Sending JWT in URL Parameters

Description

Sending JWTs in URL parameters poses a security risk due to potential exposure in browser history, server logs, and referer headers. Attackers could intercept or access these URLs, compromising user authentication and sensitive data. It's recommended to use HTTP headers or secure cookies for JWT transmission to mitigate this vulnerability.

Remediation

Avoid passing JWTs in URL query parameters. Instead, store and transmit tokens in secure cookies (with HttpOnly and Secure flags) or include them in HTTP authorization headers. This reduces the risk of token leakage via server logs, browser history, and referer headers. Additionally, implement short-lived tokens, practice regular token revocation when feasible, and enforce strict HTTPS usage to protect tokens in transit. Conduct periodic reviews of application logs and user session flows to ensure no tokens are inadvertently exposed.
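Two of the remediation steps above (rejecting tokens carried in the query string at intake, and reviewing access logs for tokens that have already leaked) can be turned into checks. The code below is an added, stand-alone Python example, not part of the original entry; the access-log lines, the JWT and the header dictionary are constructed sample input, and the combined-log request-line format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A compact JWT is three base64url segments joined by dots. The first segment is
# the base64url-encoded JSON header, which always begins with '{"', so the
# literal prefix "eyJ" is a reliable marker for JWT-shaped values.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Request line inside a combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS) (\S+) HTTP/')

def jwt_params(url):
    """Names of the query parameters whose value looks like a JWT."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if JWT_RE.match(value)]

def scan_access_log(lines):
    """Return (line_number, parameter_names) for each log line whose request
    target carries a JWT in its query string. A hit means the token has already
    been written to disk, and most likely to browser history and Referer too."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m:
            names = jwt_params(m.group(1))
            if names:
                findings.append((lineno, names))
    return findings

def token_from_request(headers, url):
    """Server-side intake: accept the token only from the Authorization header.
    Returns (token, None) on success or (None, reason) when the request must be
    rejected; a JWT in the query string is a rejection, never a fallback."""
    if jwt_params(url):
        return None, "token passed in URL query; send it as Authorization: Bearer"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() == "bearer" and JWT_RE.match(token):
        return token, None
    return None, "missing or malformed Authorization header"

# Constructed sample data: header {"alg":"HS256","typ":"JWT"}, payload {"sub":"123"},
# a dummy signature, and two access-log lines (only the first leaks a token).
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/me?token=' + SAMPLE_JWT
    + '&page=2 HTTP/1.1" 200 512 "https://app.example/"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /api/me?page=3 HTTP/1.1" 200 512 "-"',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags line 1 with parameter `token`, while `token_from_request` accepts the same JWT only when it arrives as a Bearer header.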

References

https://owasp.org/www-community/attacks/Session_fixation
https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html

Severity

MEDIUM

OWASP

Code: A07:2021

Category: Identification and Authentication Failures

Classification

CWE: CWE-384

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 3.1 score: 5.4

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 4.0 score: 5.4