Via Localstorage sessionstorage

Sensitive Data Exposed in Local or Session Storage

Overview of the Vulnerability

Local storage (also referred to as offline, web, or session storage) is a browser-side storage mechanism whose implementation varies from one user agent to the next. This application places sensitive data in local storage, where it is readable by any JavaScript running in the page's origin. As a result, an attacker who can execute script in that origin, for example through Cross-Site Scripting (XSS), can read the sensitive data and use it in further attacks.

Business Impact

This vulnerability can lead to data theft, since an attacker with access to the application's local storage can read and manipulate the sensitive data held there. Such malicious actions can result in reputational damage for the business through the loss of customers' trust.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Using the HTTP interception proxy, forward the following request:

{{request}}

  4. Observe the exposed sensitive data

Proof of Concept (PoC)

The following screenshot shows the sensitive data exposed via the local storage:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.

For sensitive data exposure, take a screenshot of the data that is being exposed. If the data includes PII, do not access the data as there are legal consequences for doing so.

Describe the impact of the sensitive data being exposed; do your best to explain what the exposure of this particular data may mean for the company.

Recommendation(s)

The application should securely transmit sensitive tokens, such as session identifiers, and information related to users' authentication or personal data, rather than placing them in local or session storage. This can be achieved by carrying the tokens in HTTP cookies, or in hidden form fields submitted using the HTTP POST method.

It is recommended to encrypt sensitive data both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.

Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.
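The following is an added example, not part of the original template, showing the defender's side of this recommendation: a small audit routine that flags sensitive-looking entries in Web Storage, and the hardened alternative of issuing the session identifier in an HttpOnly cookie. The audit accepts any Storage-like object (`length`, `key(i)`, `getItem(k)`), so it works against `window.localStorage` in a browser console and, as here, against a constructed stand-in; the key-name and JWT-shape patterns are assumptions chosen for illustration.

```javascript
// Added example (not from the original template): audit Web Storage for
// sensitive-looking entries, and build a hardened session cookie header.

// Key names that commonly hold secrets (assumed pattern, tune per application).
const SENSITIVE_KEY = /(token|jwt|session|auth|secret|password|ssn|card)/i;
// Three base64url segments separated by dots: the shape of a JWS/JWT.
const JWT_SHAPE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;

// Returns one finding per suspicious entry; empty array means nothing flagged.
function auditWebStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = String(storage.getItem(key));
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('key name suggests a secret');
    if (JWT_SHAPE.test(value)) reasons.push('value looks like a JWT');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Hardened alternative: the session identifier travels in a cookie that page
// script cannot read (HttpOnly), is sent only over TLS (Secure) and is not
// attached to cross-site requests (SameSite=Strict).
function sessionCookieHeader(name, value, maxAgeSeconds = 3600) {
  // Only token characters are accepted, so separators cannot be injected.
  if (!/^[A-Za-z0-9_.-]+$/.test(value)) {
    throw new Error('cookie value must contain only token characters');
  }
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed stand-in for window.localStorage (sample data, not real tokens).
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}

const sampleStorage = makeStorage({
  theme: 'dark',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJlLWV4YW1wbGU',
  cartId: 'c-1234',
});

console.log(auditWebStorage(sampleStorage));
console.log(sessionCookieHeader('sid', 'abc123'));
```

In a real review, run `auditWebStorage(window.localStorage)` and `auditWebStorage(window.sessionStorage)` in the browser console after logging in; any finding is an entry that should move server-side or into an HttpOnly cookie.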

For more information, refer to the Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
