Local IndexedDB in Browser - is it really a security risk?



  • We have a web application that stores cached information in the browser (both in Firefox and Chrome).

    When we subjected it to Penetration Testing, a finding was filed saying that "Sensitive Data such as Database Name, Storage and Version were found stored in the local IndexedDB".

    Although clicking each DB does not reveal any information inside it.

    My question is - is this really an issue? As far as I know, the Database Name, Storage and Version are like autogenerated information and not really sensitive information from the application.

    Can anyone help us and shed some light on this?



  • When we subjected it to Penetration Testing, a finding was filed saying that "Sensitive Data such as Database Name, Storage and Version were found stored in the local IndexedDB".

    The people who performed your pen test should be providing you with some evidence, screenshot, full/redacted values they obtained. It is possible they just ran an automated tool that saw some form of local storage and they just complained about that in general. I would go back and ask them to clarify exactly what they found and why it's a problem.

    As client-side storage, I would assume the data present will depend on the client and what they were doing in the app. The DB may be empty when you visit, but maybe the account they used for their attack had access to other data.

    If you have third-party JavaScript which is allowed to read from IndexedDB and you store an API key or something like that there, then the third-party script could obtain it, in contrast to using a cookie with the HttpOnly attribute.
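    An added example (not code from the question or the answer): a snippet the app owner can paste into the DevTools console on their own origin to see exactly what any script on the page can read from IndexedDB, namely database names, versions, object store names and record counts. That is the evidence the pen-test finding should be judged on. It assumes `indexedDB.databases()` is available (Chrome, Edge, Firefox 126+); the `auditIndexedDB` and `summarizeAudit` names are mine.

```javascript
// Wrap a single IDBRequest in a Promise so the audit can be written with async/await.
function requestToPromise(req) {
  return new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

// Enumerate every database reachable from this origin and count the records in
// each object store. Takes the indexedDB object as a parameter so it can be
// exercised outside a browser; pass the global `indexedDB` in DevTools.
async function auditIndexedDB(idb) {
  const report = [];
  for (const { name, version } of await idb.databases()) {
    // Opening without a version never fires onupgradeneeded, so the schema is untouched.
    const db = await requestToPromise(idb.open(name));
    const stores = [];
    for (const storeName of Array.from(db.objectStoreNames)) {
      // One read-only transaction per store keeps each count() independent.
      const store = db.transaction(storeName, "readonly").objectStore(storeName);
      stores.push({ name: storeName, count: await requestToPromise(store.count()) });
    }
    db.close();
    report.push({ name, version, stores });
  }
  return report;
}

// Pure helper over the report: database names and versions are visible to every
// script on the origin (first- or third-party), but only populated stores can hold
// application data such as tokens or cached records. Unlike an HttpOnly cookie,
// nothing in IndexedDB is hidden from script.
function summarizeAudit(report) {
  const populated = report.filter(d => d.stores.some(s => s.count > 0));
  return {
    databases: report.length,
    metadataOnly: populated.length === 0,
    populated: populated.map(d => d.name),
  };
}

// In a browser, run the audit and print it; in Node there is no indexedDB global.
if (typeof indexedDB !== "undefined") {
  auditIndexedDB(indexedDB).then(report => {
    console.table(report.flatMap(d => d.stores.map(s => ({ db: d.name, version: d.version, ...s }))));
    console.log(summarizeAudit(report));
  });
}
```

    If `metadataOnly` is true for the account the testers used, the finding reduces to database names and versions being visible, which every IndexedDB database on any site exposes; a populated store is where to look for what a third-party script could actually read.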


