Details

Alert ID: 120002-2
Alert Type: Client Passive
Status: alpha
Risk: Informational
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: CWE-200
More Info: Scan Rule Help

Summary

A JWT was stored in browser sessionStorage. This is not unusual or necessarily unsafe; this informational alert is raised to help you get a better understanding of what the app is doing. For more details see the Client tabs: this information was set directly in the browser and will therefore not necessarily appear in this form in any HTTP(S) messages.

Solution

Store JWTs in sessionStorage instead of localStorage so that it is cleared when the page session ends.

Other Info

The following JWT was set:

Key: key
Header: {'alg': 'HS256', 'typ': 'JWT'}
Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}
Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf

Note that this alert will only be raised once for each URL + key.

References

Code

org/zaproxy/addon/client/pscan/JwtInStorageScanRule.java