Keep client-side storage without sensitive data
Summary
Personal, sensitive and session data must not be stored in the client-side storage (localStorage, sessionStorage, cookies without security attributes, mobile device unencrypted storage, etc.).
Description
Data placed in the localStorage persists after a session is closed and thus, any actor with access to the browser will be able to obtain it. Furthermore, data in the localStorage or in the sessionStorage is visible to scripts that are running on the browser, and these scripts could belong to malicious third-parties. Therefore, no sensitive or session information should be stored in the client-side storage.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-74. Manipulating state
- CWE™-922. Insecure storage of sensitive information
- ePrivacy Directive-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- GDPR-R51. Protecting sensitive personal data
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A2. Cryptographic failures
- PDPA-6_24. Protection of personal data
- PDPO-S1_4. Security of personal data
- CMMC-AC_L2-3_1_19. Encrypt CUI on mobile
- CMMC-CM_L2-3_4_9. User-installed software
- CMMC-SC_L2-3_13_16. Data at rest
- HITRUST CSF-09_q. Information handling procedures
- FedRAMP-SC-28. Protection of information at rest
- ISA/IEC 62443-DC-4_1. Information confidentiality
- OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
- ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
- ISSAF-T_14_3. Web application assessment - Cookie manipulation
- OWASP SCP-8. Data protection
- BSAFSS-SM_3-1. Supply chain data is protected
- BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
- OWASP ASVS-1_8_2. Data protection and privacy architecture
- OWASP ASVS-8_2_1. Client-side data protection
- C2M2-9_5_b. Implement data security for cybersecurity architecture
- SIG Lite-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
- CASA-1_8_2. Data Protection and Privacy Architecture
- CASA-8_2_1. Client-side Data Protection
- CASA-8_2_2. Client-side Data Protection
Vulnerabilities
- 085. Sensitive data stored in client-side storage
- 283. Automatic information enumeration - Personal Information
- 351. Automatic information enumeration - Corporate information
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.