Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Highest
Fix Version/s: 3.6.1
Affects Version/s: 3.4.0
Labels:
- VAPT
- WASA

Sprint:
AMRIT Sprint 48, AMRIT Sprint 49, AMRIT Sprint 50, AMRIT Sprint 51, AMRIT Sprint 52, AMRIT Sprint 53, Sprint 54
Epic Link:
WASA Changes for Mobile & Web App
Service line:
Platform
Environment:
UAT

The application issues JSON Web Tokens (JWTs) that do not expire correctly or have an excessively long expiration time. This can allow an attacker to reuse stolen or leaked tokens for unauthorized access long after they should have expired.

Vulnerability Name	Vulnerable Point, Port or Parameter	CVE/CWE	CVSS Score	Overall Risk (Severity)	Mapping with OWASP Testing Checklist	Observation / Description	Impact	Recommendation	Reference	Steps to reproduce
Improper JWT Expiration	https://uatamrit.piramalswasthya.org/common-api/cti/getloginkey	CWE-613	5.3	Medium	OWASP Session Management Testing	This means that if an attacker compromises a JWT token—for example via XSS, interception, or leakage—they can reuse it for over 8 hours without interruption. If the user forgets to log out or the token is stolen by malware or a network attacker, the attacker gets persistent access to user data and actions for an extended period, increasing the risk of session hijacking, unauthorized activity, and privilege misuse.	JWT tokens valid for 8+ hours severely increase the attack window for replay attacks, session hijacking, and data breaches. Automated credential and token theft tools can exploit long-validity tokens to maintain unauthorized access throughout a work shift or overnight, bypassing reauthentication controls.	Reduce access token lifetimes to 15–30 minutes for critical APIs; use refresh token flow for seamless user experience. Enforce automatic token renewal, idle timeouts, and mandatory logout after risk events (e.g., IP change, privilege escalation).	https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens	Step 1: During the security assessment, a random API request was captured and its JWT token was analyzed using JWT tool extensions in Burp Suite. It was found that the token’s expiration (exp) time was set for longer than 8 hours.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image-2025-12-05-11-13-03-710.png
48 kB
05/Dec/25 11:13 AM
image-2025-12-10-10-27-45-039.png
86 kB
10/Dec/25 10:27 AM
image-2025-12-10-10-28-02-252.png
41 kB
10/Dec/25 10:28 AM
image-2025-12-15-21-03-21-207.png
56 kB
15/Dec/25 9:03 PM
image-2025-12-15-21-03-50-111.png
63 kB
15/Dec/25 9:03 PM
image-2025-12-15-21-04-23-630.png
58 kB
15/Dec/25 9:04 PM
image-2026-02-03-15-34-53-304.png
74 kB
03/Feb/26 3:34 PM
image-2026-02-03-15-35-42-591.png
74 kB
03/Feb/26 3:35 PM
image-2026-02-05-11-33-37-712.png
39 kB
05/Feb/26 11:33 AM
image-2026-02-05-11-34-03-496.png
42 kB
05/Feb/26 11:34 AM
inventory-ui.webm
640 kB
04/Feb/26 6:23 PM
jwt expiry for hwc.webm
6.26 MB
04/Feb/26 6:23 PM
jwt expiry for hwc-1.webm
6.26 MB
04/Feb/26 6:23 PM
JWT Token.docx
457 kB
08/Jan/26 1:18 PM
JWT Token2.docx
435 kB
22/Jan/26 11:32 AM
JWT Token2-1.docx
435 kB
22/Jan/26 11:32 AM
Screenshot from 2025-11-12 12-41-01.png
71 kB
12/Nov/25 12:43 PM
Screenshot from 2026-01-13 11-05-20.png
39 kB
13/Jan/26 11:06 AM

Assignee:: Deep Shikha
Reporter:: Shashank Kharkwal
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: 04/Nov/25 3:25 PM
Updated:: 05/Feb/26 11:34 AM
Resolved:: 05/Feb/26 11:34 AM

JSON Web Token (JWT) Does Not Expire Properly, Allowing Extended Unauthorized Access

Search Test Runs

Search Test Cases

Details

Description

Attachments

Attachments

Qase: runs

Activity

People

Dates

Qase: cases