The Client Side Integration add-on supports passive scanning of the data streamed from the browser.
The following rules are included in this add-on:
This rule reports any information stored in browser localStorage and sessionStorage.
This is not unusual or necessarily unsafe: these informational alerts are raised to help you understand what the application is doing on the client side.
The alert parameter will be the storage key used. An alert will only be raised once for each URL + key.
Latest code: InformationInStorageScanRule.java
Alert ID: 120000.
This rule reports any sensitive information stored in browser localStorage and sessionStorage.
Browser storage is readable by any script running on the origin, so keeping such data there can violate PCI DSS and most organizational compliance policies.
Potentially sensitive information identified includes:
The alert parameter will be the storage key used. An alert will only be raised once for each URL + key.
Latest code: SensitiveInfoInStorageScanRule.java
Alert ID: 120001.
This rule reports any JWTs stored in browser localStorage and sessionStorage.
JWTs are commonly stored in sessionStorage, which is scoped to the browsing tab and cleared when it closes, so these are raised as Informational alerts.
JWTs should not typically be stored in localStorage, which persists across browser sessions and remains readable by any script on the origin, so these are raised as Medium alerts.
The alert parameter will be the storage key used. An alert will only be raised once for each URL + key.
Latest code: JwtInStorageScanRule.java
Alert ID: 120002.