Leakage of sensitive data in JWT

  • Rule ID: php_lang_jwt
  • Languages: php
  • Source: jwt.yml

Description

Sensitive data placed in a JWT payload is exposed to anyone who obtains the token. A standard signed JWT (JWS) protects the integrity of its claims, not their confidentiality: the payload is only base64url-encoded and can be read without the signing key, so anything in it should be treated as public to the token holder and to anyone who intercepts or logs the token. Guard against including sensitive data in a JWT payload.

Remediations

  • Do not include sensitive data such as email addresses or other personally identifiable information (PII) in JWT payloads. The payload is readable by anyone holding the token, so this leaks the data to any party that obtains it.
    $payload = [
        'data' => 'data',
        'email' => $user->email,
    ];
    $jwt = JWT::encode($payload, $key, 'HS256'); // unsafe: the email is readable from the token without the key
  • Do use non-sensitive, unique identifiers such as the user's UUID in JWT payloads. The server resolves the UUID to the user record, so the token still identifies the user while exposing nothing about them.
    $payload = [
        'data' => 'data',
        'uuid' => $user->uuid,
    ];
    $jwt = JWT::encode($payload, $key, 'HS256');
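The following added example (not Bearer's code and not the Firebase\JWT library) shows why the first payload above is unsafe and the second is not: it hand-rolls a minimal HS256 signer so the script runs without composer, decodes the payload of each token with no key at all, and adds a small pre-encode guard that rejects sensitive claim names. The secret, the user record and the list of sensitive claim names are constructed for the demonstration.

```php
<?php
// Added example: demonstrates that a signed JWT payload is readable without the key.
// jwt_hs256_encode() is a minimal stand-in for JWT::encode($payload, $key, 'HS256')
// written here so the script runs stand-alone; it is not the php-jwt library.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    // base64_decode() in non-strict mode tolerates the missing '=' padding.
    return base64_decode(strtr($data, '-_', '+/'));
}

function jwt_hs256_encode(array $payload, string $key): string
{
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];
    $segments = [
        base64url_encode(json_encode($header)),
        base64url_encode(json_encode($payload)),
    ];
    $signingInput = implode('.', $segments);
    // The signature binds header and payload; it does not hide them.
    $segments[] = base64url_encode(hash_hmac('sha256', $signingInput, $key, true));
    return implode('.', $segments);
}

// What any token holder can do: split on '.', base64url-decode the middle segment.
// No key and no signature verification are involved.
function jwt_read_payload_without_key(string $jwt): array
{
    [, $payloadB64] = explode('.', $jwt);
    return json_decode(base64url_decode($payloadB64), true);
}

// Constructed list of claim names that must never appear in a token payload.
const SENSITIVE_CLAIMS = ['email', 'phone', 'ssn', 'password', 'address', 'dob'];

// Guard to call before encoding: refuses payloads carrying PII claims.
function assert_no_sensitive_claims(array $payload): void
{
    $leaked = array_intersect(array_map('strtolower', array_keys($payload)), SENSITIVE_CLAIMS);
    if ($leaked !== []) {
        throw new InvalidArgumentException(
            'Refusing to put sensitive claims in a JWT: ' . implode(', ', $leaked)
        );
    }
}

$key = 'constructed-demo-secret';   // constructed; use a random, high-entropy key in real code
$user = (object) [                  // constructed sample user
    'email' => 'alice@example.com',
    'uuid'  => 'b2a7f6c0-5d3e-4c9a-9e2b-1f0c8d7a6e54',
];

// Unsafe payload from the first remediation bullet: the email is recoverable from the token.
$unsafe = jwt_hs256_encode(['data' => 'data', 'email' => $user->email], $key);
print_r(jwt_read_payload_without_key($unsafe));

// Safe payload from the second bullet: only an opaque identifier is exposed.
$safePayload = ['data' => 'data', 'uuid' => $user->uuid];
assert_no_sensitive_claims($safePayload);
$safe = jwt_hs256_encode($safePayload, $key);
print_r(jwt_read_payload_without_key($safe));

// The guard catches the unsafe payload before a token is ever issued.
try {
    assert_no_sensitive_claims(['data' => 'data', 'email' => $user->email]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php leak.php`; the first print_r shows the email in clear, the second shows only the UUID, and the final line is the guard's rejection message. The guard is a coarse allow/deny on claim names and is meant to complement, not replace, the static check this rule performs. If a token genuinely must carry confidential claims, the fix is encryption (JWE), not a signed JWS with the data in the payload.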

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_jwt

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_jwt