Leakage of sensitive data in JWT

  • Rule ID: javascript_lang_jwt
  • Languages: javascript
  • Source: jwt.yml

Description

Storing sensitive data in a JWT exposes it to anyone who can obtain the token. A JWT is designed to carry claims between parties with an integrity guarantee (the signature lets the recipient detect tampering), but the payload is only base64url-encoded, not encrypted: browser storage, proxy and access logs, and anyone who intercepts or is handed the token can decode every claim without knowing the signing secret. A JWT is therefore not a secure place to store sensitive information.

Remediations

  • Do not include sensitive data, such as email addresses, in JWT claims. Any party holding the token can decode the payload and read the personal information without the signing secret.
    const jwt = require('jsonwebtoken');
    // unsafe: the email is readable by anyone who obtains the token;
    // secret is the HMAC key (or private key) used to sign the token
    const token = jwt.sign({ user: { email: 'john@gmail.com' } }, secret);
  • Do use non-sensitive, opaque identifiers such as the user's UUID in JWTs, and resolve the user's details server-side from that identifier.
    const jwt = require('jsonwebtoken');
    // safe: the token carries only an opaque reference, looked up server-side
    const token = jwt.sign({ user: user.uuid }, secret);

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_jwt

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_jwt