Consider not storing sensitive information on LocalStorage if the tradeoff pays off #36

lealceldeiro · 2020-04-11T07:31:39Z

Describe the bug
Sensitive information stored in the local-storage can be stolen by using an XSS attack

To Reproduce

Follow attack demos in the linked source

Expected behavior
Do not store sensitive information such as username, security tokens, etc, in local storage.

Instead it can be used:

Cookies and use the HTTPOnly and Secure flags
Session storage

Additional context
Consider modifying some of the classes involved in the front-end in storing this kind of sensitive information. i.e.:

SessionService

The text was updated successfully, but these errors were encountered:

lealceldeiro · 2020-04-11T07:38:21Z

A good source of other references link is https://stackoverflow.com/a/35347022/5640649

lealceldeiro added bug client Issues related to the frontend. labels Apr 11, 2020

lealceldeiro self-assigned this Apr 11, 2020

lealceldeiro changed the title ~~Do not store sensitive information on LocalStorage~~ Consider not storing sensitive information on LocalStorage if the tradeoff pays off Apr 11, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Consider not storing sensitive information on LocalStorage if the tradeoff pays off #36

Consider not storing sensitive information on LocalStorage if the tradeoff pays off #36

lealceldeiro commented Apr 11, 2020

lealceldeiro commented Apr 11, 2020

Consider not storing sensitive information on LocalStorage if the tradeoff pays off #36

Consider not storing sensitive information on LocalStorage if the tradeoff pays off #36

Comments

lealceldeiro commented Apr 11, 2020

lealceldeiro commented Apr 11, 2020