Javascript Local Storage With Sensitive Data
Description
Detects when sensitive data is stored in browser localStorage, which is an insecure client-side storage mechanism. Since localStorage persists data unencrypted and is accessible via JavaScript, storing sensitive information like credentials or tokens creates security risks.
Detection Strategy
• Check for calls to localStorage.setItem() or similar storage methods
• Analyze the data being stored to identify sensitive information like tokens, passwords, or PII
• Look for localStorage access following HTTP requests/responses to identify stored API data
• Verify if the stored data includes sensitive values from cookies, form inputs, or API responses
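As an added illustration of these four checks (example code written for this page, not Fluid Attacks' own detection logic; the regexes, the sensitive-name list and the sample source are constructed), the scanner below walks a file line by line, remembers variables assigned from axios/fetch calls, and flags localStorage or sessionStorage writes whose key or value looks sensitive, is read from document.cookie, or is derived from an HTTP response variable.

```javascript
// Added example, not Fluid Attacks' detection code. The regexes, the
// sensitive-name list and SAMPLE_SOURCE are constructed for illustration;
// the scan assumes one statement per line.

// localStorage.setItem(key, value) / sessionStorage.setItem(key, value)
const SETITEM_RE = /\b(localStorage|sessionStorage)\s*\.\s*setItem\s*\(\s*([^,]+?)\s*,\s*(.+?)\)\s*(?:;|$)/;
// localStorage.someKey = value
const ASSIGN_RE = /\b(localStorage|sessionStorage)\s*\.\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?)\s*;?\s*$/;
// const res = await axios.get(...)  /  const r = await fetch(...)
const HTTP_SOURCE_RE = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:await\s+)?(?:axios\s*\.\s*\w+|fetch)\s*\(/;
// Names that usually mean credentials, tokens or PII (heuristic list).
const SENSITIVE_RE = /token|jwt|passw(or)?d|secret|api[_-]?key|session|auth|credential|ssn|card/i;

// Split an expression into its identifier-like tokens.
function identifiers(expr) {
  return expr.split(/[^\w$]+/).filter(Boolean);
}

// Returns one finding per suspicious storage write: { line, storage, key, reasons }.
function scanSource(source) {
  const httpVars = new Set(); // variables that hold an HTTP response
  const findings = [];
  source.split('\n').forEach((rawLine, index) => {
    const line = rawLine.trim();
    const http = HTTP_SOURCE_RE.exec(line);
    if (http) httpVars.add(http[1]);

    const match = SETITEM_RE.exec(line) || ASSIGN_RE.exec(line);
    if (!match) return;
    const [, storage, key, value] = match;
    const reasons = [];
    if (SENSITIVE_RE.test(key)) reasons.push(`key ${key} looks sensitive`);
    if (SENSITIVE_RE.test(value)) reasons.push('value expression names sensitive data');
    if (/document\s*\.\s*cookie/.test(value)) reasons.push('value taken from document.cookie');
    for (const name of identifiers(value)) {
      if (httpVars.has(name)) reasons.push(`value derived from HTTP response variable ${name}`);
    }
    if (reasons.length) findings.push({ line: index + 1, storage, key, reasons });
  });
  return findings;
}

// Constructed sample source: lines 2, 5 and 7 should be flagged, the rest are benign.
const SAMPLE_SOURCE = [
  "const res = await axios.get('/api/login', { params: { user, pass } });",
  "localStorage.setItem('authToken', res.data.token);",
  "localStorage.setItem('theme', 'dark');",
  "sessionStorage.setItem('cart', JSON.stringify(cart));",
  "localStorage.user = JSON.stringify(res.data);",
  "localStorage.setItem('lastVisit', String(Date.now()));",
  "localStorage.setItem('sid', document.cookie);",
].join('\n');

const report = scanSource(SAMPLE_SOURCE);
for (const f of report) {
  console.log(`line ${f.line}: ${f.storage} key ${f.key}`);
  for (const r of f.reasons) console.log(`  - ${r}`);
}
```

This is deliberately a text heuristic: it has no string or comment awareness, so a name such as "author" trips the "auth" pattern, and a response variable that is copied into another variable before being stored is missed. A production SAST rule does the same three things on the AST with data-flow tracking; the point here is to make visible what the rule is looking for.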
Vulnerable code example
const axios = require('axios');
async function fetchAndStore() {
  // Vulnerable: Directly storing raw HTTP response in localStorage without sanitization
  const response = await axios.get('https://api.example.com/data');
  localStorage.setItem('userData', response); // Could contain malicious scripts/content
  // Another vulnerable pattern with fetch API...
}
✅ Secure code example
const axios = require('axios');
async function fetchAndStore() {
  try {
    // Sanitize API response by only extracting needed data and converting to string
    const response = await axios.get('https://api.example.com/data');
    const sanitizedData = JSON.stringify(response.data); // Only store parsed data, not raw response
    localStorage.setItem('userData', sanitizedData);
    // ...
  } catch (error) {
    // Handle network or storage errors instead of letting them propagate unhandled
    console.error('Failed to fetch or store data', error);
  }
}
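The secure example above stringifies response.data before storing it, which fixes the raw-object write but still persists every field the API returned. The following added example (not Fluid Attacks' code; the field names, the sample response and the MemoryStorage stand-in are constructed) goes one step further in the same direction: it copies only an allowlist of non-sensitive fields into storage, keeps the access token in memory for the page lifetime instead of persisting it, and re-validates whatever it reads back, since any script on the origin can rewrite localStorage. MemoryStorage is a minimal substitute for the browser Storage interface so the snippet runs under Node.

```javascript
// Added example, not Fluid Attacks' code. All field names, the sample API
// response and MemoryStorage are constructed for illustration.

// Minimal stand-in for window.localStorage so this runs outside a browser.
class MemoryStorage {
  constructor() { this.store = new Map(); }
  getItem(key) { return this.store.has(key) ? this.store.get(key) : null; }
  setItem(key, value) { this.store.set(key, String(value)); } // Storage coerces to string
  removeItem(key) { this.store.delete(key); }
}

// Only these response fields may be cached client-side (assumed allowlist).
const SAFE_PROFILE_FIELDS = ['id', 'displayName', 'locale'];
const PROFILE_KEY = 'userProfile';
// Guard against a sensitive field being added to the allowlist by mistake.
const SENSITIVE_FIELD_RE = /token|secret|passw(or)?d|session|cookie|ssn/i;

// Held in memory for the page lifetime instead of being persisted.
let accessToken = null;

// Copy only allowlisted fields; refuse to run if the allowlist itself names a secret.
function pickSafeProfile(data) {
  const safe = {};
  for (const field of SAFE_PROFILE_FIELDS) {
    if (SENSITIVE_FIELD_RE.test(field)) {
      throw new Error(`refusing to persist sensitive field "${field}"`);
    }
    if (Object.prototype.hasOwnProperty.call(data, field)) safe[field] = data[field];
  }
  return safe;
}

// Counterpart of the page's fetchAndStore(): the token stays in memory and
// only allowlisted profile fields reach storage.
function storeResponse(storage, responseData) {
  accessToken = typeof responseData.accessToken === 'string' ? responseData.accessToken : null;
  const safe = pickSafeProfile(responseData);
  storage.setItem(PROFILE_KEY, JSON.stringify(safe));
  return safe;
}

// Treat storage contents as untrusted: parse defensively, re-apply the
// allowlist, and drop anything malformed.
function loadProfile(storage) {
  const raw = storage.getItem(PROFILE_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      throw new Error('unexpected shape');
    }
    return pickSafeProfile(parsed);
  } catch (err) {
    storage.removeItem(PROFILE_KEY);
    return null;
  }
}

function getAccessToken() { return accessToken; }

// Constructed sample response, as a login endpoint might return it.
const SAMPLE_RESPONSE = {
  id: 42,
  displayName: 'Ada',
  locale: 'en-GB',
  accessToken: 'constructed-token-value',
  ssn: '000-00-0000',
};

const storage = new MemoryStorage();
storeResponse(storage, SAMPLE_RESPONSE);
console.log('persisted:', storage.getItem(PROFILE_KEY));
console.log('loaded:', loadProfile(storage));
```

Re-applying the allowlist in loadProfile() matters as much as applying it on the way in: a value planted in localStorage by another script on the origin (an extra "isAdmin" field, say) is dropped rather than trusted. In a real application the in-memory token would be obtained again after a reload, typically through a cookie the server marks HttpOnly so that page scripts cannot read it.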