Insufficiently protected credentials
Description
The application stores a password in the payload of a JWT. A signed JWT (JWS) protects the integrity of its claims, not their confidentiality: the payload is only base64url-encoded, so anyone who obtains the token (from a request log, a proxy, browser storage, or a leaked Authorization header) can decode the password without knowing the signing key. Only an encrypted JWT (JWE) hides claims, and even then the credential is exposed to every party able to decrypt the token, so a password has no place in either form.
Examples
Insecure Code
```javascript
const jwt = require('jsonwebtoken');
// secretKey: the server-side HMAC key loaded from configuration (assumed, not shown on the page)

// The password becomes a claim: it is base64url-encoded, not encrypted, and readable by
// anyone who sees the token.
const token = jwt.sign({ password: 'mysecretpassword' }, secretKey, { algorithm: 'HS256' });
```
Secure Code
```javascript
const jwt = require('jsonwebtoken');
// secretKey: the server-side HMAC key loaded from configuration (assumed, not shown on the page)

// Only an identifier and non-sensitive attributes go into the claims set; the credential
// stays in the server-side store and is looked up by user_id when needed.
const payload = { user_id: 123, username: 'john_doe' };
const token = jwt.sign(payload, secretKey, { algorithm: 'HS256' });
```
Remediation
Never place passwords or other secrets in a JWT payload. Put only a user identifier (plus non-sensitive claims) in the token and resolve credentials from a server-side store by that identifier; the credential itself never needs to leave the server. Treat any password found in a previously issued token as exposed and rotate it.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0403 |
| Category | Auth |
| Severity | HIGH |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | jwt, password, credentials |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |