JWT token in URL parameter #1261
Comments
|
we are still using https tho, I agree that sending a token in a header is a better practice. will keep you updated |
@simonmcl could you maybe share more context how the token could leak according to auditors? |
|
@llbartekll here is the full content of the ticket: Description: OWASP ASVS 3.1.1 Verify the application never reveals session tokens in URL parameters. CL MSS 1.9 No sensitive data, inluding PII, is shared with third-parties unless it is required for app's architecture. Affected Hosts: Impact: Security Exposure: By including sensitive tokens in URLs, they become visible in web server logs, browser history, and potentially shared or cached links. This makes them vulnerable to unauthorized access and abuse. Data Leakage: If these tokens are mishandled, they can be exposed to third-party websites, search engines, or other intermediaries. This can lead to data leakage and compromise of sensitive user data or API access. Session Hijacking: Session tokens, when exposed in URLs, become an easier target for session hijacking attacks. Attackers can easily access and manipulate these tokens, taking control of a user's session or impersonating them. |
Is your feature request related to a problem? Please describe.
The app i'm working on at the minute is undergoing a security audit. The auditors noticed a GET request adding a JWT token to the query string of a URL and flagged it as an issue for us to fix. The request is coming from the WC2 SDK. Can you take a look and make sure the token is not being leaked
The text was updated successfully, but these errors were encountered: