canjs / can-local-store

A localstorage database
https://canjs.com/doc/can-local-store.html
MIT License

Important for Security write-up that no Confidential Data gets stored #1

Open frank-dspeed opened 5 years ago

frank-dspeed commented 5 years ago

We need to point out as an important note that you should never store sensitive stuff like credentials in localStorage! No JWT at all. I know this is not a direct issue of this, but it will help a lot to make the web a better place. Credentials and sensitive data need to be stored securely in memory or in a secured cookie.

Here are some good resources to read through:

http://cryto.net/%7Ejoepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
https://www.infoworld.com/article/3184582/security/critical-flaw-alert-stop-using-json-encryption.html
https://hn.nuxtjs.org/item/16748400 (read lvh comments)
https://github.com/paragonie/paseto (a token implementation designed to work around JWT cryptographic flaws)
https://paragonie.com/blog/2018/03/paseto-platform-agnostic-security-tokens-is-secure-alternative-jose-standards-jwt-etc
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

When is local storage compromised? Read through the OWASP Top 10: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf (XSS has been one of the top 10 web exploits since 2013 and likely far before).
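The point above, modelled as an added example that is not code from can-local-store or from either commenter: a tiny model of one browser origin with a script-readable `localStorage` and a cookie jar that, as real browsers do, hides `HttpOnly` cookies from `document.cookie`. `weakLogin` persists a token the way the comment warns against; `hardenedLogin` keeps nothing in storage, issues the session only as an `HttpOnly; Secure; SameSite` cookie, and holds any short-lived token in memory. All names (`OriginModel`, `buildSetCookie`, `weakLogin`, `hardenedLogin`, the `sid` cookie, the `tok123` value) are hypothetical.

```javascript
// Added example (hypothetical names, not from can-local-store): why a
// credential must not live in localStorage. A script that runs in the origin
// (for instance via XSS) can read everything in localStorage and every
// non-HttpOnly cookie; an HttpOnly cookie is invisible to it.

const SESSION_COOKIE = "sid"; // hypothetical cookie name

// Build a Set-Cookie header value for a session identifier and refuse to
// weaken the attributes a credential-bearing cookie needs.
function buildSetCookie(name, value, { httpOnly = true, secure = true, sameSite = "Lax", maxAge = 3600 } = {}) {
  if (!httpOnly) throw new Error("session cookies must be HttpOnly (not readable by script)");
  if (!secure) throw new Error("session cookies must be Secure (sent over HTTPS only)");
  if (!["Strict", "Lax"].includes(sameSite)) throw new Error("SameSite must be Strict or Lax");
  if (!/^[A-Za-z0-9._~-]+$/.test(value)) throw new Error("cookie value must be token-safe");
  return `${name}=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Minimal model of one browser origin.
class OriginModel {
  constructor() {
    this.localStorage = new Map();   // what window.localStorage would hold
    this.cookies = new Map();        // name -> { value, httpOnly }
  }

  // Apply a Set-Cookie header the way the browser would store it.
  applySetCookie(header) {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const [name, value] = pair.split("=");
    const httpOnly = attrs.some(a => a.toLowerCase() === "httponly");
    this.cookies.set(name, { value, httpOnly });
  }

  // What document.cookie exposes to page script: only non-HttpOnly cookies.
  documentCookie() {
    return [...this.cookies]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join("; ");
  }

  // Everything a script running in this origin could read and send elsewhere.
  scriptVisibleSecrets() {
    const out = [];
    for (const [k, v] of this.localStorage) out.push(`localStorage.${k}=${v}`);
    const dc = this.documentCookie();
    if (dc) out.push(`document.cookie=${dc}`);
    return out;
  }
}

// Weak pattern: token persisted in localStorage, session cookie without HttpOnly.
function weakLogin(origin, token) {
  origin.localStorage.set("jwt", token);
  origin.applySetCookie(`${SESSION_COOKIE}=${token}; Path=/`); // no HttpOnly, no Secure
  return origin.scriptVisibleSecrets();
}

// Corrected pattern: nothing in localStorage, session only in an HttpOnly
// cookie, short-lived token held in a closure that dies with the page.
function hardenedLogin(origin, token) {
  origin.applySetCookie(buildSetCookie(SESSION_COOKIE, token));
  let inMemoryToken = token;
  const tokenHolder = {
    get: () => inMemoryToken,
    clear: () => { inMemoryToken = null; },
  };
  return { exposed: origin.scriptVisibleSecrets(), tokenHolder };
}

// Stand-alone demo with a constructed token value.
console.log("weak:     ", weakLogin(new OriginModel(), "tok123"));
console.log("hardened: ", hardenedLogin(new OriginModel(), "tok123").exposed);
```

The `HttpOnly` flag stops page script from reading the session value, so an injected script cannot copy it out of the browser; it does not stop that script from making same-origin requests that the browser will still attach the cookie to, which is why XSS itself still has to be fixed rather than only worked around at the storage layer.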

justinbmeyer commented 5 years ago

Please add to the docs.