Can the localStorage value of a site be overwritten by XSS (cross-site scripting)? As far as I have verified in Chrome and Firefox, the localStorage value of a site is not accessible by a different site. Can anyone tell me whether the localStorage value can be read/written from a different domain in the browser by XSS?
Both sessionStorage and localStorage are vulnerable to XSS attacks. Therefore avoid storing sensitive data in browser storage. It's recommended to use browser storage when there is no sensitive data.
On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.
As local storage was never intended to be secure, there is no data protection and any JavaScript on the website can access it. Hackers can exploit an existing XSS vulnerability on the website, as in the following screenshot, when the user browses to https://set-localstorage.herokuapp.com/xss-injected-page.html.
If you store it inside localStorage, it's accessible by any script inside your page. This is as bad as it sounds; an XSS attack could give an external attacker access to the token. To reiterate, whatever you do, don't store a JWT in local storage (or session storage).
Nowadays many websites add third-party JS libraries for analytics, A/B testing, marketing tools, heat maps and so on. You may be sure about your own code, but if one of these scripts is vulnerable then you should expect an XSS attack easily, and in this case it can grab your localStorage. Don't use local storage for session identifiers or sensitive tokens. Stick with cookies and use the HttpOnly and Secure flags. To prevent CSRF attacks on cookies, almost all requests include one or both of the Origin header and the Referer header. CSRF can be partially prevented by checking the HTTP Referer and Origin headers from your API. CSRF attacks will have Referer and Origin headers that are unrelated to your application.
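The Origin/Referer check described in this answer, written out as an added server-side example (not code from the answer's author); the allowed origin `https://app.example.com` and the sample request headers are constructed for illustration.

```javascript
// Added example: server-side CSRF check that compares a request's Origin header,
// falling back to Referer, against the application's own origin(s).
// The allowed origin below is a hypothetical placeholder for your real deployment.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Reduce a Referer URL to its scheme://host[:port] origin; null if it does not parse.
function originFromReferer(referer) {
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Returns true when a state-changing request (POST/PUT/PATCH/DELETE) appears to
// come from one of our own pages. Safe methods pass through untouched.
// Fails closed: a request with neither header, or with the opaque "null"
// origin some cross-site contexts send, is rejected rather than trusted.
function isSameOriginRequest(method, headers, allowed = ALLOWED_ORIGINS) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  // Header names are case-insensitive; normalise before lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const origin = h.origin ?? (h.referer ? originFromReferer(h.referer) : null);
  if (!origin || origin === 'null') return false;
  // Exact origin match: a look-alike host such as app.example.com.evil.net
  // yields a different origin string and is rejected.
  return allowed.has(origin);
}

// Constructed sample requests: a legitimate form post, one identified only by
// Referer, a cross-site post, one with no headers at all, and a plain GET.
const samples = [
  { method: 'POST', headers: { Origin: 'https://app.example.com' } },
  { method: 'POST', headers: { Referer: 'https://app.example.com/settings?x=1' } },
  { method: 'POST', headers: { Origin: 'https://evil.example.net' } },
  { method: 'POST', headers: {} },
  { method: 'GET', headers: {} },
];

for (const s of samples) {
  console.log(s.method, JSON.stringify(s.headers),
    isSameOriginRequest(s.method, s.headers) ? 'allowed' : 'rejected');
}
```

This complements, rather than replaces, a synchronizer token or SameSite cookie attribute, since the answer itself notes the header check is only a partial defence.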
JavaScript coming from reflected XSS or similar can do whatever normal JS can do on the domain where the XSS exists. So if example.com has stored things in localStorage and example.com also has an XSS flaw, then that XSS vuln can be used to extract or overwrite users' data in localStorage. You could even use a reflected XSS that exploits a DOM-based XSS using data from localStorage, meaning a client-side persistent XSS.