
I'm reading through openid connect document ATM and it says:

Put into a browser cookie the ID token can be used to implement lightweight stateless sessions.

IIUC we want to avoid using cookies in order to avoid CSRF attacks, since the browser will send the cookie with all requests, and if the user loads an image (while logged in to notsosecurebank.com) with the URL:

<a href="http://notsosecurebank.com/transfer.do?acct=AttackerA&amount=$100">Read more!</a>

The browser will send the access token (Since it's a cookie) and this allows the attack to happen.

If the token is stored in session or local storage and only sent via REST / XHR requests, then there's no way for CSRF to happen? Did I understand this correctly?

Ole
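To make the difference in the question concrete, here is an added example (not part of the original post) that models how a server sees the same two requests under three session designs: a cookie-only session, a token kept in session/local storage and sent in the Authorization header, and a cookie session hardened with a double-submit CSRF token plus the browser's Sec-Fetch-Site header. The request objects, cookie names, token values and the /transfer.do endpoint are all constructed for the demo; the Sec-Fetch-Site check assumes a browser that sends that header, so its absence is treated as "unknown" rather than as proof of a cross-site origin.

```javascript
// Added example, not code from the original question. All values below are constructed.
const VALID_SESSION = "sess-abc123";    // constructed cookie session id
const VALID_BEARER = "idtoken-xyz789";  // constructed ID token the app keeps in localStorage

// Design A: the session is identified by a cookie alone. Browsers attach cookies to
// every request for the domain, including requests triggered by a third-party page
// (an <img src>, a form post, a link), so the cookie alone cannot distinguish a
// forged cross-site request from a legitimate one.
function cookieOnlyAuthorize(req) {
  return req.cookies.session === VALID_SESSION;
}

// Design B: the token lives in session/local storage and the application's own
// JavaScript copies it into the Authorization header on each XHR/fetch call.
// A third-party page cannot read that storage, and cannot attach the header to
// an <img> load, a top-level navigation or a plain HTML form post.
function bearerAuthorize(req) {
  const h = req.headers.authorization || "";
  return h === `Bearer ${VALID_BEARER}`;
}

// Design A hardened: keep the cookie session, but also require evidence that the
// request was issued by our own origin. Two server-visible signals are checked:
//   1. Sec-Fetch-Site (sent by modern browsers): anything other than "same-origin"
//      or "none" (user-typed URL / bookmark) is rejected outright.
//   2. A double-submit token: the X-CSRF-Token header must equal the csrf cookie.
//      Only same-origin script can read that cookie value and set the header.
function cookieWithCsrfAuthorize(req) {
  if (req.cookies.session !== VALID_SESSION) return false;
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin" && site !== "none") return false;
  const headerToken = req.headers["x-csrf-token"];
  return headerToken !== undefined && headerToken === req.cookies.csrf;
}

// Constructed request 1: the application's own XHR, carrying everything it should.
const legitimateXhr = {
  method: "POST",
  path: "/transfer.do",
  cookies: { session: VALID_SESSION, csrf: "csrf-111" },
  headers: {
    authorization: `Bearer ${VALID_BEARER}`,
    "x-csrf-token": "csrf-111",
    "sec-fetch-site": "same-origin",
  },
};

// Constructed request 2: the cross-site image load from the question. The browser
// attaches the cookies automatically but nothing else.
const forgedCrossSite = {
  method: "GET",
  path: "/transfer.do?acct=AttackerA&amount=100",
  cookies: { session: VALID_SESSION, csrf: "csrf-111" },
  headers: { "sec-fetch-site": "cross-site" },
};

// Constructed request 3: the same forged request from an older browser that does not
// send Sec-Fetch-Site at all. The double-submit token check still has to catch it.
const forgedOldBrowser = {
  method: "GET",
  path: "/transfer.do?acct=AttackerA&amount=100",
  cookies: { session: VALID_SESSION, csrf: "csrf-111" },
  headers: {},
};

// Returns the verdict of each design for one request.
function evaluate(req) {
  return {
    cookieOnly: cookieOnlyAuthorize(req),
    bearer: bearerAuthorize(req),
    cookieWithCsrf: cookieWithCsrfAuthorize(req),
  };
}

for (const [name, req] of Object.entries({ legitimateXhr, forgedCrossSite, forgedOldBrowser })) {
  console.log(name, evaluate(req));
}
```

The cookie-only design accepts both forged requests, which is exactly the CSRF the question describes. The bearer design rejects them because no cross-site page can add the header, and the hardened cookie design rejects them because the forged request carries no X-CSRF-Token. Note that the bearer design's safety rests on the token only ever being attached by the application's own script, which is the reason the XSS caveat matters.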

1 Answer


Storing the token in the session or local storage is the solution recommended by OWASP.

However, it is required but not sufficient to protect from CSRF: if an attacker is able to perform a Cross-site Scripting (XSS) attack on your site, the attacker could inject JavaScript code that retrieves the token from storage and uses it for undesired REST/XHR requests.

Follow the OWASP XSS Prevention Cheat Sheet recommendations too and you should be good.

Comment: If there's an XSS vulnerability then none of the CSRF mitigations will do any good, XSS is a separate issue. This doesn't really answer the question either. – AndrolGenhald Nov 28 '17 at 14:16
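The answer points at the OWASP XSS Prevention Cheat Sheet, whose first rules are to entity-encode untrusted data before inserting it into HTML element content and to use the stricter `&#xHH;` encoding for attribute values. The following is an added example (not from the answer, the comment, or OWASP's own code) implementing those two encoders and rendering a small constructed profile page both with and without them, so the difference is visible. The template, the display names and the `renderProfile` function are constructed for this demo.

```javascript
// Added example, not code from the original answer. Inputs and template are constructed.

// Rule 1 of the OWASP XSS Prevention Cheat Sheet: encode the six HTML-significant
// characters before placing untrusted data inside element content.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (c) => HTML_ENTITIES[c]);
}

// Rule 2: for attribute values, encode every non-alphanumeric character as &#xHH;.
// This keeps the value inert even if a developer forgets to quote the attribute.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(
    /[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`
  );
}

// Constructed page fragment: the display name is used both as element content
// and as an attribute value. With encode=false the untrusted data is written raw,
// which is the mistake the cheat sheet guards against.
function renderProfile(displayName, { encode }) {
  const content = encode ? encodeForHtml(displayName) : displayName;
  const attr = encode ? encodeForHtmlAttribute(displayName) : displayName;
  return `<h1>Welcome, ${content}</h1>\n<input name="nick" value="${attr}">`;
}

// A simple review-time check: after rendering, no raw '<' or '>' from the input
// may remain, i.e. the output can contain no tag that was not in the template.
function untrustedTagSurvives(html, template) {
  const templateTags = (template.match(/<[^>]*>/g) || []).length;
  const outputTags = (html.match(/<[^>]*>/g) || []).length;
  return outputTags > templateTags;
}

const TEMPLATE = renderProfile("", { encode: false });
const probe = "<script>alert(1)</script>"; // constructed test input, not a real user

console.log(renderProfile("Tom & Jerry", { encode: true }));
console.log("raw render leaks a tag:", untrustedTagSurvives(renderProfile(probe, { encode: false }), TEMPLATE));
console.log("encoded render leaks a tag:", untrustedTagSurvives(renderProfile(probe, { encode: true }), TEMPLATE));
```

In a real application the encoder should be the template engine's own auto-escaping (or a library such as DOMPurify for rich content) rather than a hand-written function, but the two functions above show exactly what that auto-escaping has to do, and `untrustedTagSurvives` is the kind of assertion a test suite can run against rendered output to catch a template that writes untrusted data raw.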