I was just reading through the "Token sidejacking" of the JWT Cheat Sheet of OWASP (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking)
At the moment I don't understand how the recommended prevention actually solves the issue.
The solution is to add a context and send this context (e.g. a random value) as a Cookie as well as part of the JWT (then hashed).
However if an attacker is able to steal the JWT by performing a XSS attack and access the sessionStorage, the attacker can also send XHR-requests, so the Cookie is automatically send with it. If the attacker is able to sniff the network traffic, the attacker also has the Cookie value. The only case I can think of where this works is, if the attacker has access to some sort of logs, where the JWT is stored, but this would be another vulnerability (or more).
What did I miss? Thanks