V3 - Session Management
Insecure Storage of JWT Token
POC
- Log in to the application with any valid user account;
- Check the browser's Local Storage;
- Observe that the JWT token is stored in Local Storage;
- If an attacker can run JavaScript in the single page application (SPA), for example through a cross-site scripting (XSS) attack, they can retrieve the tokens stored in Local Storage.
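A repeatable check for the observation above, added here as an example and not part of the original finding: it scans any object with the Web Storage interface (window.localStorage in the browser, or the constructed mock below in Node) for values that are structurally JWTs and reports the key and claims of each. The sample token and its key name are constructed for this example.

```javascript
// Decode one base64url JWT segment as JSON; return null if it is not valid JSON.
function decodeBase64UrlJson(segment) {
  try {
    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// True when the value is a JWS compact serialization: header.payload.signature,
// with a JSON header carrying "alg". The signature may be empty ("alg":"none").
function looksLikeJwt(value) {
  if (typeof value !== "string") return false;
  const parts = value.split(".");
  if (parts.length !== 3) return false;
  if (!/^[A-Za-z0-9_-]+$/.test(parts[0]) || !/^[A-Za-z0-9_-]+$/.test(parts[1])) return false;
  if (!/^[A-Za-z0-9_-]*$/.test(parts[2])) return false;
  const header = decodeBase64UrlJson(parts[0]);
  return header !== null && typeof header.alg === "string";
}

// Walk a Storage-like object (length, key(i), getItem(k)) and list JWT-shaped values.
// Anything returned here is readable by any script running in the page, XSS included.
function findJwtsInStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (looksLikeJwt(value)) {
      const payload = decodeBase64UrlJson(value.split(".")[1]) || {};
      findings.push({ key, sub: payload.sub ?? null, exp: payload.exp ?? null });
    }
  }
  return findings;
}

// Constructed mock of Local Storage so the check runs outside a browser.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] ?? null };
}

// Constructed throwaway token: HS256 header, {"sub":"user123","exp":1700000000},
// and a placeholder signature. It is not a real credential.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzAwMDAwMDAwfQ." +
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy";

console.log(findJwtsInStorage(makeStorage({ access_token: SAMPLE_TOKEN, theme: "dark" })));
```

An empty result is the expected state after remediation, which keeps the session token out of script-readable storage (an HttpOnly cookie or in-memory only).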
Impact
Low
Likelihood
Low