Leakage of sensitive data in JWT

• Rule ID: javascript_lang_jwt
• Languages: javascript
• Source: jwt.yml

Description

JWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.

Remediations

❌ Avoid storing sensitive data in JWTs:

  const jwt = require('jsonwebtoken');
  const token = jwt.sign({ user: { email: 'jhon@gmail.com' }});

✅ If you need to store user's information, use their unique database identifier instead of personal identifiable information:

  const jwt = require('jsonwebtoken');
  const token = jwt.sign({ user: user.uuid });

Resources

• OWASP sensitive data exposure

Associated CWE

• CWE-312: Cleartext Storage of Sensitive Information

OWASP Top 10

• A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_jwt

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_jwt