# Improper Verification of Cryptographic Signature (CWE-347)

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

**Stack:** JavaScript

- Prevalence: Wysoka Często wykorzystywana
- Impact: Krytyczny 1 reguł o krytycznym poziomie
- Prevention: Udokumentowane 4 przykładów poprawek

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data.

## Prevention

Strategie zapobiegania dla Improper Signature Verification oparte na 1 regułach detekcji Shoulder.

### Key Practices

- Use of jwt

### JavaScript

Use jwt.verify() instead of jwt.decode() to validate token signatures

## Warning Signs

- [HIGH] use of jwt

## Consequences

- Obejście mechanizmu ochrony
- Wykonanie nieautoryzowanego kodu
- Modyfikacja danych aplikacji

## Mitigations

- Zanim zaufasz danym, zawsze weryfikuj podpisy
- Do weryfikacji podpisów używaj dobrze przetestowanych bibliotek kryptograficznych
- W JWT zawsze weryfikuj podpis i sprawdzaj algorytm

## Detection

- Total rules: 4
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Javascript (1 rules)

- **JWT Decode Without Verification** [HIGH]: Detects use of jwt.decode() without proper verification, leading to authentication bypass.

jwt.decode() decodes a JWT token WITHOUT verifying its signature. This means an attacker
can create a token with any payload they want, and the application will trust it.

Common mistakes:
- Using jwt.decode() instead of jwt.verify()
- Decoding token for inspection then trusting the payload
- Using decoded payload for authorization decisions

The decoded payload should NEVER be trusted for security decisi
  - Remediation: Use jwt.verify() instead of jwt.decode() to validate the signature:

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  const { token } = req.body;
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['RS256']
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-347/jwt-decode-without-verify

### Typescript (1 rules)

- **JWT Decode Without Verification** [HIGH]: Detects use of jwt.decode() without proper verification, leading to authentication bypass.

jwt.decode() decodes a JWT token WITHOUT verifying its signature. This means an attacker
can create a token with any payload they want, and the application will trust it.

Common mistakes:
- Using jwt.decode() instead of jwt.verify()
- Decoding token for inspection then trusting the payload
- Using decoded payload for authorization decisions

The decoded payload should NEVER be trusted for security decisi
  - Remediation: Use jwt.verify() instead of jwt.decode() to validate the signature:

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  const { token } = req.body;
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['RS256']
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-347/jwt-decode-without-verify