Config Files Hardcoded Secrets In Configs
Description
Detects hardcoded JWT tokens within configuration files. Having JWT tokens embedded in configuration files poses a security risk as these tokens could be exposed to unauthorized users and potentially used to gain unauthorized access to protected resources.
Detection Strategy
• Search through configuration files line by line
• Look for strings matching JWT token format (base64 encoded strings separated by periods)
• Validate each potential match to confirm it follows JWT structure
• Report vulnerability if valid JWT tokens are found hardcoded in the file
• Only process lines less than 1000 characters to avoid false positives on large encoded data
Vulnerable code example
<?xml version="1.0" encoding="UTF-8"?>
<con:soapui-project id="example-project" name="API Test">
<con:settings>
<con:setting id="auth-config">
<![CDATA[<xml-fragment>
<!-- Vulnerable: Hardcoded JWT bearer token exposed in plaintext -->
<con:entry key="Authorization" value="Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U"/>
</xml-fragment>]]>...✅ Secure code example
<?xml version="1.0" encoding="UTF-8"?>
<con:soapui-project id="example-project" name="API Test">
<con:settings>
<con:setting id="auth-config">
<![CDATA[<xml-fragment>
<!-- Secure: Using environment variable for JWT token instead of hardcoding -->
<con:entry key="Authorization" value="Bearer ${#Env#AUTH_TOKEN}"/>
</xml-fragment>]]>...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.