Cobalt Vulnerability Wiki

V3 - Session Management

Insecure Storage of JWT Token

Login into the application with any valid user account;
Check a browser's Local Storage
Observe that JWT token is stored in Local Storage
If an attacker can achieve running JavaScript in the Securing single page (SPA) using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage.

Low

Low

Join some of these great clients we’re proud to have helped