JWT Sensitive Information Analyzer

Configuration Name: JWTSensitiveInfo

Description

The JWTSensitiveInfo analyzer checks for sensitive information in the claims of a JSON Web Token (JWT) provided by an authorization plugin.

This analyzer examines JWTs found in requests (e.g., tokens provided by an authorization plugin) and inspects the keys and values of JWT claims for sensitive information. It makes no requests but runs on every operation in the sequence walk.

Detection Criteria

The JWTSensitiveInfo analyzer identifies sensitive information using predefined rules that match key and value patterns. The following types of data are checked:

  • Email Addresses
  • Credit Card Numbers
  • Social Security Numbers (SSN)
  • Employer Identification Numbers (EIN)
  • Vehicle Identification Numbers (VIN)
  • Geolocation Data (Latitude, Longitude)

Faults Reported

The JWTSensitiveInfo analyzer reports a finding when sensitive information is detected in JWT claims.

Fault Identifier: CWE-213
Title: Sensitive Information in JWT Claims
Summary: A JSON Web Token (JWT) is signed, but not encrypted. Values in the claims are visible to anyone with the JWT.
Solution: Sensitive information should not be stored in the claims. Use opaque identifiers (e.g., UUID) to identify a user, and keep sensitive information stored in the server-side application.
Severity: Medium

Rule Evaluation

The JWTSensitiveInfo analyzer inspects JWTs in every request. It does not modify requests or generate new ones but scans JWT claims for sensitive information.

  • If a JWT contains sensitive data in its keys or values, a finding is reported.
  • Findings are generated based on pattern-matching rules for sensitive data types such as email addresses, credit card numbers, SSNs, and geolocation data.
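The following is an added, stand-alone illustration of the kind of key/value pattern matching described above; it is not the analyzer's own code, and its rules, the throwaway signing key and the sample claims are constructed for the example. It decodes the payload of a compact JWS without verifying the signature (a read-only scan of what any holder of the token can see), walks the claims recursively, and reports a finding whenever a claim key looks like a sensitive field or a claim value matches an email, SSN, EIN, VIN, Luhn-valid card number or latitude/longitude pair.

```python
import base64
import hashlib
import hmac
import json
import re


def b64url_decode(segment: str) -> str:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)).decode()


def jwt_claims(token: str) -> dict:
    # Signature is deliberately NOT verified: the scan only reads the payload,
    # which is plaintext for anyone who holds the token.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


# Key-name heuristics (assumed for this example; a real rule set would be broader).
KEY_RULES = {
    "email": re.compile(r"e-?mail", re.I),
    "ssn": re.compile(r"^(ssn|social)", re.I),
    "credit_card": re.compile(r"^(card|pan|credit|cc)", re.I),
    "ein": re.compile(r"^(ein|employer)", re.I),
    "vin": re.compile(r"^vin$", re.I),
    "geolocation": re.compile(r"^(lat|latitude|lon|lng|longitude|geo|geolocation)$", re.I),
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EIN_RE = re.compile(r"^\d{2}-\d{7}$")
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")  # VINs never contain I, O or Q
COORD_RE = re.compile(r"^-?\d{1,2}(\.\d+)?,\s*-?\d{1,3}(\.\d+)?$")


def luhn_ok(digits: str) -> bool:
    # Luhn checksum: doubles every second digit from the right, subtracting 9 when over 9.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_card(text: str) -> bool:
    digits = re.sub(r"[ -]", "", text)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def _is_coord(text: str) -> bool:
    if not COORD_RE.match(text):
        return False
    lat, lon = (float(p) for p in text.split(","))
    return -90 <= lat <= 90 and -180 <= lon <= 180


VALUE_RULES = {
    "email": lambda t: bool(EMAIL_RE.match(t)),
    "ssn": lambda t: bool(SSN_RE.match(t)),
    "ein": lambda t: bool(EIN_RE.match(t)),
    "vin": lambda t: bool(VIN_RE.match(t)),
    "credit_card": _is_card,
    "geolocation": _is_coord,
}


def _value_findings(loc: str, value) -> list:
    text = str(value)
    return [(kind, "value", loc) for kind, rule in VALUE_RULES.items() if rule(text)]


def scan_claims(claims: dict, path: str = "") -> list:
    # Returns (kind, "key"|"value", dotted-path) tuples; nested objects and arrays are walked.
    findings = []
    for key, value in claims.items():
        loc = f"{path}.{key}" if path else str(key)
        findings += [(kind, "key", loc) for kind, rule in KEY_RULES.items() if rule.search(str(key))]
        if isinstance(value, dict):
            findings += scan_claims(value, loc)
        elif isinstance(value, list):
            for i, item in enumerate(value):
                item_loc = f"{loc}[{i}]"
                findings += scan_claims(item, item_loc) if isinstance(item, dict) else _value_findings(item_loc, item)
        else:
            findings += _value_findings(loc, value)
    return findings


def scan_token(token: str) -> list:
    return scan_claims(jwt_claims(token))


def make_sample_token(claims: dict) -> str:
    # Constructed sample: HS256 with a throwaway key, only so the scan runs on a realistic compact JWS.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    sig = hmac.new(b"throwaway-demo-key", f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{enc(sig)}"


# Constructed claims chosen to trip several rules at once.
SAMPLE_CLAIMS = {
    "sub": "user-42",
    "email": "alice@example.com",
    "profile": {"ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    "geo": {"lat": 37.7749, "lng": -122.4194},
    "exp": 1700000000,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    for kind, where, loc in scan_token(SAMPLE_TOKEN):
        print(f"CWE-213 candidate: {kind} in claim {where} at '{loc}'")
```

A token that carries only an opaque subject, timestamps and a scope produces no findings, which is the state the remediation below aims for.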

Remediation Steps

To mitigate the risk of exposing sensitive information in JWT claims, implement the following remediation steps:

  1. Use Opaque Identifiers

    • Replace sensitive values with opaque identifiers (e.g., UUIDs) to reference user-related data without exposing it in JWTs.
    • Store actual sensitive information securely in the server-side application instead.
  2. Minimize JWT Claims

    • Only include necessary claims in JWTs. Avoid storing personal or sensitive information in JWT claims.
    • Follow the principle of least privilege—only expose data required for authentication or authorization.
  3. Encrypt JWTs (If Necessary)

    • If sensitive data must be included in JWTs, use encrypted JWTs (JWE format) instead of plain signed JWTs (JWS).
    • Ensure only authorized parties can decrypt the JWT and access the sensitive information.
  4. Monitor and Audit JWT Usage

    • Regularly audit JWTs used in the application to ensure they do not contain sensitive information.
    • Implement logging and monitoring to detect potential data exposure in JWT claims.
  5. Follow Security Best Practices

    • Use short expiration times for JWTs to limit the exposure window if a token is compromised.
    • Implement strict access controls to ensure JWTs are only accessible to authorized entities.
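As an added example of steps 1, 2, 4 and 5 together (not code from the analyzer or its vendor; the store, claim allowlist and 15-minute lifetime are assumptions for illustration), the snippet below contrasts a naive token that copies the whole user record into the claims with one that carries only an opaque UUID subject, timestamps and a scope, keeps the sensitive fields server-side, and includes a small audit helper that reports which record values leaked into a set of claims. Step 3 (JWE) is not shown; it needs a JOSE library.

```python
import time
import uuid
from typing import Optional

# Constructed server-side store: sensitive fields live here, keyed by opaque id, never in the token.
USER_STORE: dict = {}

# Step 2: the only claims a token is allowed to carry.
ALLOWED_CLAIMS = {"sub", "iat", "exp", "scope"}

# Step 5: short lifetime bounds the exposure window of a leaked token.
TOKEN_TTL_SECONDS = 15 * 60


def register_user(record: dict) -> str:
    # Step 1: the token will reference the user by an opaque UUID, not by email/SSN/card.
    opaque_id = str(uuid.uuid4())
    USER_STORE[opaque_id] = dict(record)
    return opaque_id


def naive_claims(record: dict, now: int) -> dict:
    # The anti-pattern the analyzer flags: the user record copied verbatim into the claims,
    # with a day-long lifetime on top.
    return {**record, "iat": now, "exp": now + 24 * 3600}


def build_claims(opaque_id: str, scope: str, now: Optional[int] = None) -> dict:
    # Hardened payload: opaque subject, timestamps and scope only; the allowlist is enforced,
    # so a later "helpful" addition of profile data fails loudly instead of shipping.
    now = int(time.time()) if now is None else now
    claims = {"sub": opaque_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS, "scope": scope}
    unexpected = set(claims) - ALLOWED_CLAIMS
    if unexpected:
        raise ValueError(f"claims not on the allowlist: {sorted(unexpected)}")
    return claims


def resolve_user(claims: dict) -> dict:
    # The server dereferences the opaque identifier; the sensitive fields never left the server.
    uuid.UUID(claims["sub"])  # rejects subjects that are not well-formed UUIDs
    return USER_STORE[claims["sub"]]


def leaked_fields(claims: dict, record: dict) -> set:
    # Step 4 audit helper: which of the record's values appear verbatim anywhere in the claims?
    claim_values = {str(v) for v in claims.values()}
    return {k for k, v in record.items() if str(v) in claim_values}


if __name__ == "__main__":
    record = {"email": "alice@example.com", "ssn": "123-45-6789"}  # constructed sample
    now = 1700000000
    print("naive leaks:", sorted(leaked_fields(naive_claims(record, now), record)))
    oid = register_user(record)
    hardened = build_claims(oid, "read", now)
    print("hardened leaks:", sorted(leaked_fields(hardened, record)), "claims:", hardened)
```

`leaked_fields` is a cheap check to run in a test suite or a token-issuing code path so that a regression which reintroduces personal data into the claims is caught before the analyzer does.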