🧠 Description

Web applications often store sensitive data such as JWTs, session tokens, API keys or user profile information in the browser's localStorage or sessionStorage. Both are plain key/value stores with no HttpOnly equivalent: any JavaScript running in the same origin can read every entry. A single XSS flaw (or any other script that ends up executing in the page) is therefore enough to read and exfiltrate everything stored there.

Impact: XSS Token Theft, Account Takeover, Session Hijacking

🎯 Attack Surface

  • XSS that reads localStorage/sessionStorage and exfiltrates the tokens
  • Compromised or malicious third-party scripts loaded into the page (they run with same-origin access, no XSS needed)
  • Malicious browser extensions with access to page storage
  • XSS in any same-origin page, including content rendered in iframes, since Web Storage is shared per origin
  • Physical access to an unlocked browser (DevTools, or the profile directory where localStorage persists on disk)

🔍 Detection

  • Open DevTools > Application > Local Storage (and Session Storage) for the application's origin
  • Look for keys such as token, jwt, auth, session, user, email, api_key, and for values shaped like JWTs (three base64url segments separated by dots)
  • Console: Object.keys(localStorage) lists every key; localStorage.getItem('token') reads a suspected one; repeat for sessionStorage
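The manual checks above can be scripted. The following is an added example, not code from the original page: a scanner that walks a Storage object, flags sensitive-looking key names and JWT-shaped values, and decodes the JWT payload to see whether the stored token is still live. In a browser console call auditBrowserStorage(); in Node it runs against a constructed in-memory sample (the MemoryStorage stub, the sample token and the key names are assumptions made for the example).

```javascript
// Added example (not code from the original page): enumerate Web Storage and
// flag entries that look like secrets. In a browser console call
// auditBrowserStorage(); in Node it runs against the constructed sample below.

const SENSITIVE_KEY_RE = /token|jwt|auth|session|user|email|api[_-]?key|secret|password/i;
// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;

// base64url helpers that work in both the browser (atob/btoa) and Node (Buffer).
function toB64url(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('utf8');
}

// Decode the JWT payload without verifying the signature; this is
// reconnaissance of what the app stores, not authentication.
function decodeJwtPayload(token) {
  try { return JSON.parse(fromB64url(token.split('.')[1])); } catch { return null; }
}

// `storage` is anything exposing length / key(i) / getItem(k): the real
// localStorage and sessionStorage objects, or the in-memory stub below.
function scanStorage(storage, label) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const reasons = [];
    if (SENSITIVE_KEY_RE.test(key)) reasons.push('sensitive key name');
    if (JWT_RE.test(value)) {
      reasons.push('JWT-shaped value');
      const claims = decodeJwtPayload(value);
      if (claims && typeof claims.exp === 'number') {
        reasons.push(claims.exp * 1000 < Date.now() ? 'expired JWT' : 'live JWT');
      }
    }
    if (reasons.length) findings.push({ storage: label, key, reasons });
  }
  return findings;
}

// Browser entry point: covers both stores of the current origin.
function auditBrowserStorage() {
  return scanStorage(localStorage, 'localStorage').concat(scanStorage(sessionStorage, 'sessionStorage'));
}

// Minimal Storage-compatible stub so the scanner can be exercised offline (assumption for the example).
class MemoryStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Constructed sample: a JWT with a far-future exp (2100-01-01) so the result is
// deterministic; the signature segment is a placeholder, not a real signature.
const SAMPLE_TOKEN = [
  toB64url('{"alg":"HS256","typ":"JWT"}'),
  toB64url('{"sub":"42","exp":4102444800}'),
  'placeholdersignature0000',
].join('.');
const sampleLocalStorage = new MemoryStorage({
  theme: 'dark',
  access_token: SAMPLE_TOKEN,
  user: '{"email":"alice@example.com"}',
});

function auditSample() {
  return scanStorage(sampleLocalStorage, 'localStorage');
}
```

Against the sample, auditSample() reports access_token (sensitive name, JWT-shaped, still live) and user (sensitive name) and ignores theme. The point of decoding exp is triage: an expired token in storage is a hygiene problem, a live one is an account-takeover risk the moment an XSS bug appears.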

🛡️ Mitigation

✅ Keep session tokens out of script-readable storage: issue them as cookies flagged HttpOnly, Secure and SameSite. JavaScript, and therefore XSS, cannot read an HttpOnly cookie. Caveat: XSS can still make authenticated requests from the victim's page, so XSS prevention and a Content Security Policy remain necessary.

✅ Encrypting data before storing it only protects against someone reading the stored bytes offline (for example from the browser profile on disk). It does not help against XSS, because the decryption key has to be available to the same JavaScript context the attacker's script runs in.

✅ Use short-lived access tokens (and rotate refresh tokens) so a stolen token is only useful for a limited window.

✅ Prefer sessionStorage over localStorage for temporary data: it is cleared when the tab closes and is not shared across tabs, which limits persistence. It is just as readable by same-origin script as localStorage, so it is not an XSS mitigation on its own.
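What the first mitigation looks like on the server, as an added example that is not code from the original page: a Node.js login handler that mints a random session id, keeps the session state server-side, and returns the id only as an HttpOnly, Secure, SameSite cookie with a bounded lifetime, plus a small checker for auditing any Set-Cookie value. The endpoint, user name, port and session store are assumptions made for the example.

```javascript
// Added example (not code from the original page): issue the session token as
// an HttpOnly cookie instead of handing it to JavaScript. Node.js, built-in
// modules only; the endpoint, user name and session store are hypothetical.

const SESSION_TTL_SECONDS = 15 * 60; // short lifetime bounds the damage if a cookie ever leaks

// Build the Set-Cookie value. The attributes are the whole point:
//   HttpOnly       not visible to document.cookie, so XSS cannot read it
//   Secure         only sent over HTTPS
//   SameSite       withheld from cross-site requests (CSRF defence); use Lax
//                  if top-level navigations from other sites must carry the session
//   Max-Age        bounded lifetime
//   __Host- prefix the browser rejects the cookie unless it is Secure, has no
//                  Domain attribute and has Path=/
function sessionCookie(sessionId, maxAgeSeconds = SESSION_TTL_SECONDS) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('session id must be cookie-safe');
  return `__Host-session=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}

// Headers for a successful login. CSP is defence in depth: it makes injected
// inline script harder to run even if an XSS bug exists.
function loginResponseHeaders(sessionId) {
  return {
    'Set-Cookie': sessionCookie(sessionId),
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Cache-Control': 'no-store',
  };
}

// Audit an arbitrary Set-Cookie value; returns the missing attributes
// (empty array means the cookie is hardened). Useful in a test suite or
// when reviewing a captured response.
function missingCookieAttributes(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  if (!attrs.some((a) => a.startsWith('max-age=') || a.startsWith('expires='))) missing.push('Max-Age/Expires');
  return missing;
}

// Minimal server: POST /login mints a random id, stores session state
// server-side and returns only the cookie. Run with START_SERVER=1 node file.js
// and put it behind TLS, otherwise the browser will not accept the Secure cookie.
const sessions = new Map();
function startServer(port) {
  const http = require('http');
  const crypto = require('crypto');
  return http.createServer((req, res) => {
    if (req.method === 'POST' && req.url === '/login') {
      const id = crypto.randomBytes(32).toString('hex'); // 256 bits, unguessable
      sessions.set(id, { user: 'alice', createdAt: Date.now() }); // hypothetical user
      res.writeHead(204, loginResponseHeaders(id));
      return res.end();
    }
    res.writeHead(404);
    res.end();
  }).listen(port);
}

if (process.env.START_SERVER) startServer(8080);
```

The id is an opaque random value, so nothing of value lives in the cookie itself; the server-side map decides what it means and can revoke it at any time. missingCookieAttributes() is the check to run against your own application's responses: a cookie that comes back without HttpOnly is readable by the same XSS that would have read localStorage.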