4

I've read that JWT tokens shouldn't be stored in localStorage because XSS attacks can read them. The proposed solution is to store JWT tokens in HTTPOnly cookies and use anti-CSRF w/ double-submit cookies. OWASP says all CSRF solutions are vulnerable to XSS. If that's the case, then is JWT in HTTPOnly cookies with CSRF just as vulnerable to XSS? If so, why even bother w/ CSRF and just store your JWT in localStorage?

Bradford

1 Answer

4

I've read that JWT tokens shouldn't be stored in localStroage because XSS attacks can read them.

True. If you store information in your JWT and don't want an attacker to read it via XSS, storing them in a httpOnly cookie is a good idea.

The proposed solution is to store JWT tokens in HTTPOnly cookies and use CSRF w/ double-submit cookies.

I think you are confusing two things here. Storing the tokens in a httpOnly cookie is already the solution to them not being read.

CSRF is a different matter, and it cannot be used to read out data. It can however be used to perform actions on a website for a user that that user did not intend. One solution to this is the double submit cookies pattern.

OWASP says all CSRF solutions are vulnerable to XSS.

Yes, pretty much.

If that's the case, then is JWT in HTTPOnly cookies with CSRF just as vulnerable to XSS?

The thing is that you cannot use an anti-CSRF token that is stored in a httpOnly cookie with the double submit cookies pattern.

You need client-side access to the token, as it would otherwise not be possible to insert the token into the form.

So to make this work, you would need to make your cookie not httpOnly or store the token somewhere else in addition to the cookie, e.g. in the local storage.

Either way, an attacker can bypass your CSRF protection once they have gained XSS.

If so, why even bother w/ CSRF and just store your JWT in localStorage?

You should store your JWT in a httpOnly cookie if you want to hide its content from an attacker even if there is an XSS vulnerability. If you don't care, or if you need to access the information yourself, localStorage works just as well.

tim