Python Sensitive Data In Payload
Description
Detects when sensitive information such as passwords, tokens, or private keys is encoded into JWT (JSON Web Token) payloads. Storing sensitive data in a JWT is dangerous because the payload of a signed token is only base64url-encoded, not encrypted: anyone who intercepts or otherwise obtains the token can decode its payload, potentially exposing confidential information to attackers.
Detection Strategy
• Check if the JWT library is imported in the Python code
• Look for calls to JWT encode functions (e.g. jwt.encode())
• Examine the payload data being passed to the encode function
• Report a vulnerability if sensitive data like passwords, private keys, or tokens are found in the JWT payload
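The four steps above, as an added stdlib-only checker that is not part of this page or of Fluid Attacks' tooling: it parses Python source with `ast`, confirms the `jwt` module is imported (honouring `import jwt as ...` aliases), finds `<jwt>.encode(...)` calls, and reports sensitive key names in a dict-literal payload. The sensitive-name list, the function name and the two sample snippets are constructed for this example.

```python
import ast

# Names the checker treats as sensitive (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "private_key", "api_key"}

def find_jwt_payload_leaks(source: str) -> list:
    # Return (line, key) pairs for sensitive keys found in jwt.encode() payload literals.
    tree = ast.parse(source)
    # Step 1: only analyse code that actually imports the jwt library (honouring aliases).
    jwt_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "jwt":
                    jwt_names.add(alias.asname or "jwt")
    if not jwt_names:
        return []
    findings = []
    # Step 2: locate calls of the form <jwt>.encode(payload, ...).
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "encode"
                and isinstance(func.value, ast.Name) and func.value.id in jwt_names):
            continue
        # Step 3: the payload is the first positional argument or the payload= keyword.
        payload = node.args[0] if node.args else None
        for kw in node.keywords:
            if kw.arg == "payload":
                payload = kw.value
        # Step 4: report sensitive keys when the payload is a dict literal we can inspect.
        if isinstance(payload, ast.Dict):
            for key in payload.keys:
                if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                        and key.value.lower() in SENSITIVE_KEYS:
                    findings.append((node.lineno, key.value))
    return findings

# Constructed sample inputs mirroring the page's vulnerable and secure examples.
VULNERABLE_SNIPPET = '''import jwt
def create_token(username, password):
    return jwt.encode({"username": username, "password": password}, "supersecret", algorithm="HS256")
'''
SECURE_SNIPPET = '''import jwt
def create_token(username, role):
    return jwt.encode({"username": username, "role": role}, "supersecret", algorithm="HS256")
'''
```

Payloads built dynamically (a dict variable or `**kwargs`) are not inspected by this literal-only check, which is exactly why the allowlist of fields shown in the secure example below is the safer design.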
Vulnerable code example
import jwt
from flask import Flask, request
app = Flask(__name__)
SECRET = "supersecret" # Hardcoded for example, use env vars in practice
@app.post("/jwt")
def create_token():...

✅ Secure code example
import os
import jwt
from flask import Flask, request, jsonify
app = Flask(__name__)
SECRET = os.environ.get("JWT_SECRET_KEY") # Get secret from environment variable
ALLOWED_FIELDS = {"username", "email", "role"} # Whitelist of allowed fields
...