Leakage of sensitive data in local storage

  • Rule ID: javascript_lang_session
  • Languages: javascript
  • Source: session.yml

Description

Storing sensitive data in localStorage is a security risk. Anything written to localStorage (credentials, session tokens, personal data such as email addresses) is readable by any JavaScript running on the same origin, so a single cross-site scripting (XSS) flaw or a compromised third-party script can read it out. The data also persists on disk across tabs and browser sessions until it is explicitly removed, which widens the window in which it can be taken. This rule flags code that writes such values into localStorage.

Remediations

  • Do not store sensitive data in localStorage. Any script on the origin can read it, and it stays on disk until removed.
    localStorage.setItem('user', email); // unsafe
  • Do keep session data on the server and reference it from the browser with a server-managed session cookie (marked HttpOnly so page scripts cannot read it). The sensitive values then never reach client-side storage.
  • Do store only non-sensitive data in localStorage, such as an opaque unique identifier that reveals nothing on its own and is useless without the server-side session.
    localStorage.setItem('user', user.uuid);
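The following is an added example, not code from Bearer or from this rule's definition. It puts the unsafe and the safe pattern side by side and shows why the rule matters: `dumpLocalStorage()` is what any script on the origin (for instance one injected through XSS) can read. Node has no `window.localStorage`, so a minimal in-memory stand-in is constructed here; the user record, the `serverSessions` map and the `sid-…` session id format are constructed for the demo and are assumptions, not anything the rule prescribes.

```javascript
// Added example, not Bearer's own code. Node has no window.localStorage, so a
// minimal in-memory Storage stand-in is constructed below; a real browser
// localStorage behaves the same way for what this example shows.
function makeMemoryStorage() {
  const store = new Map();
  return {
    setItem(key, value) { store.set(String(key), String(value)); },
    getItem(key) { return store.has(String(key)) ? store.get(String(key)) : null; },
    removeItem(key) { store.delete(String(key)); },
    clear() { store.clear(); },
    key(index) { return Array.from(store.keys())[index] ?? null; },
    get length() { return store.size; },
  };
}
const localStorage = makeMemoryStorage();

// Constructed sample data: a user record and the values that must stay off the client.
const user = {
  uuid: '3f1c9c9a-7d0e-4b4c-9b1e-2d5a6f7c8e90',
  email: 'alice@example.com',
  sessionToken: 'constructed-session-token-do-not-use',
};

// Unsafe (what the rule flags): PII and a session token are written to localStorage.
function unsafeLogin(u) {
  localStorage.setItem('user', u.email);         // unsafe
  localStorage.setItem('token', u.sessionToken); // unsafe
}

// Stand-in for the server side (assumption for the demo): session state lives
// here, keyed by an opaque id the server would deliver as an HttpOnly cookie.
const serverSessions = new Map();
function serverCreateSession(u) {
  const sessionId = `sid-${serverSessions.size + 1}`; // opaque, carries no user data
  serverSessions.set(sessionId, { email: u.email, token: u.sessionToken });
  return sessionId;
}

// Safe: only a non-sensitive identifier is persisted client-side; everything
// sensitive stays in the server-side session.
function safeLogin(u) {
  localStorage.setItem('user', u.uuid);
  return serverCreateSession(u);
}

// Everything a script running on the origin (e.g. injected via XSS) can read.
function dumpLocalStorage() {
  const out = {};
  for (let i = 0; i < localStorage.length; i++) {
    const k = localStorage.key(i);
    out[k] = localStorage.getItem(k);
  }
  return out;
}

// Keys whose stored value is one of the known secrets. A crude check of the
// kind a test suite can run to make sure no sensitive value ends up client-side.
function leakedKeys(dump, secrets) {
  return Object.keys(dump).filter((k) => secrets.includes(dump[k]));
}

// Run both flows and report which keys leak in each case.
function demo() {
  const secrets = [user.email, user.sessionToken];
  localStorage.clear();
  unsafeLogin(user);
  const unsafeLeaks = leakedKeys(dumpLocalStorage(), secrets);
  localStorage.clear();
  safeLogin(user);
  const safeLeaks = leakedKeys(dumpLocalStorage(), secrets);
  return { unsafeLeaks, safeLeaks };
}
```

In the unsafe flow both the `user` and `token` keys hold secrets that an injected script can exfiltrate; in the safe flow localStorage holds only the uuid, and the email and token are reachable only through the server-side session.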

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_session

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_session