData.exp * 1000 - 45 * 60 * 1000) / 1000;
      const encodedExpiration = encodeAndObfuscate(expirationTime);
      ...