Details
Alert ID 120001-2
Alert Type Client Passive
Status alpha
Risk Low
CWE 359
WASC 13
Technologies Targeted All
Tags CWE-359
More Info Scan Rule Help

Summary

Sensitive Information appears to have been stored in browser sessionStorage. This can violate PCI and most organizational compliance policies. For more details see the Client tabs - this information was set directly in the browser and will therefore not necessarily appear in this form in any HTTP(S) messages.

Solution

Do not store sensitive information in browser storage.

Other Info

The following data (key=value) was set which matches the pattern for email addresses: key=value Note that alerts will only be raised once for each URL + key.

References

Code

org/zaproxy/addon/client/pscan/SensitiveInfoInStorageScanRule.java