JSON Web Token Detected

info Web Application Scanning Plugin ID 112686

Synopsis

JSON Web Token Detected

Description

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a data structure for securely transmitting claims between parties as a JSON object. A JSON Web Token can be instantiated as a JSON Web Signature (JWS) or a JSON Web Encryption (JWE), depending on the application's security considerations.

JSON Web Signature based tokens are the most commonly used in API implementations and are built from three base64url-encoded parts separated by periods:

- JSON Object Signing and Encryption (JOSE) header: describes at least the algorithm used for signing or encryption (alg) and the type (typ) of the content being processed. For JSON Web Tokens, the type is usually set to 'JWT'.

- Payload: JSON object containing the claims to share. Claims fall into three classes: registered (defined in the specification), public, and private; claim names must be unique within the claims set.

- Signature: computed with the algorithm named in the header and a secret or a private key. This ensures the integrity of the JSON Web Token.

The scanner detected the presence of a JSON Web Signature based token containing the information provided in the output.
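The three-part structure described above, worked through in code. This is an added example and not part of the plugin or of Tenable's scanner: it builds an HS256-signed JWS from a constructed claim set and a constructed demo secret, splits a token back into its header, payload and signature, and verifies it with the algorithm pinned rather than read from the header. All names (DEMO_SECRET, make_hs256_token, split_token, verify_hs256, is_valid) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only; a real deployment loads
# its HMAC key from a secrets store, never from source.
DEMO_SECRET = b"example-hmac-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = encoded_header + "." + encoded_payload
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def split_token(token: str):
    """Decode the three parts; the header and payload are JSON objects."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization must have exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    return header, payload, signature


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims only if the signature checks out under a pinned algorithm."""
    header, payload, signature = split_token(token)
    # The verifier chooses the algorithm; the header's 'alg' is only confirmed,
    # never used to select which check runs.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    return payload


def is_valid(token: str, secret: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed claim set for the demo.
    token = make_hs256_token({"sub": "1234", "role": "user"}, DEMO_SECRET)
    header, payload, _ = split_token(token)
    print("header :", header)
    print("payload:", payload)
    print("valid  :", is_valid(token, DEMO_SECRET))
```

When a scanner reports a token like this in a response, the decoded header and payload tell you what the application is exposing (claims are only base64url-encoded, not encrypted), and the pinned-algorithm verifier above is the shape a consuming service should use so that the integrity guarantee of the signature actually holds.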

See Also

https://jwt.io

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://blog.angular-university.io/angular-jwt/

Plugin Details

Severity: Info

ID: 112686

Type: remote

Published: 2/8/2021

Updated: 2/8/2021

Scan Template: api, scan, pci