C Sharp Jwt Sensitive Information Exposure
Description
Detects when sensitive information may be exposed through insecure JWT token generation in C# applications. This vulnerability occurs when sensitive claims or data are included in JWT tokens without proper protection: a signed JWT payload is only base64url-encoded, not encrypted, so any party holding the token (client-side code included) can read those claims.
Detection Strategy
• Verifies that both System.Security.Claims and System.IdentityModel.Tokens.Jwt libraries are imported in the code
• Identifies calls to WriteToken() method that create JWT tokens
• Checks whether the JWT security token passed to WriteToken() is created with a potentially unsafe configuration or carries sensitive data in its claims
• Reports a vulnerability when WriteToken() is called with an unsafe JWT security token configuration
Vulnerable code example
using System.Security.Claims;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Http;
using System.Text;
public class JwtHandler
{...

✅ Secure code example
using System.Security.Claims;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Http;
using System.Text;
public class JwtHandler
{...
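The two snippets above are truncated, so the following is an added example written for this page (not Fluid Attacks' own rule code) that shows the pattern the rule looks for. It contrasts a token whose payload carries sensitive claims with one that carries only an opaque subject identifier, and adds a guard that rejects sensitive claim types before WriteToken() is reached. The signing key, issuer, audience, claim names and the JwtHandlerExample class are constructed placeholders for illustration.

```csharp
// Added example, not the rule's own snippet. Key, issuer, audience and the
// sensitive-claim list are constructed placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtHandlerExample
{
    // Placeholder key; in production load it from a secret store, never from source.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("PLACEHOLDER-KEY-at-least-32-bytes-long!!"));

    private static readonly SigningCredentials Creds =
        new SigningCredentials(Key, SecurityAlgorithms.HmacSha256);

    // Claim types that must never be placed in a JWT payload: the payload is only
    // base64url-encoded, so anyone holding the token can read it without the key.
    private static readonly HashSet<string> SensitiveClaimTypes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "password", "ssn", "credit_card", "api_key" };

    // Vulnerable pattern: the signature protects integrity, not confidentiality,
    // so the password and SSN below are exposed to every holder of the token.
    public static string CreateTokenVulnerable(string user, string password, string ssn)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user),
            new Claim("password", password), // readable by anyone holding the token
            new Claim("ssn", ssn),           // readable by anyone holding the token
        };
        var token = new JwtSecurityToken(
            issuer: "example-issuer",          // placeholder
            audience: "example-audience",      // placeholder
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: Creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Secure pattern: only an opaque subject id, a token id and a role go in the
    // payload; anything confidential is looked up server-side from the subject.
    public static string CreateTokenSecure(string userId, string role)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.Role, role),
        };
        AssertNoSensitiveClaims(claims);
        var token = new JwtSecurityToken(
            issuer: "example-issuer",          // placeholder
            audience: "example-audience",      // placeholder
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: Creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Guard to call (or unit-test) before WriteToken(): rejects any claim whose
    // type is on the sensitive list, mirroring the rule's detection strategy.
    public static void AssertNoSensitiveClaims(IEnumerable<Claim> claims)
    {
        var leaked = claims
            .Where(c => SensitiveClaimTypes.Contains(c.Type))
            .Select(c => c.Type)
            .ToList();
        if (leaked.Count > 0)
            throw new InvalidOperationException(
                "Sensitive claims in JWT payload: " + string.Join(", ", leaked));
    }

    // Defender's check: decodes the payload with no key at all, which is exactly
    // why sensitive claims must not be in it. Run it against tokens your service
    // issues to confirm nothing confidential is present.
    public static IDictionary<string, object> ReadPayloadWithoutKey(string jwt)
    {
        return new JwtSecurityTokenHandler().ReadJwtToken(jwt).Payload;
    }
}
```

Calling ReadPayloadWithoutKey on the output of CreateTokenVulnerable returns the password and SSN in clear text, while the output of CreateTokenSecure yields only sub, jti, role, iss, aud and exp. The AssertNoSensitiveClaims guard is the code-level counterpart of the rule: it keeps the unsafe configuration from ever reaching WriteToken().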