As you know, IndexedDB and cookies are both used for persistent storage in web browsers.
Cookie-related security tasks have several aspects, such as Session Fixation or Session Hijacking. Attackers often use the methods below to achieve these.
Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Man in the Middle (MitM)
I've been doing some research about IndexedDB security. However, there are not so many documents about this stuff.
My questions are:
When I use IndexedDB instead of cookies, will I face the same security tasks? Why?
The short answer is IndexedDB is vulnerable to malware and physical takeover attacks. It's better than many options because cryptography is done outside the browser execution environment, but it's not totally secure.
IndexedDB offers several benefits over localStorage. For instance, IndexedDB doesn't block the DOM when used with a worker, unlike localStorage. However, localStorage is slightly faster than IndexedDB. The API of localStorage is also much easier to get started with, making it the more popular choice.
Conclusion. Both cookies and localStorage are vulnerable to XSS attacks. However, cookie-based token storage is more likely to mitigate these types of attacks if implemented securely. The OWASP community recommends storing tokens using cookies because of their many secure configuration options.
While IndexedDB makes it possible to store large, nested objects as a single record (and doing so is admittedly quite convenient from a developer perspective), this practice should be avoided.
Consider that a cookie is sent to the server with the request whereas IndexedDB is only read once a page has loaded.
If you DO find some resources where people more knowledgeable than me have discussed the issues you raise please respond with them here.