javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data

profile photo of returntocorpreturntocorp
Author
3,440
Download Count*

The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.

Run Locally

Run in CI

Defintion

rules:
  - id: jwt-exposed-data
    message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that
      sensitive information is not exposed through JWT token payload.
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.3 Insecue Stateless Session Tokens
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          $JWT = require('jsonwebtoken');
          ...
      - pattern-either:
          - pattern-inside: function (...,$INPUT,...) {...}
          - pattern-inside: function $F(...,$INPUT,...) {...}
      - pattern: $JWT.sign($INPUT,...)

Examples

jwt-exposed-data.js

const jwt = require('jsonwebtoken')

User.findOne({name: req.body.name}, function(err, user){
    // ruleid: jwt-exposed-data
    var token = jwt.sign(user, key, {expiresIn: 60*60*10});
    res.json({
        success: true,
        message: 'Enjoy your token!',
        token: token
    });
});

User.findOne({name: req.body.name}, function(err, user){
    // ok: jwt-exposed-data
    const {name, email} = user
    var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
    return token;
});

User.findOne({name: req.body.name}, function(err, user){
    // ok: jwt-exposed-data
    const {name, email} = user
    var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
    return token;
});