- Testing for Logout Functionality (OWASP, WSTG-SESS-06)
If access tokens and refresh tokens are used, see tokens in OAuth. The refresh token should be invalidated at logout.
Reporting
| Metric | Value |
| --- | --- |
| CVSS Score v3 | 4.3 |
| CVSS Vector v3 | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N&version=3.1 |
English
| Field | Content |
| --- | --- |
| Title | Logout functionality leaving sensitive information |
| Description | When using the logout functionality of the application, some sensitive information remains in the cookies, local storage and session storage (e.g. userid). |
| Steps to reproduce | Log into the application. Using the browser Inspector (Firefox was used during the tests), inspect the cookies, local storage and session storage to see whether the logout functionality left sensitive information behind. Log out. Include screenshots. |
| Remediation | It is recommended to remove sensitive information from cookies, local storage and session storage when the user logs out of the application. The difficulty of fixing this vulnerability is assessed as “Simple”. |
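The following is an added example, not code from the original page or from any application it describes. It shows the two sides of the finding above: a client-side logout routine that wipes local storage, session storage and script-readable cookies and asks the server to revoke the refresh token (the point made about OAuth tokens earlier), and a post-logout audit of the kind the "Steps to reproduce" describe, which lists any remaining keys whose names look sensitive. The names `SENSITIVE_KEY_PATTERNS`, `clientLogout`, `auditClientState`, `makeMemoryStorage` and `makeMemoryCookieJar` are assumptions; the in-memory storage and cookie jar exist only so the example runs outside a browser, where `window.localStorage`, `window.sessionStorage` and `document.cookie` would be passed instead.

```javascript
// Added example (not from the original page). Names below are assumptions.

// Key names that, if still present after logout, count as a finding.
const SENSITIVE_KEY_PATTERNS = [/user.?id/i, /token/i, /session/i, /jwt/i, /auth/i];

// In-memory stand-in for window.localStorage / sessionStorage (constructed),
// exposing the same getItem/setItem/removeItem/key/length/clear surface.
function makeMemoryStorage() {
  const map = new Map();
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
    clear() { map.clear(); },
  };
}

// Enumerate keys through the Storage interface (works for real and fake stores).
function storageKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

// Cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';').map(s => s.trim()).filter(Boolean).map(s => s.split('=')[0]);
}

// Clears client-side state at logout. `cookieJar.read()` returns the document.cookie
// string and `cookieJar.write(s)` assigns to it. `revokeRefreshToken` is the caller's
// hook for the server-side revocation call; HttpOnly cookies are not reachable from
// script, so that same endpoint must expire them with Set-Cookie.
function clientLogout({ localStorage, sessionStorage, cookieJar, revokeRefreshToken }) {
  const removed = { local: storageKeys(localStorage), session: storageKeys(sessionStorage), cookies: [] };
  localStorage.clear();
  sessionStorage.clear();
  for (const name of cookieNames(cookieJar.read())) {
    // Setting an expiry in the past deletes a script-readable cookie.
    cookieJar.write(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
    removed.cookies.push(name);
  }
  revokeRefreshToken();
  return removed;
}

// Post-logout audit: returns findings such as "localStorage:userId".
function auditClientState({ localStorage, sessionStorage, cookieString }) {
  const findings = [];
  const check = (where, names) => {
    for (const n of names) if (SENSITIVE_KEY_PATTERNS.some(p => p.test(n))) findings.push(`${where}:${n}`);
  };
  check('localStorage', storageKeys(localStorage));
  check('sessionStorage', storageKeys(sessionStorage));
  check('cookie', cookieNames(cookieString));
  return findings;
}

// Minimal document.cookie simulation (constructed): honours a past `expires` attribute.
function makeMemoryCookieJar(initial) {
  const jar = new Map(initial);
  return {
    read() { return Array.from(jar, ([k, v]) => `${k}=${v}`).join('; '); },
    write(s) {
      const [pair, ...attrs] = s.split(';').map(x => x.trim());
      const [k, v] = pair.split('=');
      const expired = attrs.some(a => /^expires=/i.test(a) && new Date(a.slice(8)) < new Date());
      if (expired) jar.delete(k); else jar.set(k, v);
    },
  };
}

// Demo with constructed data: audit before logout, log out, audit again.
function demo() {
  const localStorage = makeMemoryStorage();
  const sessionStorage = makeMemoryStorage();
  localStorage.setItem('userId', '12345');          // sensitive
  localStorage.setItem('theme', 'dark');            // harmless preference
  sessionStorage.setItem('access_token', 'eyJ...'); // sensitive
  const cookieJar = makeMemoryCookieJar([['session_hint', 'abc'], ['lang', 'en']]);
  const before = auditClientState({ localStorage, sessionStorage, cookieString: cookieJar.read() });
  let revoked = false;
  clientLogout({ localStorage, sessionStorage, cookieJar, revokeRefreshToken: () => { revoked = true; } });
  const after = auditClientState({ localStorage, sessionStorage, cookieString: cookieJar.read() });
  return { before, after, revoked };
}
```

In a real page, `revokeRefreshToken` would be something like a `fetch` to the server's revocation endpoint; the audit function is the automated form of the manual Inspector check, and a non-empty result after logout is exactly the finding reported above.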