logo

Information Disclosure - JWT in Browser localStorage

  • Risk:
  • Medium

  • Type:
  • Client Passive
Summary

JWT was stored in browser localStorage.

This is dangerous because data stored in localStorage does not expire. .

Solution

This is an informational alert and no action is necessary.

Other info
The following JWT was set: Key: key Header: {'alg': 'HS256', 'typ': 'JWT'} Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022} Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf Note that this alert will only be raised once for each URL + key.
References

https://www.zaproxy.org/blog/2020-09-03-zap-jwt-scanner/

Free security scan for your website