Token Theft and Session Hijacking in Modern Web Applications

Stealing a session token is often easier than stealing a password, and just as effective. A valid session token grants an attacker full access to the victim’s account without needing their credentials or bypassing multi-factor authentication. The session has already been authenticated. The attacker simply steps into it.

As applications move towards token-based authentication using JWTs and OAuth, the attack surface for token theft has expanded. Understanding how these tokens can be stolen and misused is essential for building secure web applications.

How Tokens Get Stolen

Cross-site scripting vulnerabilities allow attackers to execute JavaScript in the context of your application. If your session token is accessible to JavaScript, whether stored in localStorage, sessionStorage, or a cookie without the HttpOnly flag, XSS gives the attacker everything they need to steal it.

Man-in-the-middle attacks intercept tokens transmitted without TLS or without the Secure cookie flag. Network sniffing on shared WiFi networks or compromised routers captures tokens in transit.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Session token security is one of the first things we evaluate during web application assessments. We regularly find tokens transmitted without the Secure flag, stored in localStorage where JavaScript can access them, and issued without expiration. Each of these weaknesses gives an attacker a straightforward path to account takeover.”

JWT-Specific Risks

JSON Web Tokens introduce their own set of vulnerabilities. JWTs that never expire give attackers indefinite access from a single stolen token. Tokens signed with weak algorithms or predictable secrets can be forged. And the common practice of storing sensitive data in the JWT payload exposes that data to anyone who can decode the base64-encoded token.

Server-side validation failures compound these risks. If your application doesn’t verify the signature properly, doesn’t check the expiration, or doesn’t validate the issuer, the authentication mechanism provides a false sense of security.
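The following is an added example, not code from the original article or from Aardwolf Security, showing what a server-side JWT verifier has to enforce to avoid the failures just listed. It uses only the Python standard library: a minimal HS256 signer, and a verifier that pins the algorithm (so a header claiming `alg: none` or a swapped algorithm is refused), compares the signature in constant time, checks `exp` and `iss`, and consults a server-side revocation list keyed by `jti`. The secret, issuer URL and token lifetime are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example; a real service loads the key from a secret store.
SECRET = b"example-signing-key-change-me"
EXPECTED_ISSUER = "https://auth.example.test"   # hypothetical issuer
REVOKED_JTIS = set()                             # server-side revocation list


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: dict) -> str:
    """Produce header.payload.signature for an HS256 token over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def issue_token(subject: str, jti: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Mint a short-lived token with an issuer claim and a unique id for later revocation."""
    now = time.time() if now is None else now
    return _sign({"sub": subject, "iss": EXPECTED_ISSUER, "iat": int(now),
                  "exp": int(now) + ttl_seconds, "jti": jti})


def verify_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects bad algorithm, bad signature, expiry, wrong issuer, revoked id."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # The server decides the algorithm; the header is never allowed to choose it.
    if header.get("alg") != "HS256":
        return False, "bad_alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    # A missing exp is treated as expired: tokens that never expire are not accepted.
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    if payload.get("iss") != EXPECTED_ISSUER:
        return False, "bad_issuer"
    if payload.get("jti") in REVOKED_JTIS:
        return False, "revoked"
    return True, "ok"


def revoke_token(jti: str) -> None:
    """Invalidate a token immediately, without waiting for it to expire."""
    REVOKED_JTIS.add(jti)
```

The order of checks matters: the signature is verified before any claim is trusted, so an attacker cannot influence the outcome by editing `exp` or `iss` in an unsigned payload. The revocation set here is in-process; a deployment with more than one server would back it with a shared store.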

Protecting Your Tokens

Store session tokens in HttpOnly cookies with the Secure and SameSite flags. These three attributes prevent JavaScript access, enforce HTTPS-only transmission, and reduce cross-site request forgery risk respectively.
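As an added example (not from the original article), here is how the three attributes look on the wire, using Python's standard `http.cookies` module to emit a `Set-Cookie` header, together with a small audit function that reports which of the attributes a given header is missing. The cookie name, lifetime and token value are constructed for the example; the `__Host-` prefix is a standard browser feature that additionally refuses the cookie unless it is Secure and host-scoped.

```python
from http.cookies import SimpleCookie
from typing import List

# Cookie name is an assumption for this example. The __Host- prefix makes browsers
# reject the cookie unless it is Secure, has Path=/ and carries no Domain attribute.
COOKIE_NAME = "__Host-session"


def session_cookie_header(token: str, max_age: int = 900, same_site: str = "Lax") -> str:
    """Build a Set-Cookie value with HttpOnly, Secure and SameSite set."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True        # not readable from document.cookie
    morsel["secure"] = True          # only sent over HTTPS
    morsel["samesite"] = same_site   # SameSite support needs Python 3.8 or later
    morsel["path"] = "/"
    morsel["max-age"] = max_age      # short lifetime limits the value of a stolen cookie
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the protective attributes missing from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [name for name, key in (("HttpOnly", "httponly"), ("Secure", "secure"),
                                   ("SameSite", "samesite")) if key not in attrs]


if __name__ == "__main__":
    hardened = session_cookie_header("opaque-token-value")
    weak = "sessionid=opaque-token-value; Path=/"   # constructed weak header for comparison
    print(hardened)
    print("missing from weak header:", audit_set_cookie(weak))
```

`audit_set_cookie` is the kind of check an assessment runs against every `Set-Cookie` an application emits; the same logic can be applied to captured response headers in a test suite so that a regression that drops one of the flags fails the build.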

For JWTs, use strong signing algorithms, set reasonable expiration times, and implement token rotation for long-lived sessions. Maintain a server-side token revocation capability so you can invalidate compromised tokens immediately.

Regular web application penetration testing exercises your token handling against real-world attack techniques. Testers attempt to steal, forge, and replay tokens to identify weaknesses in your implementation.

Incident Detection and Response

Monitor for concurrent sessions from different locations, which can indicate token theft. Implement device fingerprinting to detect when a session token is used from an unfamiliar environment. And provide users with active session management so they can see and revoke their own sessions.
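The following added example (not code from the original article) shows the two detection signals above applied to a constructed set of session activity records: a session used from two different countries within a short window, and a session used from a device fingerprint other than the one it started with. The record format, the countries and the fingerprint hashes are all constructed for the example; a real deployment would derive the country from a GeoIP lookup and the fingerprint from client attributes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of per-request session activity.
# Fields: timestamp, session id, source country, device fingerprint hash.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-05-01T10:00:00", "sess-A", "GB", "fp-1111"),
    ("2024-05-01T10:02:00", "sess-A", "GB", "fp-1111"),
    ("2024-05-01T10:03:30", "sess-A", "BR", "fp-9999"),  # same token, new country and device
    ("2024-05-01T10:05:00", "sess-B", "GB", "fp-2222"),
    ("2024-05-01T14:00:00", "sess-B", "GB", "fp-2222"),
    ("2024-05-01T10:06:00", "sess-C", "DE", "fp-3333"),
    ("2024-05-01T12:30:00", "sess-C", "FR", "fp-3333"),  # country change, same device, 2.5h apart
]


def find_suspicious_sessions(events, window: timedelta = timedelta(hours=1)) -> Dict[str, List[str]]:
    """Flag a session when it is used from two countries within `window`
    (concurrent-location signal) or from a fingerprint other than the one seen
    at the start of the session (unfamiliar-device signal).
    Returns {session_id: [reasons]} for flagged sessions only."""
    by_session = defaultdict(list)
    for ts, sid, country, fp in events:
        by_session[sid].append((datetime.fromisoformat(ts), country, fp))

    findings: Dict[str, List[str]] = {}
    for sid, rows in by_session.items():
        rows.sort()                      # chronological order
        reasons: List[str] = []
        first_fp = rows[0][2]
        for i, (ts, country, fp) in enumerate(rows):
            if fp != first_fp and "unfamiliar_device" not in reasons:
                reasons.append("unfamiliar_device")
            # Compare against every earlier request in the same session.
            for prev_ts, prev_country, _ in rows[:i]:
                if prev_country != country and ts - prev_ts <= window:
                    if "concurrent_locations" not in reasons:
                        reasons.append("concurrent_locations")
                    break
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"{sid}: {', '.join(reasons)}")
```

The window is the tuning knob: with the default of one hour, `sess-C` (Germany, then France two and a half hours later) is not flagged, which is the right call for a travelling user; widening the window to three hours flags it. A flagged session is a candidate for forced re-authentication and for surfacing in the user's own session list so they can revoke it.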

If you’re unsure how your application handles session security, getting a penetration test quote for a focused web application assessment will identify the specific risks in your implementation.
