R329. Keep client-side storage without sensitive data

Requirement

Personal, sensitive and session data must not be stored in the client-side storage (localStorage, sessionStorage, cookies without security attributes, mobile device unencrypted storage, etc.).

Description

Data placed in the localStorage persists after a session is closed and thus, any actor with access to the browser will be able to obtain it. Furthermore, data in the localStorage or in the sessionStorage is visible to scripts that are running on the browser, and these scripts could belong to malicious third-parties. Therefore, no sensitive or session information should be stored in the client-side storage.

References

  1. CAPEC-74: Manipulating State. The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.

  2. CWE-922: Insecure Storage of Sensitive Information The software stores sensitive information without properly limiting read or write access by unauthorized actors.

  3. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  4. GDPR. Art. 5: Principles relating to processing of personal data.(1)(f). Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

  5. GDPR. Recital 51: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.

  6. ISO 27001:2013. Annex A - 18.1.3 Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.

  7. NIST 800-63B 7.1 Session Bindings Secrets used for session binding SHOULD NOT be placed in insecure locations such as HTML5 Local Storage due to the potential exposure of local storage to cross-site scripting (XSS) attacks.

  8. OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

  9. OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection.(8.2.2) Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy