I have an application that uses React to authenticate. With the Okta library, it by default stores the ID token and access token in local storage. I then grab the access token to make a .NET API call that is protected by role authorization.
I'm having difficulty understanding the issue with XSS attacks. My understanding is that they can inject JavaScript code to do something with the access token. They are only able to get their own access token by logging in normally. Why is it an issue if they are doing something with their own access token? In addition, can't the access token be found in the network call, so it's not really hidden to begin with?
Can anyone provide me with an example or explain the gaps in my logic? Thanks!
CodePudding user response:
My understanding is that the access token here will be stored in the browser (I'm not super clear on the differences between cookies and local storage, but correct me if I'm wrong). When you do that .NET API call, the browser knows to pass along the access token. The issue is that websites can include arbitrary JavaScript that runs on your browser, i.e. that arbitrary JavaScript can execute HTTPS requests from your browser using your access token.
In this way, the malicious agent wouldn't be creating their own access token, but instead using yours in arbitrary ways that might give them access to whatever private data you have stored behind your .NET API.
To avoid this, we limit the domains that can access our APIs. Typically, you might see APIs only allow requests from the same domain name. For example: if your API is accessible at mywebsite.com/api, then it would only allow API requests from mywebsite.com.
edit:
Forgot to answer the "isn't the access token not hidden because it's included in a public HTTPS request" question. There are a couple of potential solutions here. On websites that use TLS (i.e. you're accessing with HTTPS), you know the public key of the website you're intending to send data to. You can use that public key to encrypt your access token and only the website will be able to decrypt it (with their private key). This way, your access token is kept secret between you and the .NET API.
CodePudding user response:
In an XSS attack there is nothing that prevents the attacker from reading values in local storage. Unless there are countermeasures such as CSP to prevent exfiltration, an XSS attack can be used to steal access tokens.
When cookies have the HttpOnly flag set they are not accessible by script. The browser will attach them on relevant requests as intended.
When requests are encrypted using HTTPS the headers will be encrypted and thus hidden.