We found that the web application stored the JSON Web Token in HTML5 local storage.
Implication and Impact
A JWT needs to be stored safely inside the user's browser. If the JSON Web Token is kept in session storage or
local storage, it is readable by any JavaScript running in the page's origin: an XSS payload, or any third-party
script (analytics, tag managers, CDN-hosted libraries) included on the page. If such a third-party script is
compromised, it can read and exfiltrate the token of every user who loads the page.
It should be noted that some architectures require JavaScript to read the authorization token (for example, to
attach it as a Bearer header to API calls). In those cases this should not be treated as a vulnerability in itself
but as a security issue, because the risk of token compromise through script access still exists.
Affected resources
• https://xxx.com:444
Recommendations
Consider storing the authorization token in a cookie with the proper security attributes set. With the
"HttpOnly" attribute, the cookie cannot be read through JavaScript, so an XSS payload cannot exfiltrate the token
(note that XSS can still issue authenticated requests from within the page, so it must still be fixed separately).
Also set the "Secure" attribute to guarantee the cookie is only sent over HTTPS, and the "SameSite" attribute
(Strict or Lax) to prevent the browser from sending the cookie along with cross-site requests; this matters more
once the token is in a cookie, because the browser then attaches it to requests automatically (CSRF).
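As an added example, not code from the original report or the assessed application, the following Node.js snippet builds the Set-Cookie header that would carry the JWT with the recommended attributes, and audits an arbitrary Set-Cookie header (for example one copied from an intercepting proxy) for the attributes it lacks. The cookie name "auth_token", the lifetime and the sample token are assumptions for illustration.

```javascript
// Added example (not part of the original report). Builds a Set-Cookie header value
// for a JWT with HttpOnly, Secure and SameSite set, and audits existing headers.
// Cookie name, lifetime and the sample token below are assumptions for illustration.

// Build the Set-Cookie header value for an authorization token.
function buildAuthCookie(name, token, { maxAgeSeconds = 900, sameSite = "Strict", path = "/" } = {}) {
  // A compact JWS is three base64url segments joined by '.', which never need
  // cookie-encoding; reject anything else rather than emitting a malformed header.
  if (!/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}$/.test(token)) {
    throw new Error("token is not a compact JWS (base64url.base64url.base64url)");
  }
  // SameSite=None would re-enable cross-site sending and defeat the CSRF mitigation.
  if (!["Strict", "Lax"].includes(sameSite)) {
    throw new Error("SameSite must be Strict or Lax for an auth cookie");
  }
  // The __Host- prefix is enforced by browsers: Secure, Path=/ and no Domain.
  if (name.startsWith("__Host-") && path !== "/") {
    throw new Error("__Host- cookies must use Path=/");
  }
  return [
    `${name}=${token}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",             // not readable via document.cookie, so XSS cannot exfiltrate it
    "Secure",               // only sent over HTTPS
    `SameSite=${sameSite}`, // not attached to cross-site requests
  ].join("; ");
}

// Audit a Set-Cookie header value and return the list of missing or weak attributes.
function auditSetCookie(header) {
  const attrs = header
    .split(";")
    .slice(1) // drop the name=value pair
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite) missing.push("SameSite");
  else if (sameSite === "samesite=none") missing.push("SameSite (None allows cross-site sending)");
  return missing;
}

// Constructed sample token (header.payload.signature, not a real credential).
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl";

const hardened = buildAuthCookie("__Host-auth_token", SAMPLE_JWT);
console.log("Set-Cookie:", hardened);
console.log("missing on hardened cookie:", auditSetCookie(hardened));
console.log("missing on weak cookie:", auditSetCookie("auth_token=" + SAMPLE_JWT + "; Path=/"));
```

The audit function is the check to run against the application's actual login response once the token has been moved out of localStorage: an empty result means all three attributes are present. Note that moving the token into a cookie changes the threat model rather than removing it; with SameSite set, cross-site request forgery is mitigated, but an XSS payload can still drive authenticated requests from inside the page, so XSS findings keep their severity.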