Data Exposure in Fiber with Jwt Tokens
Data Exposure in Fiber with Jwt Tokens — how this specific combination creates or exposes the vulnerability
The Data Exposure check in middleBrick examines whether sensitive information such as JSON Web Tokens (JWTs) is unintentionally returned to unauthenticated or low-privilege callers. When scanning a Fiber endpoint that issues or reflects JWTs, the scanner inspects HTTP responses for tokens in headers, cookies, or JSON bodies. If an endpoint returns a JWT without proper authorization checks, the token can be captured by an attacker and used to impersonate users or escalate privileges.
In Fiber, route handlers often set JWTs in cookies or as Authorization bearer tokens. A common misconfiguration is returning the token in a response body or header even when the request lacks valid credentials or when the route should be public but inadvertently exposes privileged claims. For example, an endpoint that merges user-controlled input into a JWT and echoes it back can enable token leakage via response caching, client-side logs, or browser history. Because JWTs frequently contain identity or role claims, exposure can lead to horizontal or vertical privilege escalation, aligning with BOLA/IDOR and BFLA findings that middleBrick reports alongside Data Exposure.
Additionally, if TLS is not enforced or mixed content is allowed, tokens can be exposed in transit. middleBrick’s Encryption check complements Data Exposure by verifying that endpoints serving JWTs require secure transport. The scanner also flags verbose error messages that may include stack traces with token references, which can aid attackers in crafting token-related exploits. Because JWTs are bearer tokens, any exposure effectively compromises the security boundary that the token is meant to enforce.
Jwt Tokens-Specific Remediation in Fiber — concrete code fixes
To remediate Data Exposure involving JWTs in Fiber, ensure tokens are never returned in responses unless the request is properly authenticated and authorized. Use middleware to validate credentials before constructing or reflecting tokens, and avoid including sensitive claims in responses that clients can trigger directly.
Example of an insecure Fiber handler that echoes a token in the response body, risking Data Exposure:
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/golang-jwt/jwt/v5"
)
func unsafeTokenHandler(c *fiber.Ctx) error {
// Insecure: generates a token and returns it in the response body
claims := jwt.MapClaims{"user_id": 123, "role": "user"}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, _ := token.SignedString([]byte("secret"))
return c.JSON(fiber.Map{"token": tokenString})
}
This pattern can lead to Data Exposure because any caller can trigger the endpoint and obtain a valid token. A secure approach is to issue tokens only after verifying credentials and to return the token in an HttpOnly, Secure cookie rather than in the response body. Also, avoid returning tokens in JSON when they are not needed by the client.
Secure Fiber handler with token in Secure, HttpOnly cookie and no token in response body:
package main
import (
"net/http"
"github.com/gofiber/fiber/v2"
"github.com/golang-jwt/jwt/v5"
)
func secureTokenHandler(c *fiber.Ctx) error {
// Verify credentials first (example placeholder)
if !isValid(c) {
return c.Status(fiber.StatusUnauthorized).SendString("Unauthorized")
}
claims := jwt.MapClaims{"user_id": 123, "role": "user", jwt.ExpiresAtClaim: jwt.NewNumericDate(/* expiry */)}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte("secret"))
if err != nil {
return c.Status(fiber.StatusInternalServerError).SendString("Error generating token")
}
cookie := new(http.Cookie)
cookie.Name = "token"
cookie.Value = tokenString
cookie.HttpOnly = true
cookie.Secure = true
cookie.SameSite = http.SameSiteStrictMode
c.Cookie(cookie)
// Do not include token in response body
return c.JSON(fiber.Map{"message": "Authenticated"})
}
func isValid(c *fiber.Ctx) bool {
// Implement actual credential validation here
return true
}
Additionally, apply global middleware to enforce Secure cookies and HTTPS, and use the Authorization header only when the client can safely handle bearer tokens. Configure token expiration and revocation to reduce the impact of any accidental exposure. middleBrick’s scans will highlight endpoints where JWTs appear in responses without corresponding authentication checks, enabling you to align with Data Exposure guidance and reduce risks tied to BOLA/IDOR and privilege escalation.
FAQ
- Does middleBrick test for JWT exposure in both request and response contexts? Yes. The scanner checks responses for unintended token disclosure and inspects whether authentication checks are consistently enforced across endpoints that issue or consume JWTs.
- Can the scans map Data Exposure findings to compliance frameworks such as OWASP API Top 10 and GDPR? Yes. Findings include mappings to relevant standards, helping you prioritize remediation based on regulatory and risk contexts.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |