[Owasp-leaders] HTML5 local storage..

Eoin eoin.keary at owasp.org
Thu Dec 5 10:06:42 UTC 2013


Hi Chris,
What you're saying is using local storage as a "certificate store" sorta
affair? Like a keystore for auth/authz when using an app?



On 5 December 2013 09:56, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> Hi everyone,
>
> Assuming a domain does all the right stuff regarding XSS protection (white
> listing, output encoding, CSP etc etc) could HTML 5 local storage perhaps
> be a very interesting candidate for storing session cookies and performing
> authentication/authorization?
>
> Reading between the lines the following key benefits stood out for me:
>
> Local storage token/cookie not transmitted over the wire hence minimising
> opportunity of cookie theft from sniffing
>
> Same origin policy means that local storage cookie will be
> protected/relatively immune from CSRF attacks and hence no additional
> effort required to CSRF tokenize forms etc.
>
> Of course, if your site has XSS then local storage cookies can be siphoned
> off or even injected but assuming for the time being that the site is
> immune to XSS and hence the lack of http only doesn't really matter and
> everything going over SSL by default (hence secure flag doesn't really
> matter) would the above benefits hold true?
>
> Of course the user can mangle the local storage token/cookie but that
> would in effect not really be different to doing the same with burp proxy
> etc as long as token/cookie is sufficiently random complex etc and unable
> to infer other peoples session tokens for horizontal or vertical priv esc.
>
> Am I missing something fundamental from a security perspective here? :-)
>
> Finally are there any local storage authentication/authorization
> frameworks out there?
>
> Many thanks & kind regards,
> Christian Papathanasiou.
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
Eoin Keary
OWASP Member
https://twitter.com/EoinKeary