[Owasp-leaders] HTML5 local storage..

Christian Papathanasiou christian.papathanasiou at owasp.org
Thu Dec 5 10:16:02 UTC 2013


Hey Eoin, 

Not a certificate store, rather using it to store session id's that I would otherwise/traditionally  transmit as a cookie. 

Basically if site is immune from XSS, would HTML5 local storage be a good place to store your session cookies in. 

Reading between the lines it appears to have benefits listed below (always assuming site is XSS immune)


Sent from my iPhone

> On 5 Dec 2013, at 10:08, Eoin <eoin.keary at owasp.org> wrote:
> 
> Would a weak browser (IE6) infected with Malware be an issue here?
> Certificate stores / Keystores have passwords etc but local storage does not.
> 
> 
> 
>> On 5 December 2013 10:06, Eoin <eoin.keary at owasp.org> wrote:
>> Hi Chris,
>> What your saying is using local storage as a "certificate store" sorta affair? Like a keystore for auth/authz when using an app?
>> 
>> 
>> 
>>> On 5 December 2013 09:56, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>>> Hi everyone,
>>> 
>>> Assuming a domain does all the right stuff regarding XSS protection (white listing, output encoding, CSP etc etc) could HTML 5 local storage perhaps be a very interesting candidate for storing session cookies and performing authentication/authorization?
>>> 
>>> Reading between the lines the following key benefits stood out for me:
>>> 
>>> Local storage token/cookie not transmitted over  the wire hence minimising opportunity of cookie theft from sniffing
>>> 
>>> Same origin policy means that local storage cookie will be protected/relatively kimmune from CSRF attacks and hence no additional effort required to CSRF tokenize forms etc.
>>> 
>>> Of course, if your site has XSS then local storage cookies can be siphoned off or even injected but assuming for the time being that the site is immune to XSS and hence the lack of http only doesn't really matter and everything going over SSL by default (hence secure flag doesn't really matter) would the above benefits hold true?
>>> 
>>> Of course the user can mangle the local storage token/cookie but that would  in effect not really be different to doing the same with burp proxy etc as long as token/cookie is sufficiently random complex etc and unable to infer other peoples session tokens for horizontal or vertical priv esc.
>>> 
>>> Am I missing something fundamental  from a security perspective here? :-)
>>> 
>>> Finally are there any local storage authentication/authorization frameworks out there?
>>> 
>>> Many thanks & kind regards,
>>> Christian Papathanasiou.
>>> 
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> 
>> 
>> -- 
>> Eoin Keary
>> OWASP Member
>> https://twitter.com/EoinKeary
> 
> 
> 
> -- 
> Eoin Keary
> OWASP Member
> https://twitter.com/EoinKeary
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131205/ecb39cb9/attachment.html>


More information about the OWASP-Leaders mailing list