From 023a3d601535674698ded0b918a859d2a9ed965f Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Thu, 23 Jan 2025 13:00:26 +1000 Subject: [PATCH 1/3] Update to sensitive data in localstorage --- .../non_sensitive_token/template.md | 15 +++++---------- .../sensitive_token/template.md | 15 +++++---------- .../via_localstorage_sessionstorage/template.md | 15 +++++---------- 3 files changed, 15 insertions(+), 30 deletions(-) diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md index d8b4aad6..7393f61a 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md @@ -1,4 +1,4 @@ -Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a non-sensitive token in the local storage which is accessible by JavaScript. As a result, the token can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), allowing them to gather relevant user data and leverage this information to build phishing campaigns. +Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a non-sensitive token in the `localStorage`/`sessionStorage` which is accessible by JavaScript. As a result, the token can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), allowing them to gather relevant user data and leverage this information to build phishing campaigns. **Business Impact** 
@@ -6,18 +6,13 @@ This vulnerability can lead to data theft through the attacker’s ability to ac **Steps to Reproduce** -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} -1. Using the HTTP interception proxy, forward the following request: - -```HTTP -{{request}} -``` - -1. Observe the exposed sensitive token +1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage +1. Observe the exposed sensitive token: {{screenshot}} +1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} **Proof of Concept (PoC)** -The following screenshot shows the non-sensitive token exposed via the local storage: +The following screenshot shows the non-sensitive token exposed via the `localStorage`/`sessionStorage`: {{screenshot}} diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md index b5b3579c..27e5ae0c 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md 
@@ -1,4 +1,4 @@ -Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a sensitive token in the local storage which is accessible by JavaScript. As a result, the sensitive token can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally reset a legitimate user’s account password to one they control, successfully taking over the user’s account. +Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a sensitive token in the `localStorage`/`sessionStorage` which is accessible by JavaScript. As a result, the sensitive token can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally reset a legitimate user’s account password to one they control, successfully taking over the user’s account. **Business Impact** @@ -6,18 +6,13 @@ This vulnerability can lead to data theft through the attacker’s ability to ma **Steps to Reproduce** -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} -1. Using the HTTP interception proxy, forward the following request: - -```HTTP -{{request}} -``` - -1. Observe the exposed sensitive token +1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage +1. Observe the exposed sensitive token: {{screenshot}} +1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} **Proof of Concept (PoC)** -The following screenshot shows the sensitive token exposed via the local storage: +The following screenshot shows the sensitive token exposed via the `localStorage`/`sessionStorage`: {{screenshot}} 
diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md index aaa09c0e..5cf67d18 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md @@ -1,4 +1,4 @@ -Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses sensitive data in the local storage which is accessible by JavaScript. As a result, the sensitive data can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally access the sensitive data and use it in further attacks. +Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses sensitive data in the `localStorage`/`sessionStorage` which is accessible by JavaScript. As a result, the sensitive data can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally access the sensitive data and use it in further attacks. **Business Impact** 
@@ -6,18 +6,13 @@ This vulnerability can lead to data theft through the attacker’s ability to ac **Steps to Reproduce** -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} -1. Using the HTTP interception proxy, forward the following request: - -```HTTP -{{request}} -``` - -1. Observe the exposed sensitive data +1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage +1. Observe the exposed sensitive token: {{screenshot}} +1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} **Proof of Concept (PoC)** -The following screenshot shows the sensitive data exposed via the local storage: +The following screenshot shows the sensitive data exposed via the `localStorage`/`sessionStorage`: {{screenshot}} From be709240e82bf1e730f5d90c7f5ffe5270a7d5cd Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Fri, 24 Jan 2025 09:55:22 +1000 Subject: [PATCH 2/3] Updated wording in template.md --- .../non_sensitive_token/template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md index 7393f61a..d892ed57 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md 
@@ -9,7 +9,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Use a browser to navigate to: {{URL}} 1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage 1. Observe the exposed sensitive token: {{screenshot}} -1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} +1. In a new private browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to access a user's session or data: {{replace these brackets with a screenshot}} **Proof of Concept (PoC)** From 1a498d0826598f49b1bee31c7866a77f6d7b20f1 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Fri, 24 Jan 2025 09:56:23 +1000 Subject: [PATCH 3/3] Updated Steps to Reproduce --- .../via_localstorage_sessionstorage/sensitive_token/template.md | 2 +- .../via_localstorage_sessionstorage/template.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md index 27e5ae0c..3cd9788c 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md 
@@ -9,7 +9,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ma 1. Use a browser to navigate to: {{URL}} 1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage 1. Observe the exposed sensitive token: {{screenshot}} -1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} +1. In a new private browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to access a user's session or data: {{replace these brackets with a screenshot}} **Proof of Concept (PoC)** diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md index 5cf67d18..b6225d38 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md @@ -9,7 +9,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Use a browser to navigate to: {{URL}} 1. Right click on the page, select Inspect, then select Storage, then Local (or Session) Storage 1. Observe the exposed sensitive token: {{screenshot}} -1. In a new browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to generate a user session: {{screenshot}} +1. In a new private browser window, perform {{action}} to show that the token in `localStorage`/`sessionStorage` can be used to access a user's session or data: {{replace these brackets with a screenshot}} **Proof of Concept (PoC)**
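Review bot: in PATCH 1/3, first hunk of `non_sensitive_token/template.md` (`@@ -1,4 +1,4 @@`), the rewritten description still says the token "can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF)", but CSRF cannot read Web Storage: `localStorage`/`sessionStorage` is same-origin and only readable by script executing in that origin, so XSS (or another script-execution primitive) is the relevant vector, which is exactly what the two sibling templates in this same patch say. Suggest dropping "or Cross-Site Request Forgery (CSRF)" so the three files agree. Smaller point on the same line: "in the `localStorage`/`sessionStorage`" reads awkwardly with the article; "in `localStorage`/`sessionStorage`" is cleaner, and the PoC line in the next hunk has the same construction.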
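Review bot: in PATCH 1/3, second hunk of `non_sensitive_token/template.md` (`@@ -6,18 +6,13 @@`), the new step 3 reads "Observe the exposed sensitive token", which contradicts the file it lives in: the description and the PoC line in this same file both say "non-sensitive token". Change it to "Observe the exposed non-sensitive token". The new step 2 ("select Inspect, then select Storage, then Local (or Session) Storage") also assumes the Firefox DevTools layout; in Chromium-based browsers (Chrome, Edge) Web Storage sits under the "Application" panel, so naming both ("Storage in Firefox, or Application > Storage in Chrome/Edge") would save the researcher a guess.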
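Review bot: in PATCH 1/3, second hunk of `sensitive_token/template.md` (`@@ -6,18 +6,13 @@`), the new step 4 says "In a new browser window, perform {{action}} to show that the token ... can be used to generate a user session". A regular new window shares the cookies and storage of the already logged-in session, so performing the action there does not show that the token on its own granted access; the step needs a private window or a separate browser profile to be a meaningful proof. PATCH 2/3 and 3/3 in this series make that change, so it would be cleaner to squash that wording into this hunk rather than land the weaker step first.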
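Review bot: in PATCH 1/3, second hunk of the generic `via_localstorage_sessionstorage/template.md` (`@@ -6,18 +6,13 @@`), the replacement steps talk about a "token" ("Observe the exposed sensitive token", "the token in `localStorage`/`sessionStorage` can be used to generate a user session") while the line being removed, the description and the PoC line in this file all say "sensitive data". This is the parent template for any sensitive data in Web Storage, not only tokens, so the steps now assert an artifact that may not exist in a given report. Suggest "Observe the exposed sensitive data" and "show how the exposed data can be misused" here, and leave the token-specific wording to the two child templates.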
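Review bot: in PATCH 2/3, hunk `@@ -9,7 +9,7 @@` of `non_sensitive_token/template.md`, the new step 4 introduces the placeholder `{{replace these brackets with a screenshot}}` while step 3 two lines above and the PoC section of the same file still use `{{screenshot}}`; pick one placeholder convention per template (the rest of the repository's templates shown here use `{{screenshot}}`). On substance, this file is the non-sensitive-token template, whose description says the impact is gathering "relevant user data" for phishing, yet the reworded step asks the researcher to show the token "can be used to access a user's session or data"; a token that grants session access is by definition the sensitive case covered by `sensitive_token/template.md`. Suggest the step here ask the researcher to show what information the token discloses instead.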
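Review bot: in PATCH 3/3, hunk `@@ -9,7 +9,7 @@` of the generic `via_localstorage_sessionstorage/template.md`, the reworded step 4 still refers to "the token in `localStorage`/`sessionStorage`", but this file's description and PoC line speak of "sensitive data" in general; rewrite the step as "show that the exposed data can be used to access a user's session or data" so it matches the rest of the file. The same hunk also mixes `{{replace these brackets with a screenshot}}` in step 4 with `{{screenshot}}` in step 3 of the same list; keep one placeholder style.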