Hacker News new | ask | show | jobs
by omgitstom 3675 days ago
As a developer, I feel like I have more control over mitigating CSRF then XSS.

But where I have more issues is that OWASP clearly advises not to use web storage for identities:

+ A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage. + A single Cross Site Scripting can be used to load malicious data into these objects too, so don't consider objects in these to be trusted. + Pay extra attention to “localStorage.getItem” and “setItem” calls implemented in HTML5 page. It helps in detecting when developers build solutions that put sensitive information in local storage, which is a bad practice. + Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
3 comments
albinowax_ 3675 days ago
This page is one of the ones that persuaded me to write that blog post - I've read it and don't think it's accurate. In spite of the OWASP brand name it's just a wiki - I could edit it myself. If my own post is persuasive and technically sound then that page may be updated in due course.
link
raesene9 3675 days ago
This is an important point and one that's often overlooked with OWASP content. Being on the wiki doesn't necessarily constitute well reviewed up to date advice (indeed there's a lot of outdated content there)

That said as it is a wiki anyone is free to create an account and improve it :)

link
omgitstom 3675 days ago
What has happened with web storage since 2015-09-09 that makes their recommendations out of date?
link
CiPHPerCoder 3675 days ago
> As a developer, I feel like I have more control over mitigating CSRF then XSS.

Your feeling is correct. Let me put it this way:

You mitigate SQL injection effectively by making sure no data (user input) can affect the code (SQL query). i.e. Prepared statements.

There is no analogous equivalent for defeating XSS. You have to escape output.

https://paragonie.com/blog/2015/06/preventing-xss-vulnerabil...

Escaping input for SQL injection "works", but has failed pretty hard in the past:

http://stackoverflow.com/a/12118602/2224584

(Character encoding, for the lose.)

By comparison, CSRF is trivial. You use a token that only the client should know, and implement a trivial challenge/response authentication layer onto your HTTP POST APIs, make sure you're using TLS, and call it a day.

link
nemothekid 3675 days ago
The blog post tackles this. As I understand it, if the attacker can run `localStorage.getItem` on your webpage, you are already screwed. They will just craft an AJAX request, which will have the `httpOnly` cookies tagged on, and send that data back to the attacker's servers.

`httpOnly` doesn't protect you from anything if you are using those same cookies in AJAX requests.

link