
I am reading some articles about security in React applications. Indeed, I use localStorage to store the user's info and I've seen that an XSS attack could easily allow a hacker to steal it.

However, I understand that in React, an XSS attack can only be performed through a dangerouslySetInnerHTML tag that displays content written in an input. This way, you can steal his info, session cookies, etc. and send them to your website.

But a hacker could only do this if he has the chance to write his script on the user's computer, right? So, if I don't use any dangerouslySetInnerHTML tag, is localStorage safe in a React app? If not, how could a hacker run such an attack on the website?

DoneDeal0

2 Answers

  1. If the user uses a public computer it might be possible.
  2. If you have some functionality which allows external users to post content on your site, for example comments or reactions, then someone might write a script which sends localStorage data to a hacker.

There are a lot of ways to exploit this; check OWASP for a more detailed explanation.

https://owasp.org/www-project-top-ten/

Selmir Aljic

Developers must accept what attackers can do:

  • They can retheme an entire site.
  • They can also make "bot" scripts to automate tasks, in other words flood your server if that was the task.
  • All limits defined in JS/HTML can and will be bypassed (e.g. character lengths in forms, etc.).
  • The entire page can be re-written to not talk to your server right, in other words crashing it, and more if not handled/detected.
  • The list goes on, but accept it's pretty much all off the table if someone wants to pry hard enough.

There's not a whole lot you can do to prevent this. To explain: you can add an external script from randomxyxsite.com and, though trusted, it could undergo an attack where that script now runs "loggers or some type of analytic-grabbing bot". This, in my opinion, is easily avoided by not adding external scripts if you can.

Though I said what I said originally, here's where you're stuck... Any user can open console/build extensions or use a third-party loader like Tampermonkey and other alternatives and execute script at their will. This too can become "shared" and comparable to botnet behavior.

So what can you do to stop clients from mis-behaving or "super-modding" their content for malicious server-use?

Some ways to safe-guard:

  • Server-side requests should pass through some form of check/sanitization to ensure that whatever any of the clients pass to it is absolutely safe to absorb.
  • Never let the user tell you who they are beyond login; define these users by session id. Know these users by their session and when user<>user, get between them and follow the above point.
  • Keep as much as possible private. Public variables/classes/functions are easily re-written during run-time, leaving some features you may have intended to fall apart.

// A global (public) function: any script running in the page can reassign it at run-time.
window.PayFeature = function(){};

ALLOW XSS:

If feared, a developer should study it more. As much as a user can distort/change their end, it's only an issue if the traffic changes or the data received from them starts becoming attack-like. So for a developer your best bet is to actually rate-limit, set rules and more for users so that abuse is detected and stopped. As long as you do that, you should never fear it but welcome it; when the server is secured it becomes a matter of spam (potential botnet).

BGPHiJACK
  • Great answer, thanks! – DoneDeal0 Jan 04 '21 at 15:56
  • XSS is an expertise of mine; there's lots to touch on, but for a developer wanting to focus on app design this should suffice and give you the right idea. So next time you ask yourself, should it go in local storage or not, the answer is probably no unless it pertains to settings made in the client. So if the site has a dark mode, you could store the selection there for safe-keeping, easy load on the server. Have fun! – BGPHiJACK Jan 04 '21 at 16:45
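An added example, not from either answer, tying together the first answer's point (user-posted comments as the vector) and the second answer's advice (server-side checks, rate limits keyed by session id): the server escapes and length-checks a submitted comment itself, since any client-side form limit can be bypassed. The comment length limit and the rate-limit window are assumed values.

```javascript
// Server-side handling of a user-submitted comment (hypothetical app).
// The limits live here, not only in the React form, because the client
// can rewrite anything it runs; escaped text is what gets stored and rendered.

const MAX_COMMENT_LENGTH = 500; // assumed limit, enforced on the server

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate a comment payload as the server receives it.
// Returns { ok: true, comment } with escaped text, or { ok: false, reason }.
function validateComment(body) {
  if (typeof body !== 'object' || body === null) return { ok: false, reason: 'invalid body' };
  const { text } = body;
  if (typeof text !== 'string') return { ok: false, reason: 'text must be a string' };
  const trimmed = text.trim();
  if (trimmed.length === 0) return { ok: false, reason: 'empty comment' };
  if (trimmed.length > MAX_COMMENT_LENGTH) return { ok: false, reason: 'comment too long' };
  return { ok: true, comment: escapeHtml(trimmed) };
}

// Per-session rate limiter: at most `limit` posts per `windowMs`, keyed by the
// server's own session id rather than any user-supplied identity.
function makeRateLimiter(limit, windowMs) {
  const hits = new Map(); // sessionId -> timestamps of recent posts
  return function allow(sessionId, now = Date.now()) {
    const recent = (hits.get(sessionId) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) { hits.set(sessionId, recent); return false; }
    recent.push(now);
    hits.set(sessionId, recent);
    return true;
  };
}

// Constructed request flow: a comment is accepted only if the session is under
// its rate limit and the payload passes validation.
function handleCommentPost(allow, sessionId, body, now) {
  if (!allow(sessionId, now)) return { ok: false, reason: 'rate limited' };
  return validateComment(body);
}
```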