Transferring values between localStorage and sessionStorage can unwittingly expose sensitive information.
HTML5 provides the localStorage and sessionStorage maps so that developers can persist program values in the browser. The sessionStorage map provides storage for the invoking page that lasts only for the duration of the page session: it is scoped to a single tab or window and is discarded when that tab is closed. The localStorage map, however, provides storage that is shared by all pages of the same origin across multiple tabs, windows, and browser sessions, and it persists until the application or the user removes it. This functionality allows an application to persist and use the same information in multiple browser tabs or windows.
For example, a travel application may want to let a user open multiple tabs to compare accommodations while still maintaining the user's original search criteria. In the traditional scenario, where state is kept in the server-side session or in cookies, the user risks purchases and decisions made in one tab interfering with purchases in another tab.
With the ability to use values across multiple browser tabs comes the responsibility not to move sensitive information from the sessionStorage scope into localStorage, or vice versa.
Example: The following example stores the credit card CCV in sessionStorage to indicate that the user has already authorized the site to charge the card on file for a purchase. Credit card approval is required for each purchase attempt within the context of the browser tab, so to avoid asking for the CCV again the value is kept in the sessionStorage object. However, the developer then also copies the value into the localStorage object.
...
// Step 1: the CCV entered for this purchase is kept for the life of the tab.
try {
    sessionStorage.setItem("userCCV", currentCCV);
} catch (e) {
    // Web Storage raises a DOMException named QuotaExceededError when the area is full.
    if (e.name === "QuotaExceededError") {
        alert('Quota exceeded.');
    }
}
...
// Step 2 (the flaw): the per-tab secret is copied into the shared, persistent area.
var retrieveObject = sessionStorage.getItem("userCCV");
try {
    localStorage.setItem("userCCV", retrieveObject);
} catch (e) {
    if (e.name === "QuotaExceededError") {
        alert('Quota exceeded.');
    }
}
...
// Step 3: later reads come from localStorage, so any tab or browser session sees the value.
var userCCV = localStorage.getItem("userCCV");
...
By storing the CCV in the localStorage object, the developer makes it available in other browser tabs and in new invocations of the browser, which bypasses the application logic for the intended per-tab approval workflow. Because localStorage is written to disk and shared by every page of the same origin, the value also outlives the session and can be read by any script running on that origin.

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 501
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[7] Standards Mapping - FIPS200 - (FISMA) SI