
JSON web token

Description

General

The JSON web token detector aims to catch any JSON web token that is sensitive and not expired.

This definition is broad, so to avoid raising many false alerts GitGuardian applies a set of validation steps and specifications that narrow the perimeter the detector looks at.

Specifications

As defined in RFC 7519, a JSON web token (JWT) consists of three base64url-encoded parts joined with dots: a header, a payload and a signature. The payload is the part the detector inspects: it may carry an expiration date (the exp claim) and sensitive key/value pairs. The signature makes it possible to verify that the content has not been tampered with. The JWT detector raises an alert if the token has not expired and is signed.

Unlike other generic detectors, the JWT detector does not require any specific validators (pre or post) other than GitGuardian's default filename banlist prevalidator, because the decoded values follow specific patterns and are easy to identify.
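The following is an added example, not GitGuardian's detector code: it decodes the two sample tokens from this page and applies the two conditions stated above (signed, and not expired). The `now` parameter is injected so the expiry check is reproducible; treating a token with no exp claim as not expired, and treating an empty signature segment or `"alg":"none"` as unsigned, are assumptions made here.

```python
import base64
import binascii
import json
import time
from typing import Optional

# The two sample tokens from this page's examples (demo payloads, HS256 header).
CAUGHT_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxODc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0."
    "OGUFTnEIcYMuSOL4bfRigJbVL7k86ALyFgRadH_zRIM"
)
EXPIRED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxMzc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0."
    "n_i72bdZ3gH-Y4Sir75C7mdyvQL68Pehi0FxMLo1IpA"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split a compact JWT into its three parts and JSON-decode header and payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return {"header": header, "payload": payload, "signature": signature}


def would_be_reported(token: str, now: Optional[float] = None) -> tuple:
    """Apply the page's two conditions: the token is signed and has not expired.

    Returns (decision, reason). A token without an exp claim is treated as
    not expired; that is an assumption of this example, not a page statement.
    """
    now = time.time() if now is None else now
    try:
        parsed = decode_jwt(token)
    except (ValueError, binascii.Error) as exc:  # JSONDecodeError/UnicodeDecodeError are ValueErrors
        return False, f"not a well-formed JWT: {exc}"

    # "Signed": a non-empty signature segment and an algorithm other than "none".
    if not parsed["signature"] or str(parsed["header"].get("alg", "")).lower() == "none":
        return False, "unsigned token"

    exp = parsed["payload"].get("exp")
    if exp is not None:
        if not isinstance(exp, (int, float)):
            return False, "exp claim is not a NumericDate"
        if exp <= now:
            return False, "expired at " + time.strftime("%Y-%m-%d", time.gmtime(exp))
    return True, "signed and not expired"


if __name__ == "__main__":
    for label, tok in (("page example 1", CAUGHT_TOKEN), ("page example 2", EXPIRED_TOKEN)):
        print(label, would_be_reported(tok))
```

Note that the example only checks that a signature is present; verifying it would require the issuer's key, which a secrets scanner does not have. That is why the detector's "signed" condition is structural rather than cryptographic.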

Revoke the secret

This detector catches JSON web tokens in general, so GitGuardian cannot infer which service issued the token. To properly revoke a JSON web token:

  1. Identify which service is impacted.
  2. Refer to that service's documentation to revoke and rotate the JSON web token.

Examples

Examples that WILL be caught

- text: >
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxODc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.OGUFTnEIcYMuSOL4bfRigJbVL7k86ALyFgRadH_zRIM
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxODc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.OGUFTnEIcYMuSOL4bfRigJbVL7k86ALyFgRadH_zRIM
  decoded_token: {"alg":"HS256","typ":"JWT"}{"sub":"1234567890","name":"John Doe","exp":1874005422,"password":"Ij786#b4ll1"}{some_signature_value}

This example token is not expired (its exp claim corresponds to 20/05/2029) and is signed.

Examples that WILL NOT be caught

  • Passed expiration date.
- text: >
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxMzc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.n_i72bdZ3gH-Y4Sir75C7mdyvQL68Pehi0FxMLo1IpA
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxMzc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.n_i72bdZ3gH-Y4Sir75C7mdyvQL68Pehi0FxMLo1IpA
  decoded_token: {"alg":"HS256","typ":"JWT"}{"sub":"1234567890","name":"John Doe","exp":1374005422,"password":"Ij786#b4ll1"}{some_signature_value}

The expiration date has passed (the exp claim corresponds to 16/07/2013).

Details for JSON web token

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 30.18

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions:
        - html
        - css
        - md
        - lock
        - storyboard
        - xib
      banlist_filenames:
        - node_modules(/|\\)
        - vendors?(/|\\)
        - top-1000\.txt$
        - \.sops$
        - \.sops\.yaml$
      check_binaries: false
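As an added illustration of how the FilenameBanlistPreValidator configuration above is applied (example code, not GitGuardian's implementation), the function below reproduces the banlist and filters a constructed list of paths down to the files the detector would still inspect. Comparing extensions case-insensitively and applying the filename patterns with `re.search` on the repository-relative path are assumptions of this example; the sample paths are constructed, not taken from the page.

```python
import re

# Banlist values copied from the PreValidators section of this page.
BANLIST_EXTENSIONS = {"html", "css", "md", "lock", "storyboard", "xib"}
BANLIST_FILENAMES = [
    r"node_modules(/|\\)",
    r"vendors?(/|\\)",
    r"top-1000\.txt$",
    r"\.sops$",
    r"\.sops\.yaml$",
]
_BANLIST_PATTERNS = [re.compile(p) for p in BANLIST_FILENAMES]


def file_extension(path: str) -> str:
    """Last extension of the basename, lower-cased; '' when there is none."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return basename.rsplit(".", 1)[-1].lower() if "." in basename else ""


def is_banned_path(path: str) -> bool:
    """True when the prevalidator would skip the file before the JWT regex runs.

    Assumptions (not stated on the page): extensions are compared
    case-insensitively and filename patterns use re.search on the full path.
    """
    if file_extension(path) in BANLIST_EXTENSIONS:
        return True
    return any(p.search(path) for p in _BANLIST_PATTERNS)


def files_to_scan(paths):
    """Filter a list of paths down to the ones the detector would actually inspect."""
    return [p for p in paths if not is_banned_path(p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from the page.
    sample = [
        "src/auth/client.py",
        "docs/README.md",
        "node_modules/jose/index.js",
        "vendor/lib.py",
        "config/prod.sops.yaml",
        "package-lock.json",
        "assets/style.css",
    ]
    print(files_to_scan(sample))
```

A practical consequence of this banlist: a JWT pasted into a Markdown file or a lockfile is not reported by this detector, so those locations still deserve a manual check when a leak is suspected.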