085 – Sensitive data stored in client-side storage

Description

The application stores sensitive information in the client-side storage (localStorage or sessionStorage). This exposes the information to unauthorized read operations.

Impact

Obtain sensitive information through XSS or MitB attacks.

Recommendation

Do not use the client side storage to store sensitive information, use cookies instead by defining their respective security attributes.

Threat

Attacker with physical or virtual access to the victims browser.

Expected Remediation Time

120 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 177 - Avoid caching and temporary files
• 329 - Keep client-side storage without sensitive data

Fixes

• Csharp
• Ruby

Last updated

2024/02/12