20 lines
943 B
Plaintext
20 lines
943 B
Plaintext
Session storage and local storage are HTML 5 features which allow developers to easily store megabytes of data client-side, as opposed to the 4Kb cookies can accommodate. While useful to speed applications up on the client side, it can be dangerous to store sensitive information this way because the data is not encrypted by default and any script on the page may access it.
|
|
|
|
|
|
This rule raises an issue when the ``++localStorage++`` and ``++sessionStorage++`` API's are used.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
localStorage.setItem("login", login); // Noncompliant
|
|
sessionStorage.setItem("sessionId", sessionId); // Noncompliant
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|
|
|