Scala Jwt Sensitive Information Exposure
Description
Detects potential exposure of sensitive information in JWT tokens created with common JWT libraries in Scala applications. The vulnerability occurs when sensitive data is embedded in JWT claims. A JWT's payload is only base64url-encoded, not encrypted, and signing the token does not hide its contents, so any client, proxy, or log that holds the token can read those claims, which leads to information disclosure.
Detection Strategy
• Check if any common JWT libraries are imported (pdi.jwt, com.auth0.jwt, or io.jsonwebtoken)
• Look for JWT token creation using Jwt.encode() method calls
• Examine the claims/payload passed to the encode method for sensitive information
• Report a vulnerability if the JWT payload contains sensitive data like passwords, keys, or credentials
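The following is an added, heuristic checker that mirrors the four detection steps above. It is not Fluid Attacks' analyzer or any library's code; the object name JwtSensitiveClaimsCheck, the regexes, the 15-line window, and the embedded sample source are all assumptions constructed for this illustration, and the list of claim names treated as sensitive is one reasonable choice rather than a standard.

```scala
import scala.util.matching.Regex

object JwtSensitiveClaimsCheck {
  // Step 1: the JWT libraries the rule recognises.
  private val jwtImports: Seq[String] = Seq("pdi.jwt", "com.auth0.jwt", "io.jsonwebtoken")

  // Step 2: the token-creation call the rule keys on.
  private val encodeCall: Regex = """\bJwt\.encode\(""".r

  // Steps 3 and 4: quoted claim names that carry credentials, whether written as
  // Json.obj("password" -> pwd) or as a raw JSON string {"password": ...}.
  // The name list is an assumption for this example.
  private val sensitiveKey: Regex =
    """"(?i:password|passwd|pwd|secret|api[_-]?key|private[_-]?key|credentials?)"\s*(->|:)""".r

  final case class Finding(encodeLine: Int, claimLine: Int, snippet: String)

  // Heuristic: the claim is usually built in the same method as the encode call,
  // so inspect the lines from the enclosing `def` (at most `window` lines up) to the call.
  def scan(source: String, window: Int = 15): Seq[Finding] = {
    if (!jwtImports.exists(lib => source.contains("import " + lib))) return Seq.empty
    val lines = source.linesIterator.toVector
    for {
      (line, idx) <- lines.zipWithIndex
      if encodeCall.findFirstIn(line).isDefined
      start = math.max(0, idx - window)
      from = (start to idx).reverse.find(i => lines(i).trim.startsWith("def ")).getOrElse(start)
      i <- from to idx
      if sensitiveKey.findFirstIn(lines(i)).isDefined
    } yield Finding(idx + 1, i + 1, lines(i).trim)
  }

  // Constructed sample input for the demo, not code from the page.
  val sampleSource: String =
    """import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
      |import play.api.libs.json.Json
      |
      |object JWTHandler {
      |  val secretKey = "secretKey123"
      |
      |  def createToken(username: String, password: String): String = {
      |    val claim = JwtClaim(Json.stringify(Json.obj(
      |      "username" -> username,
      |      "password" -> password
      |    )))
      |    Jwt.encode(claim, secretKey, JwtAlgorithm.HS256)
      |  }
      |
      |  def createSafeToken(username: String): String = {
      |    val claim = JwtClaim(Json.stringify(Json.obj("username" -> username)))
      |    Jwt.encode(claim, secretKey, JwtAlgorithm.HS256)
      |  }
      |}
      |""".stripMargin

  def main(args: Array[String]): Unit = {
    // Only createToken should be reported: the "password" claim on line 10 feeding
    // the Jwt.encode call on line 12. createSafeToken produces no finding.
    scan(sampleSource).foreach { f =>
      println(s"Jwt.encode at line ${f.encodeLine} uses sensitive claim from line ${f.claimLine}: ${f.snippet}")
    }
  }
}
```

The hard-coded `secretKey` in the sample deliberately does not trip the check: the rule is about data placed inside the claims, and `"secretKey123"` is never followed by `->` or `:`. A real analyzer would resolve the claim expression rather than scan a line window, but the window is enough to show the decision the rule makes.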
Vulnerable code example
import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
import play.api.mvc._
import play.api.libs.json.Json
object JWTHandler extends Controller {
  val secretKey = "secretKey123" // hard-coded signing secret
  def createToken(request: Request[AnyContent]): String = {...
✅ Secure code example
import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
import play.api.mvc._
import play.api.libs.json.Json
import java.time.Clock
object JWTHandler extends Controller {
  private val secretKey = System.getenv("JWT_SECRET_KEY") // Store secret in environment variable
  implicit val clock: Clock = Clock.systemUTC...
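Because both examples above are cut off before the claim is built, here is an added, complete illustration of the same point, written for this page rather than taken from Fluid Attacks or from jwt-scala. It assumes jwt-scala 5 or later (whose issuedNow and expiresIn helpers take an implicit Clock, as the secure example does) and Play JSON on the classpath; the object name JwtClaimsDemo, the method names, the environment-variable fallback, and the credentials "alice"/"hunter2" are constructed for the demo.

```scala
import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
import play.api.libs.json.Json
import java.nio.charset.StandardCharsets
import java.time.Clock
import java.util.Base64

object JwtClaimsDemo {
  implicit val clock: Clock = Clock.systemUTC

  // Signing secret from the environment; the fallback is a demo-only value (assumption).
  private val secretKey: String =
    sys.env.getOrElse("JWT_SECRET_KEY", "demo-only-secret-replace-me")

  // Vulnerable: the user's password is copied into the claims. Signing does not
  // hide it; the payload segment is only base64url-encoded.
  def createTokenVulnerable(username: String, password: String): String = {
    val claim = JwtClaim(
      content = Json.stringify(Json.obj("username" -> username, "password" -> password))
    ).issuedNow.expiresIn(3600)
    Jwt.encode(claim, secretKey, JwtAlgorithm.HS256)
  }

  // Hardened: only a subject and a role go into the token. Anything else the
  // server needs later is looked up server-side from the subject.
  def createTokenHardened(username: String, role: String): String = {
    val claim = JwtClaim(content = Json.stringify(Json.obj("role" -> role)))
      .about(username)
      .issuedNow
      .expiresIn(3600)
    Jwt.encode(claim, secretKey, JwtAlgorithm.HS256)
  }

  // What any holder of the token can do without the key: split on '.' and
  // base64url-decode the middle segment. java.util.Base64 accepts unpadded input.
  def readPayloadWithoutKey(token: String): String = {
    val payloadSegment = token.split('.')(1)
    new String(Base64.getUrlDecoder.decode(payloadSegment), StandardCharsets.UTF_8)
  }

  // Server side: checking the signature still needs the key and an explicit algorithm list.
  def verifiedSubject(token: String): Option[String] =
    Jwt.decode(token, secretKey, Seq(JwtAlgorithm.HS256)).toOption.flatMap(_.subject)

  def main(args: Array[String]): Unit = {
    val leaky = createTokenVulnerable("alice", "hunter2") // constructed demo credentials
    val safe  = createTokenHardened("alice", "reader")
    println("vulnerable payload as a client sees it: " + readPayloadWithoutKey(leaky))
    println("hardened payload as a client sees it:   " + readPayloadWithoutKey(safe))
    println("subject after signature verification:    " + verifiedSubject(safe))
  }
}
```

Running main prints the plaintext "password":"hunter2" from the vulnerable token without ever touching secretKey, while the hardened token exposes only the subject, role, iat and exp claims. Keep the algorithm list in Jwt.decode explicit: accepting whatever the token header names is a separate weakness from the one this rule detects.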