🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

JWT Insufficient Session Expiration

A JWT token must expire after a period of time. Otherwise an adversary has higher chance of reusing an old token and get an unauthorised access. Furthermore care should be taken in setting the expiry for a refresh token. An adversary can exploit a refresh token to get persistence access.

Remediation

  • Implement an expiry time for the token. The shorter is the expiry, the lower is the likelihood of token abuse.
  • Ensure refresh token is not refreshed automatically. Only after a full authentication (e.g. using username, password and MFA) a new refresh token should be issues.

Metadata

  • Severity: high
  • Slug: jwt-insufficient-session-expiration

CWEs

  • 613: Insufficient Session Expiration

OWASP

  • A01:2021: Broken Access Control
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.