Sensitive data stored in client-side storage

Description

The application stores sensitive information in the client-side storage (localStorage or sessionStorage). This exposes the information to unauthorized read operations.

Impact

Obtain sensitive information through XSS or MitB attacks.

Recommendation

Do not use the client side storage to store sensitive information, use cookies instead by defining their respective security attributes.

Threat

Attacker with physical or virtual access to the victims browser.

Expected Remediation Time

⏱️ 120 minutes.

Requirements

177 - Avoid caching and temporary files 329 - Keep client-side storage without sensitive data 375 - Remove sensitive data from client-side applications

Rules

Dart Insecure Data Storage Javascript Sensitive Information Indexeddb Typescript Client Storage Exposure Typescript Sensitive Information Indexeddb Javascript Client Storage Exposure

Fixes

Csharp Ruby