
XSS attacks can steal tokens #4

Open
Toerktumlare opened this issue Jun 15, 2021 · 0 comments

Toerktumlare commented Jun 15, 2021

Storing tokens in memory is a huge security risk when it comes to XSS attacks.

If a malicious actor manages to perform such an attack, the actor can use the client's token and do whatever requests are allowed for the currently logged-in user. This is why session cookies are used with the httpOnly flag active, so that JavaScript can't reach the session cookie.

Storing the token so that it is reachable by JavaScript is extremely dangerous.

The OWASP cheat sheet writes:

"Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag."

The same recommendation goes for the ApolloClient in memory cache.

Using JWT as a "session replacement" is in general bad practice.

As to why, it can be read here:

Stop Using JWT For Sessions
Stop Using JWT For Sessions part 2: why your solution doesn't work

Here are some general good practices for JWT:
JWT best practices

@Toerktumlare Toerktumlare changed the title Storing token in memory is a huge security risk. XSS attacks can steal tokens Jun 15, 2021
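The OWASP advice quoted in the issue, shown server-side as an added example that is not code from this issue or from the project it was filed against. It is plain Node.js with no framework; the cookie name `sid` and the function names are assumptions. The weak response hands the token to browser JavaScript in the body (to be kept in memory or local storage); the hardened one keeps it in an HttpOnly cookie only, and the audit helper checks any Set-Cookie value for the flags the issue asks for.

```javascript
// Added example, not part of the original issue. Cookie name and helper names are assumptions.
const SESSION_COOKIE = 'sid';

// Build a Set-Cookie value with the attributes OWASP recommends for session identifiers.
function buildSessionCookie(token, { maxAgeSeconds = 3600, secure = true } = {}) {
  const attrs = [
    `${SESSION_COOKIE}=${encodeURIComponent(token)}`,
    'HttpOnly',        // not readable via document.cookie, so an XSS payload cannot read it
    'SameSite=Strict', // not attached to cross-site requests (CSRF mitigation)
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) attrs.push('Secure'); // only sent over HTTPS; omit only for local dev without TLS
  return attrs.join('; ');
}

// Parse an incoming Cookie request header into { name: value }.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';')
      .map((p) => p.trim())
      .filter(Boolean)
      .map((p) => {
        const i = p.indexOf('=');
        return i < 0 ? [p, ''] : [p.slice(0, i), decodeURIComponent(p.slice(i + 1))];
      }),
  );
}

// Audit helper: does a Set-Cookie value carry HttpOnly, Secure and a SameSite policy?
function isHardenedSessionCookie(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim().toLowerCase());
  return parts.includes('httponly') && parts.includes('secure')
    && parts.some((p) => p.startsWith('samesite='));
}

// Weak login response: the token is in the JSON body, so client-side JS has to store it
// (in memory, an Apollo cache or localStorage), where any XSS payload can read it.
function weakLoginResponse(token) {
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ token }) };
}

// Hardened login response: the token travels only in the HttpOnly cookie; the body holds no secret.
function hardenedLoginResponse(token) {
  return { status: 204, headers: { 'Set-Cookie': buildSessionCookie(token) }, body: '' };
}
```

On a later request the server reads the session with `parseCookies(req.headers.cookie)[SESSION_COOKIE]`; browser code never handles the token at all.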