12 Matching Annotations
- Aug 2022, cheatsheetseries.owasp.org
- Jun 2021, disqus.com
  "In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage."
- cheatsheetseries.owasp.org
  "Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!"
- pragmaticstudio.com
  "That means if an attacker can inject some JavaScript code that runs on the web app's domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user."
  "But there's a drawback that I didn't like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks."
- May 2021
  "the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client."
- en.wikipedia.org
  "Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions."
- Feb 2021, stackoverflow.com
  "IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited"
- Dec 2020, github.com
  `${JSON.stringify(state)}`
  XSS mitigation
- Oct 2020
- May 2020