# Improper Verification of Cryptographic Signature (CWE-347)

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

**Stack:** Go

- Prevalence: 高 頻繁に悪用される
- Impact: クリティカル 1 件の重大度クリティカルなルール
- Prevention: 文書化済み 4 件の修正例

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data.

## Prevention

1 件の Shoulder 検出ルールに基づく Improper Signature Verification の予防策。

### Go

Validate JWT algorithm explicitly, use strong secrets, and set expiration

## Warning Signs

- [HIGH] JWT implementation has security weaknesses

## Consequences

- 保護メカニズムの回避
- 未承認コードの実行
- アプリケーションデータの変更

## Mitigations

- データを信用する前に必ず署名を検証する
- 署名検証には十分に検証済みの暗号ライブラリを使用する
- JWT では必ず署名を検証し、アルゴリズムも検証する

## Detection

- Total rules: 4
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Go (1 rules)

- **JWT Security Vulnerabilities** [HIGH]: JWT allows "none" algorithm, uses weak secret, or lacks expiration.
  - Remediation: Validate algorithm explicitly and set token expiration.

```go
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        return nil, fmt.Errorf("unexpected method: %v", token.Header["alg"])
    }
    return []byte(os.Getenv("JWT_SECRET")), nil
})
```

Learn more: https://shoulder.dev/learn/go/cwe-347/jwt-vulnerabilities