# Improper Verification of Cryptographic Signature (CWE-347)

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: Critical, 1 critical-severity rule
- Prevention: Documented, 4 fix examples

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data.

## Prevention

Prevention strategies for Improper Signature Verification, based on 2 Shoulder detection rules.

### Python

- Load JWT secret from environment and explicitly specify allowed algorithms
- Always specify allowed algorithms explicitly when decoding JWT tokens

## Warning Signs

- [HIGH] JWT implementation has security vulnerabilities
- [HIGH] JWT security issues in FastAPI applications including:
  - Weak or hardcoded secrets
  - Missing algorit
- [CRITICAL] JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token

## Consequences

- Bypass protection mechanisms
- Execute unauthorized code
- Modify application data

## Mitigations

- Always verify signatures before trusting data
- Use well-tested cryptographic libraries for signature verification
- For JWTs, always verify the signature and validate the algorithm

## Detection

- Total rules: 4
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Python (2 rules)

- **FastAPI JWT Security Issues** [HIGH]: Detects JWT security issues in FastAPI applications including:
  - Weak or hardcoded secrets
  - Missing algorithm verification
  - Insufficient token validation
  - Insecure token storage patterns
  - Remediation: Load JWT secret from environment and explicitly specify the algorithm.
```python
from pydantic_settings import BaseSettings
from jose import jwt


class Settings(BaseSettings):
    # No default: the secret must be supplied by the environment
    SECRET_KEY: str
    ALGORITHM: str = "HS256"


settings = Settings()


def decode_token(token: str):
    # Only the configured algorithm is accepted when decoding
    return jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
```

Learn more: https://shoulder.dev/learn/python/cwe-347/jwt-security

- **JWT Algorithm Confusion Attack** [CRITICAL]: Detects JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token forgery.
  - Remediation: Always specify allowed algorithms explicitly when decoding JWT tokens.

```python
payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
```

Learn more: https://shoulder.dev/learn/python/cwe-347/jwt-algorithm-confusion
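The algorithm-confusion rule above, as an added example (not Shoulder's code and not part of the original page): a standard-library-only HS256 verifier that puts the header-trusting pattern beside the allowlist-pinned one. All function names, `KEY`, and the sample tokens are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

SUPPORTED = {"HS256": hashlib.sha256}  # algorithms this verifier implements

def b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build constructed sample tokens; alg="none" yields an empty signature."""
    parts = ({"alg": alg, "typ": "JWT"}, claims)
    signing_input = ".".join(b64e(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), SUPPORTED[alg]).digest() if alg in SUPPORTED else b""
    return f"{signing_input}.{b64e(sig)}"

def _check(token: str, key: bytes, alg: str) -> dict:
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), SUPPORTED[alg]).digest()
    if not hmac.compare_digest(expected, b64d(sig)):  # constant-time comparison
        raise ValueError("signature mismatch")
    return json.loads(b64d(signing_input.split(".")[1]))

def decode_trusting_header(token: str, key: bytes) -> dict:
    """Flawed pattern: the token's own header decides whether a check happens."""
    head, body, _ = token.split(".")
    alg = json.loads(b64d(head)).get("alg")
    if alg in SUPPORTED:
        return _check(token, key, alg)
    return json.loads(b64d(body))  # "none" or unknown alg: claims accepted unverified

def decode_pinned(token: str, key: bytes, algorithms=("HS256",)) -> dict:
    """Hardened pattern: the caller's allowlist decides, and a check always runs."""
    if token.count(".") != 2:
        raise ValueError("malformed token")
    alg = json.loads(b64d(token.split(".")[0])).get("alg")
    if alg not in algorithms or alg not in SUPPORTED:
        raise ValueError(f"algorithm {alg!r} is not allowed")
    return _check(token, key, alg)

KEY = b"constructed-demo-key"  # sample value for this example only
GOOD = make_token({"sub": "alice"}, KEY)
UNSIGNED = make_token({"sub": "admin"}, KEY, alg="none")  # constructed test input
```

In application code, keep using a maintained JWT library with `algorithms=[...]` as in the remediation snippets; this block only makes visible what that argument enforces.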