TypeScript Sensitive Information in JWT
Description
This detector identifies when sensitive information is included in JWT (JSON Web Token) payloads in TypeScript code. A JWT is signed, not encrypted, by default: its payload is only base64url-encoded and can be decoded by anyone who holds the token, without the signing key. Including sensitive data such as passwords, API keys, or personal information in a JWT payload therefore creates a security risk where this data could be exposed to unauthorized parties.
Detection Strategy
• The detector triggers when the jsonwebtoken library's sign method is called in TypeScript code
• It checks if the first argument (payload) to jwt.sign() contains sensitive information
• The payload is analyzed to determine if it includes unsafe data such as passwords, secrets, or other sensitive fields
• A vulnerability is reported when sensitive data is detected being passed as the JWT payload to be signed
Vulnerable code example
import * as jwt from 'jsonwebtoken';
import * as express from 'express';
const app = express();
app.use(express.json());
// VULNERABLE: password included in JWT payload - exposes sensitive data
app.post('/login', (req: express.Request, res: express.Response) => {...
✅ Secure code example
import * as jwt from 'jsonwebtoken';
import * as express from 'express';
const app = express();
app.use(express.json());
// SECURE: only non-sensitive user identifier in JWT payload
app.post('/login', (req: express.Request, res: express.Response) => {...
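As an added example (not Fluid Attacks' detector code and not taken from the page's snippets), the following TypeScript shows why the finding matters and one way to guard against it: a minimal HS256 signer built on Node's crypto module stands in for jwt.sign, the payload is read back without the key, and a checked signer refuses payloads that carry sensitive fields. The sensitive-claim list and the user record are constructed for this example.

```typescript
import { createHmac } from 'crypto';

// Constructed list of claim names that must never appear in a JWT payload.
const SENSITIVE_CLAIMS = new Set(['password', 'passwordHash', 'secret', 'apiKey', 'ssn']);

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');

// Minimal HS256 signer standing in for jwt.sign so the example runs without jsonwebtoken.
function signHS256(payload: Record<string, unknown>, key: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', key).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Decodes the payload WITHOUT the signing key: anyone holding the token can do this.
function readPayloadWithoutKey(token: string): Record<string, unknown> {
  const body = token.split('.')[1];
  return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
}

// Names the sensitive fields present in a payload (the condition the detector reports).
function findSensitiveClaims(payload: Record<string, unknown>): string[] {
  return Object.keys(payload).filter((k) => SENSITIVE_CLAIMS.has(k));
}

// Guarded signer: refuses to mint a token whose payload carries sensitive fields.
function signChecked(payload: Record<string, unknown>, key: string): string {
  const leaks = findSensitiveClaims(payload);
  if (leaks.length > 0) {
    throw new Error(`refusing to sign JWT with sensitive claims: ${leaks.join(', ')}`);
  }
  return signHS256(payload, key);
}

// Safe pattern: build claims from an allowlist instead of spreading the whole user record.
function safeClaims(user: { id: string; role: string; password: string }): Record<string, unknown> {
  return { sub: user.id, role: user.role };
}

// Constructed user record and secret for the demonstration.
const demoUser = { id: 'u-42', role: 'user', password: 'hunter2' };
const vulnerableToken = signHS256({ ...demoUser }, 'demo-secret');
console.log('readable without key:', readPayloadWithoutKey(vulnerableToken));
console.log('secure payload:', readPayloadWithoutKey(signChecked(safeClaims(demoUser), 'demo-secret')));
```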