ajinabraham.njsscan.jwt_exposed_credentials.jwt_exposed_credentials

A password is placed in the payload of a JWT produced with `jose`'s `JWT.sign`. Signing (JWS) only protects the token's integrity: the payload is base64url-encoded, not encrypted, so anyone who can see the token — the client, browser storage, logs, proxies — can read the password. Do not store passwords in JWT tokens; verify the password once, issue a token that carries only an identity or session claim, and keep passwords server-side solely as salted hashes.
Definition
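# njsscan rule: jwt_exposed_credentials
#
# Flags `JWT.sign(...)` calls from the `jose` package whose payload carries a
# `password` key.  A JWS-signed JWT only protects the payload's integrity: the
# claims are base64url-encoded, not encrypted, so anyone who can see the token
# (the client, browser storage, logs, proxies) can read the password.  The fix
# is to verify the password once, issue a token that carries only an identity
# or session claim, and keep passwords server-side as salted hashes.
#
# Shape of every alternative: the same prologue — `$JOSE = require("jose")` and,
# after any statements, `var { JWT } = $JOSE;` — followed by one way of getting
# `password` into the payload handed to `JWT.sign`: an inline object literal, a
# variable initialised with a literal, a `.password` property assignment, or an
# `Object.assign` merge; each at the top level or nested one level deep under an
# arbitrary key (`{$U: {password: ...}}`).
#
# Coverage limits a reviewer should know about (all visible from the patterns):
#   * only the literal key `password` is matched; `passwd`, `pwd`, `pass`,
#     `secret`, ... are not.
#   * nesting is matched one level deep at most (`$P.$U.password`), not deeper.
#   * the signed token must be captured by an assignment (`$T = ...` or
#     `var $T = ...`); `return JWT.sign(...)` or `JWT.sign(...)` passed directly
#     as a call argument does not appear to be covered.
#   * NOTE(review): `const`/`let` destructuring and ESM `import { JWT } from "jose"`
#     are only matched if the Semgrep version in use applies its JavaScript
#     `var`/`let`/`const` and `require`/`import` equivalences — verify.
#   * NOTE(review): the `{ JWT } = require("jose")` / `JWT.sign` API belongs to
#     older jose releases; presumably the current package's `SignJWT` API needs
#     companion patterns if it should be covered as well — confirm.
#   * NOTE(review): `languages` lists only `javascript`; Semgrep selects files by
#     this list, so add `typescript` if `.ts` sources should be scanned too.
rules:
  - id: jwt_exposed_credentials
    patterns:
      - pattern-either:
          # ---- top-level `password` key -----------------------------------
          # Inline payload literal.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign({password:...},...)
          # `var $T = ...` twin of the alternative above.  Every other payload
          # shape in this rule is listed in both the `$T =` and `var $T =` forms
          # (the nested inline literal included), so the rule plainly does not
          # rely on Semgrep treating the two as one; this twin was missing, so
          # `var token = JWT.sign({password: ...})` would likely have been skipped.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign({password:...},...)
          # Payload variable initialised with a literal: `var`/plain assignment
          # of the payload x `var`/plain assignment of the token.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {password:...};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {password:...};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {password:...};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {password:...};
              ...
              $T = JWT.sign($P,...)
          # `password` attached to the payload object by property assignment.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.password = ...;
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.password = ...;
              ...
              $T = JWT.sign($P,...)
          # Payload built with `Object.assign(...)` where one of the merged
          # sources is a literal containing `password`.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{password:...},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{password:...},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{password:...},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{password:...},...)
              ...
              $T = JWT.sign($P,...)
          # `Object.assign(...)` merged inline in the `JWT.sign` argument.
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign(Object.assign(...,{password:...},...),...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign(Object.assign(...,{password:...},...),...)
          # ---- `password` nested one level under any key `$U` ---------------
          # Same progression as above: inline literal, payload variable,
          # property assignment, `Object.assign` (stored and inline).
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign({$U:{password:...}},...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign({$U:{password:...}},...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {$U:{password:...}};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = {$U:{password:...}};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {$U:{password:...}};
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = {$U:{password:...}};
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.$U.password = ...;
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P.$U.password = ...;
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{$U:{password:...}},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $P = Object.assign(...,{$U:{password:...}},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{$U:{password:...}},...)
              ...
              var $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $P = Object.assign(...,{$U:{password:...}},...)
              ...
              $T = JWT.sign($P,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              var $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWT } = $JOSE;
              ...
              $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...)
    # A credential in a token is a hard finding, not a hint; hence ERROR.
    severity: ERROR
    languages:
      - javascript
    metadata:
      # CWE-522: Insufficiently Protected Credentials.
      cwe: cwe-522
      # OWASP Top 10 (2017) A2: Broken Authentication.
      owasp-web: a2
      license: LGPL-3.0-or-later
    message: Password is exposed through JWT token payload. This is not encrypted
      and the password could be compromised. Do not store passwords in JWT
      tokens.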