Problem
If the dashboard stores the GitHub OAuth access token or personal access token in localStorage, it is accessible to any JavaScript running on the same origin, including third-party scripts, browser extensions, and any XSS payload. This allows a successful XSS attack to silently exfiltrate the token and gain full access to the user's GitHub account with the granted scopes.
Steps to Reproduce
- Authenticate with GitHub
- Open the browser console and run: localStorage.getItem("gh_token") (or check all localStorage keys for any token-like value)
- If a token is found, confirm it is a valid GitHub token by calling https://api.github.com/user with it as a Bearer token
Proposed Fix
- Store tokens exclusively in HTTP-only, Secure, SameSite=Strict cookies set by the server. These are invisible to JavaScript and safe from XSS exfiltration
- If client-side token storage is required, use sessionStorage with a short expiry and rotate tokens frequently
- Audit all localStorage.setItem() calls to confirm no sensitive values are stored there
Complexity: Level 3 | Program: GSSOC '26