Security Optimization of JSON Web Token (JWT) Authentication in Laravel Framework Against Cross Site Scripting (XSS) Threats
DOI: https://doi.org/10.34010/incitest.v1i.831

Keywords: JWT, Authentication, XSS, Token Binding, Refresh Token

Abstract
This research aims to optimize the security of the Laravel JWT authentication library created by tymondesign. The security improvement focuses on complying with RFC 6749 by using distinct tokens for access and refresh, and on mitigating Cross-Site Scripting (XSS) attacks by preventing stolen access tokens from being reused in an attacker’s browser. The approach is to separate the access token and refresh token in accordance with OAuth 2.0 as defined by RFC 6749, and to perform token binding on the access token through an access token verifier stored in an HttpOnly cookie. This verifier is used to confirm that the access token being sent comes from the same browser it was issued to. The access token verifier stored in the HttpOnly cookie cannot be stolen via XSS attacks because HttpOnly cookies cannot be read by JavaScript. In this way, the access token remains secure, and even if stolen, it cannot be used because the attacker does not possess the access token verifier. The research was conducted using the Waterfall methodology with a proof-of-concept implementation and comparative testing against the original tymondesign/jwt-auth library. The results show that the proposed approach successfully mitigates the reuse of stolen access tokens in an attacker’s browser and prevents stolen access tokens from being used multiple times to refresh tokens, because the new approach uses separate access and refresh tokens stored in HttpOnly cookies. This improvement contributes to more secure JWT authentication practices in RESTful APIs and provides insight for enhancing web security against XSS attacks.
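The token-binding scheme the abstract describes, as an added framework-agnostic example (not the paper's Laravel code nor tymondesign/jwt-auth): the server issues a random verifier for the HttpOnly cookie, embeds its SHA-256 hash in the access token as a constructed `atv` claim, and accepts a request only when the presented cookie hashes to that claim. The signing key, claim names and lifetimes are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional, Tuple

SERVER_KEY = b"constructed-demo-signing-key"  # constructed for the demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT so the example runs without a JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None


def issue_tokens(user_id: str) -> Tuple[str, str, str]:
    """Login: separate access and refresh tokens plus the cookie verifier.
    The verifier goes only into an HttpOnly cookie; its hash binds the access token."""
    verifier = secrets.token_urlsafe(32)
    binding = hashlib.sha256(verifier.encode()).hexdigest()
    now = int(time.time())
    access = sign_jwt({"sub": user_id, "use": "access", "atv": binding, "exp": now + 900})
    refresh = sign_jwt({"sub": user_id, "use": "refresh", "exp": now + 7 * 86400})
    return access, refresh, verifier


def check_access(access_token: str, verifier_cookie: Optional[str]) -> bool:
    """Accept the access token only with the matching HttpOnly verifier cookie."""
    claims = verify_jwt(access_token)
    if not claims or claims.get("use") != "access" or claims.get("exp", 0) < time.time():
        return False
    if verifier_cookie is None:  # token replayed from a browser without the cookie
        return False
    presented = hashlib.sha256(verifier_cookie.encode()).hexdigest()
    return hmac.compare_digest(presented, claims.get("atv", ""))
```

A stolen access token presented without the cookie, or with a guessed verifier, fails the binding check even though its signature is valid; a refresh token is rejected at the access endpoint because of the `use` claim.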