
Information Disclosure - JWT in Browser sessionStorage

  • Risk: Informational
  • Type: Client Passive

Summary

JWT was stored in browser sessionStorage.

This is not unusual or necessarily unsafe; this informational alert has been raised to help you get a better understanding of what this app is doing. For more details see the Client tabs. This information was set directly in the browser and will therefore not necessarily appear in this form in any HTTP(S) messages.

Solution

Store JWTs in sessionStorage instead of localStorage so that they are cleared when the page session ends.

Other info

The following JWT was set:

  • Key: key
  • Header: {'alg': 'HS256', 'typ': 'JWT'}
  • Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}
  • Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf

Note that this alert will only be raised once for each URL + key.

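As an added example (not ZAP's own scanner code), the following JavaScript does the same kind of check this passive rule performs: it walks a Storage-like object, picks out values shaped like a JWT, and decodes their header and payload without verifying the signature. The storage object and the token are constructed for the example (the token is built from the header and payload quoted above with a placeholder signature), and Node's Buffer stands in for the browser's base64 so it runs outside a page; in a browser the same function can be pointed at window.sessionStorage or window.localStorage.

```javascript
// Added example, not ZAP's code: report JWT-shaped values in a Storage-like object
// and decode header/payload (no signature check). Node Buffer does the base64.
const B64URL = /^[A-Za-z0-9_-]+$/;
// JWT segments are base64url without padding (RFC 7515, section 2).
function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
// Returns { header, payload, signature } if value parses as a JWT, else null.
function parseJwt(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split('.');
  if (parts.length !== 3 || !B64URL.test(parts[0]) || !B64URL.test(parts[1])) return null;
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    // A JOSE header is a JSON object carrying at least "alg".
    if (!header || typeof header !== 'object' || typeof header.alg !== 'string') return null;
    return { header, payload, signature: parts[2] };
  } catch {
    return null; // not base64url-encoded JSON, so not a JWT
  }
}
// Walks any Storage-like object (length, key(i), getItem(k)); one finding per key.
function findJwtsInStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const parsed = parseJwt(storage.getItem(key));
    if (parsed) findings.push({ key, ...parsed });
  }
  return findings;
}
// Constructed stand-in for window.sessionStorage.
function makeFakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] ?? null };
}

// Token built from the header and payload quoted in the alert; placeholder signature.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'John Doe', iat: 1516239022 })),
  'placeholder-signature', // constructed, not a real HMAC
].join('.');
console.log(findJwtsInStorage(makeFakeStorage({ key: SAMPLE_JWT, theme: 'dark' })));
```

Only the entry under the key "key" is reported; the unrelated "theme" value is skipped because it does not decode to a JSON header carrying "alg".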
References

https://www.zaproxy.org/blog/2020-09-03-zap-jwt-scanner/
