ZAP – Information Disclosure - JWT in Browser sessionStorage

Details
Alert ID	120002-2
Alert Type	Client Passive
Status	alpha
Risk	Informational
CWE	200
WASC	13
Technologies Targeted	All
Tags	CWE-200
More Info	Scan Rule Help

Summary

JWT was stored in browser sessionStorage. This is not unusual or necessarily unsafe - this informational alert has been raised to help you get a better understanding of what this app is doing. For more details see the Client tabs - this information was set directly in the browser and will therefore not necessarily appear in this form in any HTTP(S) messages.

Solution

Store JWTs in sessionStorage instead of localStorage so that is cleared when the page session ends.

Other Info

The following JWT was set: Key: key Header: {'alg': 'HS256', 'typ': 'JWT'} Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022} Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf Note that this alert will only be raised once for each URL + key.

References

https://www.zaproxy.org/blog/2020-09-03-zap-jwt-scanner/

Code

org/zaproxy/addon/client/pscan/JwtInStorageScanRule.java