Insecure Data Storage
Overview of the Vulnerability
Insecure data storage can occur on both the client and server side of an application. When application data is stored insecurely it can be discovered and used maliciously. An attacker with access to this application's insecurely stored data can use it to gather further information about users and the application, and to perform further attacks.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the loss of customers’ trust.
Steps to Reproduce
Log in to the application and input data so that it is stored by the application
Navigate to where the application stores the gathered information
Navigate to {{url}}
Observe the application data that is stored unencrypted
Proof of Concept (PoC)
The screenshots below demonstrate the insecure data storage:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot of how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For insecure data storage findings, please include a screenshot of the data being stored unencrypted by the application.
Attempt to abuse the insecure data storage by demonstrating that the unencrypted data could be used by a malicious attacker in some impactful way. If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
Where possible, do not store sensitive data. If sensitive data must be stored, it should be encrypted at rest and in transit to and from the application.
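To make the recommendation concrete, the following is an added example (not part of this template or any product it describes) showing the hardened form of storage: a serialized record is sealed with AES-256-GCM under a key held outside the data store before it is persisted, and it is authenticated on read so a wrong key or tampered blob is rejected. The function names, the 32-byte key and the record contents are assumptions made for the example; the "observe the data stored unencrypted" check from the steps above is then a search of the stored bytes for the secret, which succeeds against plaintext JSON and fails against the sealed blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-256-GCM from a 32-byte key that must live outside the
// data store (OS keystore, KMS, injected secret), never beside the data.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForStorage returns nonce||ciphertext||tag, which is what gets written
// to disk or a database instead of the plaintext record. GCM authenticates,
// so a wrong key or a tampered blob is rejected on open, not decrypted to garbage.
func sealForStorage(plaintext, key []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// openFromStorage reverses sealForStorage; any error means the stored data
// must not be trusted or used.
func openFromStorage(blob, key []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("stored blob shorter than nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
```

The key itself must never be written into the same store or shipped in the client binary; if it is, the data is only obfuscated, not protected.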