
Protecting access token from XSS attack

I've been doing some research on where to store the access token after login. People say local storage is not secure since it can be read using JavaScript (vulnerable to XSS) and recommend HTTP-only cookies instead.

But let's say my website is vulnerable to XSS and some malicious code gets run to fetch data from my API. It should still work since the cookie just gets automatically added to the request right? They don't know what the cookie is but the request still works in the end. With XSS the malicious code would be running as if it is from my site.

Am I correct in this?

You are correct, the attacker will be able to make whatever your API allows.

The idea behind "saving the token in an HTTP-only cookie" is to prevent client-side code from accessing the token in order to steal it.
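One way to see the distinction the answer draws, as an added example that is not part of the original post: a small JavaScript model of the browser's cookie rules. The helper names (parseSetCookie, readableByScript, sentWithSameOriginRequest, auditTokenCookie) and the Set-Cookie header values are constructed for this illustration.

```javascript
// Added example (not from the original post): a minimal model of how a browser
// treats a token cookie, to show why HttpOnly stops theft but not requests.

// Parse a Set-Cookie header value into name/value plus a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// What injected script sees via document.cookie: HttpOnly cookies are hidden,
// so the token itself cannot be exfiltrated.
function readableByScript(cookie) {
  return !cookie.attrs.httponly;
}

// Whether the browser attaches the cookie to a same-origin fetch/XHR issued by
// page script (including script injected via XSS). HttpOnly plays no role here;
// only the Secure attribute on a plain-HTTP page would withhold it.
function sentWithSameOriginRequest(cookie, isHttps) {
  if (cookie.attrs.secure && !isHttps) return false;
  return true;
}

// Defender check: which hardening attributes a token cookie is still missing.
function auditTokenCookie(cookie) {
  const missing = [];
  if (!cookie.attrs.httponly) missing.push('HttpOnly');
  if (!cookie.attrs.secure) missing.push('Secure');
  const ss = String(cookie.attrs.samesite || '').toLowerCase();
  if (ss !== 'strict' && ss !== 'lax') missing.push('SameSite=Strict|Lax');
  return missing;
}

// Constructed sample headers; TOKEN_PLACEHOLDER stands in for a real token.
const weak = parseSetCookie('access_token=TOKEN_PLACEHOLDER; Path=/');
const hardened = parseSetCookie(
  'access_token=TOKEN_PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Strict'
);

console.log(readableByScript(weak), readableByScript(hardened)); // true false
console.log(sentWithSameOriginRequest(hardened, true));           // true: XSS can still call the API
console.log(auditTokenCookie(weak).join(','));                    // HttpOnly,Secure,SameSite=Strict|Lax
```

The last two lines are the point of the thread: the hardened cookie is invisible to script but is still sent with any request the injected script makes, so HttpOnly limits token theft, not API abuse during an active XSS.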
