dwyl / learn-json-web-tokens

:closed_lock_with_key: Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)
MIT License
4.18k stars 254 forks

Security vulnerabilities #97

Open jsardev opened 5 years ago

jsardev commented 5 years ago

Just a suggestion: it would be cool to add some information about security concerns in different JWT storage methods on the client-side (cookie/localStorage) - XSS, CSRF etc.

nelsonic commented 5 years ago

@sarneeh thank you for opening this issue. 👍 If you have time to create a Pull Request please go for it! (you have write access to this repository)

Security concerns applicable to JWTs are the same as for other token schemes. If a malicious user is able to run an XSS attack on the domain they will be able to acquire the JWT and use it to impersonate the user regardless of how it is stored on the client. Malicious JS can read and leak cookies and localStorage just as easily.

We should advise people using JWTs that they do not protect against OWASP attacks and are merely a convenient way of transmitting signed claims/data. 📝

jsardev commented 5 years ago

@nelsonic

> Security concerns applicable to JWTs are the same as for other token schemes. If a malicious user is able to run an XSS attack on the domain they will be able to acquire the JWT and use it to impersonate the user regardless of how it is stored on the client. Malicious JS can read and leak cookies and localStorage just as easily.

I partially agree. You have something like a httpOnly and secure cookie which prevents an attacker from acquiring your JWT. But I totally agree that if you're open to XSS attacks, this doesn't protect you from anything as someone can do stuff on behalf of the user (not stealing the token, but i.e. injecting a malicious script).

So I guess that in the end, it doesn't matter if you use localStorage or a cookie - if you're open to OWASP attacks - you're screwed. But if you're protected against them - you should be safe with both methods.

I'd love to prepare some PR but I'm hard on time right now and will be free just in the next 1-2 months. If someone won't outrun me I'll prepare some PR 😄

ilan-schemoul commented 4 years ago

> @sarneeh thank you for opening this issue. If you have time to create a Pull Request please go for it! (you have write access to this repository)
>
> Security concerns applicable to JWTs are the same as for other token schemes. If a malicious user is able to run an XSS attack on the domain they will be able to acquire the JWT and use it to impersonate the user regardless of how it is stored on the client. Malicious JS can read and leak cookies and localStorage just as easily.
>
> We should advise people using JWTs that they do not protect against OWASP attacks and are merely a convenient way of transmitting signed claims/data.

As said above, a cookie can have the httpOnly option. According to this article it is really insecure to use localStorage instead of an httpOnly cookie:

> While I feel like I made myself clear that you should never ever store sensitive information in local storage in the previous section, I feel the need to specifically call out JSON Web Tokens (JWTs). The biggest security offenders I see today are those of us who store JWTs (session data) in local storage. Many people don't realize that JWTs are essentially the same thing as a username/password. If an attacker can get a copy of your JWT, they can make requests to the website on your behalf and you will never know. Treat your JWTs like you would a credit card number or password: don't ever store them in local storage.