ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3271/javascript/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

55 lines
2.1 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Session storage and local storage are HTML 5 features which allow developers to easily store megabytes of data client-side, as opposed to the 4Kb cookies can accommodate. While useful to speed applications up on the client side, it can be dangerous to store sensitive information this way because the data is not encrypted by default and any script on the page may access it.
This rule raises an issue when the ``++localStorage++`` and ``++sessionStorage++`` API's are used.
=== Noncompliant code example
[source,javascript]
----
localStorage.setItem("login", login); // Noncompliant
sessionStorage.setItem("sessionId", sessionId); // Noncompliant
----
== Resources
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Remove all use of ["localStorage"|"sessionStorage"]; use a cookie or store the data on the server instead.
'''
== Comments And Links
(visible only on this page)
=== on 15 Jul 2015, 12:05:37 Ann Campbell wrote:
\[~linda.martin] please take note of SQALE as you review. From a practical standpoint I'm imagining one issue per file (on first use?) with cost incremented per use of the API. Usually we use linear-with-offset for things related to size, but fixing this will require a large initial investment in design and implementation of a different approach, and then incremental effort to address each use of the API.
Do you agree that this is appropriate? Or should we just assess one high cost per file?
=== on 17 Aug 2015, 10:17:49 Linda Martin wrote:
\[~ann.campbell.2] I agree, looks fair to me
=== on 10 Jan 2020, 10:16:41 Eric Therond wrote:
Should be deprecated because:
* No compliant solution to propose
* Could be noisy, localStorage / sessionStorage use is very common
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink