Details
| Alert ID | 120002-1 |
| Alert Type | Client Passive |
| Status | alpha |
| Risk | Medium |
| CWE | 200 |
| WASC | 13 |
| Technologies Targeted | All |
| Tags | CWE-200 |
| More Info | Scan Rule Help |
Summary
A JWT was stored in browser localStorage.
This is dangerous because data stored in localStorage does not expire.
Solution
This is an informational alert and no action is necessary.
Other Info
The following JWT was set:
Key: key
Header: {'alg': 'HS256', 'typ': 'JWT'}
Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}
Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf
Note that this alert will only be raised once for each URL + key.
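The check below is an added example, not the ZAP scan rule's own code: it walks a localStorage-like object, identifies values shaped like a compact-serialised JWT, and decodes the header and payload the way the alert's Other Info reports them. It also records whether the payload carries an `exp` claim, since a token without one in non-expiring storage is the condition the Summary warns about. It assumes Node.js (`Buffer` is used for base64url decoding), the `storage` object is a constructed stand-in for `window.localStorage` with the same `length`/`key`/`getItem` interface, and the sample token is the widely published example token whose header and payload match the values in the alert above.

```javascript
// Added example (not part of the ZAP scan rule): find and decode JWTs in a
// localStorage-like store. Assumes Node.js for Buffer; the storage object is a
// constructed stand-in for window.localStorage.

const JWT_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment (no padding in JWTs) to a UTF-8 string.
function b64urlDecode(segment) {
  const rem = segment.length % 4;
  const pad = rem === 0 ? '' : '='.repeat(4 - rem);
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns { header, payload, signature } for a value shaped like a JWS compact
// token (three base64url segments, JSON in the first two, an "alg" in the
// header), or null for anything else.
function decodeJwt(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split('.');
  if (parts.length !== 3 || !parts.every((p) => JWT_SEGMENT.test(p))) return null;
  try {
    const header = JSON.parse(b64urlDecode(parts[0]));
    const payload = JSON.parse(b64urlDecode(parts[1]));
    if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') return null;
    if (payload === null || typeof payload !== 'object') return null;
    return { header, payload, signature: parts[2] };
  } catch (e) {
    return null; // not valid base64url/JSON, so not a JWT
  }
}

// Walk a Storage-like object and report every JWT-shaped value, noting the
// signing algorithm, the claim names, and whether an "exp" claim is present.
function findJwtsInStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const decoded = decodeJwt(storage.getItem(key));
    if (!decoded) continue;
    findings.push({
      key,
      alg: decoded.header.alg,
      claims: Object.keys(decoded.payload),
      hasExp: Object.prototype.hasOwnProperty.call(decoded.payload, 'exp'),
    });
  }
  return findings;
}

// Constructed stand-in for window.localStorage (sample data, not from a real site).
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    length: keys.length,
    key: (i) => (i < keys.length ? keys[i] : null),
    getItem: (k) => (Object.prototype.hasOwnProperty.call(entries, k) ? entries[k] : null),
  };
}

// Widely published example token: header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed sample storage: one JWT, one ordinary value, one three-part value that is not a JWT.
const sampleStorage = makeStorage({ key: SAMPLE_JWT, theme: 'dark', version: 'x.y.z' });

function report() {
  return findJwtsInStorage(sampleStorage);
}

console.log(JSON.stringify(report(), null, 2));
```

In a browser the same `findJwtsInStorage` can be pointed at `window.localStorage` directly; the `hasExp: false` result on the sample token is the case the alert describes, because nothing in localStorage will remove the token once the claims it carries have gone stale.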
References
Code
org/zaproxy/addon/client/pscan/JwtInStorageScanRule.java