Property
Language: javascript
Severity: low
CWE: CWE-922: Insecure Storage of Sensitive Information
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Storing a JWT in localStorage exposes it to every script that runs in the page's origin: window.localStorage has no access control beyond the same-origin policy, so any cross-site scripting (XSS) payload can read the token with a single localStorage.getItem call and exfiltrate it. Keep session tokens out of storage that script can read. Have the server set them in a cookie marked HttpOnly (not exposed to document.cookie), Secure (sent only over HTTPS) and SameSite=Strict or Lax (withheld on cross-site requests, which addresses the CSRF exposure that cookie-based authentication otherwise adds). Note that an HttpOnly cookie stops the token from being stolen, not from being used: a script injected into the page can still make authenticated requests from the victim's browser, so this control complements XSS prevention (output encoding, Content Security Policy) rather than replacing it.

Impact

If an attacker exploits an XSS vulnerability on any page of the origin, they can read the JWT from localStorage and send it to a host they control. With the token in hand they can impersonate the user from their own machine until the token expires or is revoked, access protected data, and perform any action the user is authorised for, leading to potential data breaches and loss of user trust.