# Improper Verification of Cryptographic Signature (CWE-347) The product does not verify, or incorrectly verifies, the cryptographic signature for data. **Stack:** JavaScript - Prevalence: Alta Frecuentemente explotada - Impact: Crítico 1 reglas de severidad crítica - Prevention: Documentada 4 ejemplos de corrección **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data. ## Prevention Estrategias de prevención para Improper Signature Verification basadas en 1 reglas de detección de Shoulder. ### Key Practices - Use of jwt ### JavaScript Use jwt.verify() instead of jwt.decode() to validate token signatures ## Warning Signs - [HIGH] use of jwt ## Consequences - Eludir mecanismo de protección - Ejecutar código no autorizado - Modificar datos de la aplicación ## Mitigations - Verifica siempre las firmas antes de confiar en los datos - Usa bibliotecas criptográficas bien probadas para la verificación de firmas - Para JWT, verifica siempre la firma y valida el algoritmo ## Detection - Total rules: 4 - Critical: 1 - Languages: python, go, javascript, typescript ## Rules by Language ### Javascript (1 rules) - **JWT Decode Without Verification** [HIGH]: Detects use of jwt.decode() without proper verification, leading to authentication bypass. jwt.decode() decodes a JWT token WITHOUT verifying its signature. This means an attacker can create a token with any payload they want, and the application will trust it. Common mistakes: - Using jwt.decode() instead of jwt.verify() - Decoding token for inspection then trusting the payload - Using decoded payload for authorization decisions The decoded payload should NEVER be trusted for security decisi - Remediation: Use jwt.verify() instead of jwt.decode() to validate the signature: ```javascript const jwt = require('jsonwebtoken'); app.post('/api/auth/verify', (req, res) => { const { token } = req.body; try { const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['RS256'] }); res.json({ user: decoded }); } catch (error) { res.status(401).json({ error: 'Invalid token' }); } }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-347/jwt-decode-without-verify ### Typescript (1 rules) - **JWT Decode Without Verification** [HIGH]: Detects use of jwt.decode() without proper verification, leading to authentication bypass. jwt.decode() decodes a JWT token WITHOUT verifying its signature. This means an attacker can create a token with any payload they want, and the application will trust it. Common mistakes: - Using jwt.decode() instead of jwt.verify() - Decoding token for inspection then trusting the payload - Using decoded payload for authorization decisions The decoded payload should NEVER be trusted for security decisi - Remediation: Use jwt.verify() instead of jwt.decode() to validate the signature: ```javascript const jwt = require('jsonwebtoken'); app.post('/api/auth/verify', (req, res) => { const { token } = req.body; try { const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['RS256'] }); res.json({ user: decoded }); } catch (error) { res.status(401).json({ error: 'Invalid token' }); } }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-347/jwt-decode-without-verify