generic.secrets.security.detected-jwt-token.detected-jwt-token
Author: semgrep
JWT token detected
Definition
rules:
  - id: detected-jwt-token
    pattern-regex: eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*?
    languages:
      - regex
    message: JWT token detected
    severity: ERROR
    metadata:
      source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py
      category: security
      technology:
        - secrets
        - jwt
      confidence: LOW
      references:
        - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      cwe:
        - "CWE-321: Use of Hard-coded Cryptographic Key"
      owasp:
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
detected-jwt-token.txt
# 0) valid jwt
# ruleid: detected-jwt-token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
# 1) valid jwt - but header contains CR/LF-s
# ruleid: detected-jwt-token
eyJ0eXAiOiJKV1QiLA0KImFsZyI6IkhTMjU2In0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
# 2) valid jwt - but claims contain bunch of LF newlines
# ruleid: detected-jwt-token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiSm9lIiwKInN0YXR1cyI6ImVtcGxveWVlIgp9
# 3) valid jwt - claims contain strings with unicode accents
# ruleid: detected-jwt-token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IsWww6HFkcOtIMOWxZHDqcOoIiwiaWF0IjoxNTE2MjM5MDIyfQ.k5HibI_uLn_RTuPcaCNkaVaQH2y5q6GvJg8GPpGMRwQ
# 4) no signature - but still valid
# ruleid: detected-jwt-token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
# 5) Not a JWT token, but was matching against an earlier rule
# ok: detected-jwt-token
foreignKeyJsonObject.get(
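To see what the pattern in the definition actually matches, and how to triage a hit given the rule's LOW confidence, here is an added Python example. It is not part of the rule, of Semgrep, or of the detect-secrets plugin it was ported from. It runs the rule's regex (copied verbatim) over a few constructed lines, two of which reuse tokens 0 and 4 from the test file above, then base64url-decodes the header and claims to confirm the hit really is a JWT rather than any base64-encoded JSON (every base64 string of a JSON object begins with `eyJ`, which is the main source of false positives). One caveat the code surfaces: the pattern ends in a lazy `*?`, so the matched text stops at the dot before the signature. Detection is unaffected, but anything that reads the match text back for triage must re-read the full dotted token from the match start, which is what the hypothetical `FULL_TOKEN`, `triage` and `scan` helpers below do.

```python
import base64
import json
import re

# Regex copied verbatim from the rule definition above.
RULE_PATTERN = re.compile(
    r"eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*?"
)

# Helper regex of this example (not in the rule): the rule's trailing "*?" is
# lazy and sits at the end of the pattern, so its match text ends at the dot
# before the signature. We re-read the whole dotted token from the match start.
FULL_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_.+/=-]*)?")

# Token 0 from the rule's test file; token 4 is the same token without its signature.
TOKEN0 = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
TOKEN4 = TOKEN0.rsplit(".", 1)[0]


def b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment (used to build a decoy)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment; JWS segments omit base64 padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed decoy: two base64url JSON objects joined by a dot. It matches the
# rule's regex but has no "alg" header, so it is not a JWT.
NOT_A_JWT = b64url_encode({"foo": "bar", "baz": 1}) + "." + b64url_encode({"qux": "quux", "a": 1})

# Constructed sample input: the third line is the rule's own negative test case.
SAMPLE = "\n".join([
    "Authorization: Bearer " + TOKEN0,
    "token = " + TOKEN4,
    "foreignKeyJsonObject.get(",
    "blob = " + NOT_A_JWT,
])


def triage(token: str):
    """Return a summary dict if the token parses as a JWT (JOSE header with alg), else None."""
    parts = token.split(".")
    if len(parts) not in (2, 3):
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return {
        "alg": header["alg"],
        "claims": claims,
        "signed": len(parts) == 3 and parts[2] != "",
    }


def scan(text: str):
    """Run the rule's regex over each line and attach a triage verdict to every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RULE_PATTERN.finditer(line):
            full = FULL_TOKEN.match(line, m.start())
            token = full.group(0) if full else m.group(0)
            findings.append({"line": lineno, "token": token, "jwt": triage(token)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        verdict = "not a JWT" if f["jwt"] is None else (
            f"alg={f['jwt']['alg']} signed={f['jwt']['signed']} claims={f['jwt']['claims']}"
        )
        print(f"line {f['line']}: {verdict}")
```

Running it reports three hits: the signed token, the unsigned token, and the decoy, with the decoy marked as not a JWT because its header has no `alg`. Line 3 produces no hit, matching the `# ok` annotation in the test file. This is the check to run before filing a hardcoded-secret finding from this rule: the regex alone cannot tell a JWT from any other dotted base64 JSON, and the match text it yields is missing the signature.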
Short Link: https://sg.run/05N5