Business information leak - Token

Description

Some of the information of the user like the username/email and full name is included in the data contained in the session token.

Impact

Obtain name and emails of users.

Recommendation

Avoid to include sensitive user information in the session token.

Threat

External attacker with access to tokens.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

• Attack vector: N
• Attack complexity: H
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: L
• Integrity: N
• Availability: N

Temporal

• Exploit code madurity: X
• Remediation level: X
• Report confidence: X

Result

• Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
• Score:
  • Base: 3.1
  • Temporal: 3.1
• Severity:
  • Base: Low
  • Temporal: Low

Code Examples

Compliant code

The response token does not include any sensitive user information

app.post("/user/generateToken", (req, res) => {
  // Validate User Code
  let jwtSecretKey = process.env.JWT_SECRET_KEY;
  let data = {
    time: Date(),
    userId: 12,
  }
  const token = jwt.sign(data, jwtSecretKey);
  res.send(token);
});

Non compliant code

The response token includes sensitive information as plain text

app.post("/user/generateToken", (req, res) => {
  // Validate User Code
  let jwtSecretKey = process.env.JWT_SECRET_KEY;
  let data = {
    //Include confidential information in the response
    userName: req.body.user,
    password: req.body.password,
  }
  const token = jwt.sign(data, jwtSecretKey);
  res.send(token);
});

Requirements

• 176. Restrict system objects
• 177. Avoid caching and temporary files
• 261. Avoid exposing sensitive information
• 300. Mask sensitive data

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.