# Improper Verification of Cryptographic Signature (CWE-347) The product does not verify, or incorrectly verifies, the cryptographic signature for data. **Stack:** Python - Prevalence: Alta Frecuentemente explotada - Impact: Crítico 1 reglas de severidad crítica - Prevention: Documentada 4 ejemplos de corrección **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data. ## Prevention Estrategias de prevención para Improper Signature Verification basadas en 2 reglas de detección de Shoulder. ### Python Load JWT secret from environment and explicitly specify allowed algorithms Always specify allowed algorithms explicitly when decoding JWT tokens ## Warning Signs - [HIGH] JWT implementation has security vulnerabilities - [HIGH] JWT security issues in FastAPI applications including: - Weak or hardcoded secrets - Missing algorit - [CRITICAL] JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token ## Consequences - Eludir mecanismo de protección - Ejecutar código no autorizado - Modificar datos de la aplicación ## Mitigations - Verifica siempre las firmas antes de confiar en los datos - Usa bibliotecas criptográficas bien probadas para la verificación de firmas - Para JWT, verifica siempre la firma y valida el algoritmo ## Detection - Total rules: 4 - Critical: 1 - Languages: python, go, javascript, typescript ## Rules by Language ### Python (2 rules) - **FastAPI JWT Security Issues** [HIGH]: Detects JWT security issues in FastAPI applications including: - Weak or hardcoded secrets - Missing algorithm verification - Insufficient token validation - Insecure token storage patterns - Remediation: Load JWT secret from environment and explicitly specify the algorithm. ```python from pydantic_settings import BaseSettings from jose import jwt class Settings(BaseSettings): SECRET_KEY: str ALGORITHM: str = "HS256" settings = Settings() def decode_token(token: str): return jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM]) ``` Learn more: https://shoulder.dev/learn/python/cwe-347/jwt-security - **JWT Algorithm Confusion Attack** [CRITICAL]: Detects JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token forgery. - Remediation: Always specify allowed algorithms explicitly when decoding JWT tokens. ```python payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256']) ``` Learn more: https://shoulder.dev/learn/python/cwe-347/jwt-algorithm-confusion