Skip to main content

Business information leak - Token

Description

Some of the information of the user like the username/email and full name is included in the data contained in the session token.

Impact

Obtain name and emails of users.

Recommendation

Avoid to include sensitive user information in the session token.

Threat

External attacker with access to tokens.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 3.1
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The response token does not include any sensitive user information

app.post("/user/generateToken", (req, res) => {
// Validate User Code
let jwtSecretKey = process.env.JWT_SECRET_KEY;
let data = {
time: Date(),
userId: 12,
}
const token = jwt.sign(data, jwtSecretKey);
res.send(token);
});

Non compliant code

The response token includes sensitive information as plain text

app.post("/user/generateToken", (req, res) => {
// Validate User Code
let jwtSecretKey = process.env.JWT_SECRET_KEY;
let data = {
//Include confidential information in the response
userName: req.body.user,
password: req.body.password,
}
const token = jwt.sign(data, jwtSecretKey);
res.send(token);
});

Requirements