JWT Sensitive Data Disclosure

Description

A JWT Sensitive Data Disclosure vulnerability occurs when sensitive information, such as user credentials, is stored in a JWT payload without proper encryption. A standard JWS token's payload is only base64url-encoded, so anyone who obtains the token can read its claims without knowing the signing key. To mitigate this, avoid storing sensitive data in JWTs, encrypt sensitive data before embedding it, use HTTPS for transmission, limit token lifetimes, implement access controls, and conduct regular security audits.

Remediation

Remove or avoid storing sensitive information (e.g., passwords, personal data) in the JWT payload. If such data must be carried in the token, encrypt or hash the sensitive fields before embedding them. Always transmit JWTs over HTTPS to prevent interception, and enforce short-lived expiry times combined with strict reissuance policies. Implement robust access controls on all endpoints, and regularly audit logs to detect anomalies or unauthorized token usage. Keep token generation and parsing libraries up to date, and follow best practices for cryptographic key management to minimize the risk of exposure.
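The following added example (not part of the original page) shows why the payload is readable to anyone holding the token, and a small audit check a defender can run over issued tokens to flag sensitive claims. The signing key, the claim list and the sample payloads are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Claim names treated as sensitive by this audit check (constructed list;
# extend it to match your own claim schema).
SENSITIVE_CLAIMS = {"password", "passwd", "secret", "ssn", "credit_card", "api_key"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Build a signed (HS256) but unencrypted JWS token, as most APIs issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    # The signature protects integrity only. The payload is plain base64url,
    # so the claims are readable without the signing key.
    return json.loads(b64url_decode(token.split(".")[1]))


def find_sensitive_claims(token: str) -> list:
    """Audit helper: return sensitive claim names present in a token's payload."""
    payload = read_payload_without_key(token)
    return sorted(c for c in payload if c.lower() in SENSITIVE_CLAIMS)


# Constructed samples: a leaky payload and the hardened equivalent that keeps
# only an identifier and an expiry, with sensitive data left server-side.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
LEAKY_TOKEN = make_hs256_jwt(
    {"sub": "alice", "password": "hunter2", "ssn": "000-00-0000", "exp": 1700000000}, SAMPLE_KEY)
SAFE_TOKEN = make_hs256_jwt({"sub": "alice", "exp": 1700000000}, SAMPLE_KEY)

if __name__ == "__main__":
    print("leaky token exposes:", find_sensitive_claims(LEAKY_TOKEN))  # ['password', 'ssn']
    print("hardened token exposes:", find_sensitive_claims(SAFE_TOKEN))  # []
```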

References

https://owasp.org/www-community/attacks/JSON_Web_Token_(JWT)_Security_Cheat_Sheet
https://auth0.com/docs/secure/tokens/json-web-tokens
https://owasp.org/www-community/attacks/Information_exposure

Severity

LOW

Owasp

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-311
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1

CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1