Leakage of sensitive data in JWT

  • Rule ID: ruby_lang_jwt
  • Languages: ruby
  • Source: jwt.yml

Description

Storing sensitive data in JWTs exposes it to potential security risks. JWTs are designed to carry signed claims between parties, not to keep information confidential: the payload of a standard signed JWT is only base64url-encoded, so anyone who holds the token can read it without knowing the signing secret. Guard against including sensitive data in a JWT payload.

Remediations

  • Do not include sensitive data, such as email addresses or personal information, in JWT payloads. Anyone holding the token can decode the payload and read this data.
    require 'jwt'

    payload = { data: 'data', email: user.email } # unsafe: email is readable by any token holder
    token = JWT.encode payload, hmac_secret, 'HS256'
  • Do use non-sensitive, unique identifiers, like a user's database UUID, in JWT payloads. This approach minimizes the risk of sensitive data exposure.
    require 'jwt'

    payload = { data: 'data', user_id: user.uuid } # safe: an opaque identifier, looked up server-side
    token = JWT.encode payload, hmac_secret, 'HS256'
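To show why the rule matters, the following added example (not part of the Bearer rule or the jwt gem) builds an HS256 token with only the Ruby standard library, then reads the payload back without the secret and reports which of a constructed list of sensitive claim names it exposes; the secret, claim list and sample values are all assumptions.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Minimal HS256 JWT encoder on the standard library only (constructed for
# this example; the wire format matches what JWT.encode produces).
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def encode_hs256(payload, secret)
  header = { alg: 'HS256', typ: 'JWT' }
  signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# What any holder of the token can read WITHOUT the secret: the payload
# segment is base64url-encoded JSON, not ciphertext.
def peek_claims(token)
  JSON.parse(Base64.urlsafe_decode64(token.split('.')[1]))
end

# Constructed denylist of claim names that should never travel in a JWT.
SENSITIVE_CLAIMS = %w[email phone ssn password address name].freeze

# Returns the sensitive claim names present in the payload, so a unit test
# or CI check can fail before such a token is issued.
def leaked_claims(token)
  peek_claims(token).keys & SENSITIVE_CLAIMS
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'
  unsafe = encode_hs256({ data: 'data', email: 'alice@example.com' }, secret)
  safe   = encode_hs256({ data: 'data', user_id: 'c5a1-constructed-uuid' }, secret)
  puts "unsafe token exposes: #{leaked_claims(unsafe).inspect}"
  puts "safe token exposes:   #{leaked_claims(safe).inspect}"
end
```

The same `leaked_claims` check works on tokens produced by `JWT.encode`, since it only inspects the payload segment.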

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_jwt

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_lang_jwt