Improper Verification of Cryptographic Signature (CWE-347)

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data.

Rozpowszechnienie

Wysoka

Często wykorzystywana

Wplyw

Krytyczny

1 reguł o krytycznym poziomie

Zapobieganie

Udokumentowane

4 przykładów poprawek

2 Zapobieganie

Jak naprawić tę podatność

Strategie zapobiegania dla Improper Signature Verification oparte na 4 regułach detekcji Shoulder.

🐍 Python Zobacz wszystko Python szczegóły →

FastAPI JWT Security Issues HIGH

Load JWT secret from environment and explicitly specify allowed algorithms

+11 -6 python

- from jose import jwt
- 
- SECRET = "my-secret-key"
- 
- def decode_token(token: str):
-     return jwt.decode(token, SECRET)
+ from pydantic_settings import BaseSettings
+ from jose import jwt
+ 
+ class Settings(BaseSettings):
+     SECRET_KEY: str
+     ALGORITHM: str = "HS256"
+ 
+ settings = Settings()
+ 
+ def decode_token(token: str):
+     return jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])

JWT Algorithm Confusion Attack CRITICAL

Always specify allowed algorithms explicitly when decoding JWT tokens

+13 -7 python

  import jwt
- from flask import request
- 
- @app.route('/api/user')
- def get_user():
-     token = request.headers.get('Authorization')
-     payload = jwt.decode(token, SECRET_KEY, verify=False)
-     return {'user': payload['user_id']}
+ import os
+ from flask import request
+ 
+ SECRET_KEY = os.environ['JWT_SECRET']
+ 
+ @app.route('/api/user')
+ def get_user():
+     token = request.headers.get('Authorization')
+     try:
+         payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
+         return {'user': payload['user_id']}
+     except jwt.InvalidTokenError:
+         return {'error': 'Invalid token'}, 401

🐹 Go Zobacz wszystko Go szczegóły →

JWT Security Vulnerabilities HIGH

Validate JWT algorithm explicitly, use strong secrets, and set expiration

+4 -1 go

  func parseToken(tokenString string) (*jwt.Token, error) {
      return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-         return []byte("secret"), nil
+         if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+             return nil, fmt.Errorf("unexpected method: %v", token.Header["alg"])
+         }
+         return []byte(os.Getenv("JWT_SECRET")), nil
      })
  }

🟨 JavaScript Zobacz wszystko JavaScript szczegóły →

JWT Decode Without Verification HIGH

Use jwt.verify() instead of jwt.decode() to validate token signatures

+3 -1 javascript

- const decoded = jwt.decode(token);
+ const decoded = jwt.verify(token, process.env.JWT_SECRET, {
+   algorithms: ['RS256']
+ });
  req.user = decoded;

Kluczowe praktyki

Use of jwt

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Improper Verification of Cryptographic Signature. 4 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=347

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (4)

🐍 Python 2 rules

FastAPI JWT Security Issues HIGH

Detects JWT security issues in FastAPI applications including: - Weak or hardcoded secrets - Missing algorithm verification - Insufficient token validation - Insecure token storage patterns

JWT Algorithm Confusion Attack CRITICAL

Detects JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token forgery.

🐹 Go 1 rules

JWT Security Vulnerabilities HIGH

JWT allows "none" algorithm, uses weak secret, or lacks expiration.

🟨 Javascript 1 rules

JWT Decode Without Verification HIGH

Detects use of jwt.decode() without proper verification, leading to authentication bypass. jwt.decode() decodes a JWT token WITHOUT verifying its signature. This means an attacker can create a token with any payload they want, and the application will trust it. Common mistakes: - Using jwt.decode() instead of jwt.verify() - Decoding token for inspection then trusting the payload - Using decoded payload for authorization decisions The decoded payload should NEVER be trusted for security decisi

🔷 Typescript 1 rules

JWT Decode Without Verification HIGH

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Improper Verification of Cryptographic Signature. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠

JWT implementation has security vulnerabilities fastapi-jwt-security

🟠

JWT security issues in FastAPI applications including: - Weak or hardcoded secrets - Missing algorit fastapi-jwt-security

🟠

use of jwt javascript-jwt-decode-without-verify

🔴

JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token python-jwt-algorithm-confusion

🔍

Przeskanuj swój kod w poszukiwaniu Improper Verification of Cryptographic Signature

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły