ajinabraham.njsscan.jwt.jwt_exposed_credentials.jwt_exposed_credentials
The password is exposed through the JWT payload. The payload is signed but not encrypted, so anyone holding the token can read it and the password could be compromised. Do not store passwords in JWT tokens.
# Semgrep rule: flags a password placed in a JWT payload that is signed with
# the `jose` library's `JWT.sign` (reached via `var { JWT } = require("jose")`).
# A signed JWS payload is not encrypted, so anything put in it is readable by
# whoever holds the token (CWE-522, insufficiently protected credentials).
rules:
  - id: jwt_exposed_credentials
    patterns:
      # Every alternative below starts from the same import shape: CommonJS
      # `require("jose")` followed by destructuring `JWT`, then a later
      # `JWT.sign(...)` on a payload that carries a `password` key.
      # NOTE(review): only this one import style and only the literal key
      # name `password` are matched; ESM `import`, other JWT libraries and
      # other spellings (`passwd`, `pwd`, ...) are not covered as written.
      - pattern-either:
          # --- flat `password` key, payload written inline ---
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign({password:...},...)
          # NOTE(review): every other shape below comes in both a `var $T = ...`
          # and a bare `$T = ...` variant, but the inline literal above has only
          # the bare one. Confirm whether `$T = ...` also matches a declaration
          # in Semgrep's JavaScript matcher; if not, a
          # `var $T = JWT.sign({password:...},...)` sibling is missing.
          # --- flat `password` key, payload held in a variable first ---
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {password:...};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {password:...};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {password:...};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {password:...};
              ...
              $T = JWT.sign($P,...)
          # --- flat `password` key added by property assignment ---
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.password = ...;
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.password = ...;
              ...
              $T = JWT.sign($P,...)
          # --- flat `password` key merged in through Object.assign ---
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{password:...},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{password:...},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{password:...},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{password:...},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign(Object.assign(...,{password:...},...),...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign(Object.assign(...,{password:...},...),...)
          # --- `password` nested one level down ({$U: {password: ...}}) ---
          # Same four construction shapes as above, one nesting level deeper.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign({$U:{password:...}},...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign({$U:{password:...}},...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {$U:{password:...}};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {$U:{password:...}};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {$U:{password:...}};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {$U:{password:...}};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.$U.password = ...;
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.$U.password = ...;
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{$U:{password:...}},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{$U:{password:...}},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{$U:{password:...}},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{$U:{password:...}},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...)
    # Credential leakage into a bearer token is a hard finding, hence ERROR.
    severity: ERROR
    languages:
      - javascript
    metadata:
      # CWE-522: Insufficiently Protected Credentials.
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    message: Password is exposed through JWT token payload. This is not encrypted
      and the password could be compromised. Do not store passwords in JWT
      tokens.
Short Link: https://sg.run/ZZJo