Insufficiently Protected Credentials

Property
Language: scala
Severity: high
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code uses a hardcoded secret or private key for signing JWTs, storing sensitive credentials directly in the source code. This makes it easy for attackers to discover and misuse these secrets if the code is exposed.

Impact

If exploited, an attacker could forge or tamper with JWT tokens, potentially gaining unauthorized access to user accounts or protected resources. Hardcoded secrets also increase the risk of credential leaks, especially if the code is shared or stored in version control.

Insufficiently Protected Credentials

Property
Language: scala
Severity: high
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code uses a hardcoded secret or private key when encoding or decoding JWTs. Storing secrets directly in source code makes them easy to discover and compromises the security of your authentication tokens.

Impact

If attackers gain access to your source code, they can extract the hardcoded secret and forge or tamper with JWTs, leading to unauthorized access, privilege escalation, or data breaches. This can undermine the entire authentication and authorization system of your application.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Sensitive information from objects is being copied directly into JWT payloads passed to jsonwebtoken.sign(). A signed JWT's payload is only base64url-encoded, not encrypted, so anyone who receives or intercepts the token can decode it and read those fields without knowing the signing secret.

Impact

If exploited, attackers or users with the JWT can access sensitive data such as passwords, personal details, or credentials embedded in the token. This can lead to data leaks, account compromise, or unauthorized access to protected resources.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The application uses express-jwt without configuring token revocation, so there is no way to invalidate a JWT that has been leaked or compromised. A JWT is self-contained: once signed it remains acceptable to the middleware until its expiry time, regardless of what has happened to the user's session or account in the meantime.

Impact

If a JWT is stolen or leaked, an attacker can continue to access protected resources using that token, even if the user is logged out or their account is disabled. This could lead to unauthorized access to sensitive data or functions, increasing the risk of account takeover or data breaches.
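The following added example (not express-jwt's own code) shows one way to add revocation: a store that rejects individual tokens by jti and, for "logout everywhere" or account-disable events, every token a user was issued before a cutoff. The jti, sub, iat and exp claim names are standard JWT claims; the store and its method names are assumptions. It can be attached through express-jwt's isRevoked option, which in versions 7 and later is a callback of the form (req, token) => Promise<boolean> that receives the verified token with its payload.

```javascript
// Added example (not express-jwt's own code): a revocation check that can be
// plugged into express-jwt's isRevoked option. It rejects tokens whose jti has
// been explicitly revoked, and tokens issued before a per-user cutoff (set on
// logout-everywhere, password change or account disable). Claim names are the
// standard jti/sub/iat/exp; the store and method names are assumptions.

function createRevocationStore() {
  const revokedJti = new Map();  // jti -> exp (seconds), so entries can be purged
  const userCutoff = new Map();  // sub -> iat watermark; tokens issued at or before it are dead

  return {
    // Revoke one token. exp is the token's own expiry: the entry only needs to
    // live as long as the token could still be accepted.
    revokeToken(jti, exp) { revokedJti.set(jti, exp); },

    // Invalidate every token issued to `sub` at or before `notBeforeSec`.
    revokeUserTokensIssuedBefore(sub, notBeforeSec) {
      const cur = userCutoff.get(sub) || 0;
      userCutoff.set(sub, Math.max(cur, notBeforeSec));
    },

    // Decide whether a decoded, already signature-verified token is revoked.
    isRevoked(claims, nowSec = Math.floor(Date.now() / 1000)) {
      if (!claims || typeof claims.jti !== 'string' || typeof claims.sub !== 'string' || typeof claims.iat !== 'number') {
        return true; // fail closed: a token without the claims needed for revocation cannot be revoked later
      }
      if (revokedJti.has(claims.jti)) return true;
      const cutoff = userCutoff.get(claims.sub);
      if (cutoff !== undefined && claims.iat <= cutoff) return true;
      return false;
    },

    // Drop jti entries whose tokens have expired anyway; call periodically.
    // Returns the number of entries still held.
    purge(nowSec = Math.floor(Date.now() / 1000)) {
      for (const [jti, exp] of revokedJti) if (exp <= nowSec) revokedJti.delete(jti);
      return revokedJti.size;
    },
  };
}

// How it attaches to express-jwt (7.x+), shown as a comment because the
// middleware package is not needed to run this example:
//   app.use(expressjwt({
//     secret: process.env.JWT_SECRET, algorithms: ['HS256'],
//     isRevoked: async (req, token) => store.isRevoked(token.payload),
//   }));

// Demonstration with constructed claims.
const store = createRevocationStore();
const now = 1700000000;
const stolen = { jti: 'tok-1', sub: 'alice', iat: now - 600, exp: now + 3000 };
console.log('before revocation:', store.isRevoked(stolen, now)); // false
store.revokeToken(stolen.jti, stolen.exp);
console.log('after jti revocation:', store.isRevoked(stolen, now)); // true
```

In a multi-instance deployment the two maps would live in a shared store such as Redis, keyed with a TTL equal to the token's remaining lifetime; pairing revocation with short expiry keeps that store small.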

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware in your Express app is creating cookies without an explicit expiration date. This means session cookies may persist longer than intended, increasing the risk of unauthorized access if a user’s browser is left open.

Impact

Without setting an expiration date for session cookies, sessions may remain active indefinitely, allowing attackers to hijack sessions if a device is lost or left unattended. This can lead to unauthorized access to user accounts and sensitive data.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware is being used without setting an 'expires' (or 'maxAge') property for cookies, so the session cookie has no expiry of its own and lasts until the browser is closed. This can leave sessions open far longer than intended, increasing the risk of misuse if a user's device is lost or compromised.

Impact

Without an explicit expiration, attackers could hijack or reuse old session cookies to access user accounts or sensitive data. This undermines session security, potentially leading to unauthorized access and data breaches if sessions remain valid longer than necessary.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware is configured without an explicit 'expires' attribute for cookies, so session cookies persist until the browser is closed, which may be far longer than intended. This leaves sensitive sessions active and increases the risk of unauthorized access.

Impact

If session cookies do not expire properly, attackers or unauthorized users could reuse old session cookies to gain access to user accounts or sensitive data. This can lead to session hijacking, prolonged exposure of user sessions, and increased risk of credential theft or misuse.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware is being used without setting an explicit 'expires' attribute for cookies, causing session cookies to persist until the browser is closed. This makes sessions last longer than intended and weakens session management.

Impact

Without a set expiration, users who forget to close their browsers may remain logged in indefinitely, increasing the risk of session hijacking if someone gains access to their device. This can lead to unauthorized account access and potential exposure of sensitive user data.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

Session cookies are being created without an explicit expiration date, so the cookie lasts until the browser is closed and the matching server-side session stays usable for as long as the session store keeps it. This makes session lifetime unpredictable and can leave sessions alive beyond what is intended.

Impact

Without a set expiration, stolen or leaked session cookies can be used by attackers to access user accounts for an unlimited time, increasing the risk of unauthorized access and making it harder to limit session lifespans or enforce logout policies.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

When using Express session middleware without setting the 'expires' property on cookies, session cookies remain valid until the browser is closed, making sessions persist longer than intended. This increases the risk that unauthorized users could use an active session if a device is left unattended.
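The session-cookie rules above all report the same configuration gap. The following added example (not the page's or express-session's own code) places the weak express-session configuration beside a hardened one and includes an audit function that flags the same missing expiry. The option names (secret, resave, saveUninitialized, rolling, cookie.maxAge, cookie.expires, cookie.httpOnly, cookie.secure, cookie.sameSite) are express-session's; the secret values and the 30-minute idle timeout are constructed for the example.

```javascript
// Added example (not the page's or express-session's own code): weak versus
// hardened express-session cookie settings, plus an audit that reports the
// missing-expiry gap the rule above detects. Secret values and timeouts below
// are constructed for the example.

// Weak: no cookie.maxAge or cookie.expires, so the cookie lives until the
// browser closes and the server-side session is only removed by store pruning.
const weakSessionOptions = {
  secret: 'replace-me-via-env', // constructed; read from the environment in a real deployment
  resave: false,
  saveUninitialized: false,
};

// Hardened: bounded lifetime that is renewed on activity, plus the usual cookie flags.
function buildSessionOptions({ secret, idleTimeoutMs = 30 * 60 * 1000, production = true }) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('session secret must be a string of at least 32 characters');
  }
  return {
    secret,
    resave: false,
    saveUninitialized: false,
    rolling: true,            // reset maxAge on every response so idle sessions expire
    cookie: {
      maxAge: idleTimeoutMs,  // express-session derives the Expires attribute from maxAge
      httpOnly: true,         // not readable from page scripts
      secure: production,     // only sent over HTTPS in production
      sameSite: 'lax',        // not attached to cross-site POSTs
    },
  };
}

// Audit a session options object and return the problems found (empty when clean).
function auditSessionCookie(opts) {
  const findings = [];
  const c = (opts && opts.cookie) || {};
  if (c.maxAge === undefined && c.expires === undefined) {
    findings.push('no cookie.maxAge or cookie.expires: session cookie persists until the browser closes');
  }
  if (c.httpOnly === false) findings.push('cookie.httpOnly is disabled');
  if (c.secure !== true) findings.push('cookie.secure is not true: cookie may be sent over plain HTTP');
  if (c.sameSite === undefined || c.sameSite === 'none') findings.push('cookie.sameSite should be lax or strict');
  return findings;
}

// Usage in an app: app.use(session(buildSessionOptions({ secret: process.env.SESSION_SECRET })));
const hardened = buildSessionOptions({ secret: 'x'.repeat(32) });
console.log(auditSessionCookie(weakSessionOptions));
console.log(auditSessionCookie(hardened)); // []
```

An absolute lifetime (re-authentication after, say, 12 hours regardless of activity) is worth adding on top of the idle timeout, since rolling renewal alone lets an actively used stolen session live forever.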