测试版 Shoulder 目前处于测试阶段 — 结果有时可能不正确。您的反馈塑造我们接下来要修复的内容。 分享反馈
Shoulder.dev

开发者威胁情报
✍️

Improper Verification of Cryptographic Signature

🛡️ 4 条规则检测到此问题

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Cryptographic signatures are used to verify the authenticity and integrity of data. When signature verification is missing or incorrectly implemented, attackers can forge or tamper with data.

普遍性
频繁被利用
影响
关键
1 条严重级别为关键的规则
预防
已记录
4 个修复示例
2 预防
2 预防

如何修复此漏洞

基于 4 条 Shoulder 检测规则的 Improper Signature Verification 预防策略。

🐍 Python 查看全部 Python 详情 →
FastAPI JWT Security Issues HIGH

Load JWT secret from environment and explicitly specify allowed algorithms

+11 -6 python 
- from jose import jwt
- 
- SECRET = "my-secret-key"
- 
- def decode_token(token: str):
-     return jwt.decode(token, SECRET)
+ from pydantic_settings import BaseSettings
+ from jose import jwt
+ 
+ class Settings(BaseSettings):
+     SECRET_KEY: str
+     ALGORITHM: str = "HS256"
+ 
+ settings = Settings()
+ 
+ def decode_token(token: str):
+     return jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
JWT Algorithm Confusion Attack CRITICAL

Always specify allowed algorithms explicitly when decoding JWT tokens

+13 -7 python 
  import jwt
- from flask import request
- 
- @app.route('/api/user')
- def get_user():
-     token = request.headers.get('Authorization')
-     payload = jwt.decode(token, SECRET_KEY, verify=False)
-     return {'user': payload['user_id']}
+ import os
+ from flask import request
+ 
+ SECRET_KEY = os.environ['JWT_SECRET']
+ 
+ @app.route('/api/user')
+ def get_user():
+     token = request.headers.get('Authorization')
+     try:
+         payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
+         return {'user': payload['user_id']}
+     except jwt.InvalidTokenError:
+         return {'error': 'Invalid token'}, 401
🐹 Go 查看全部 Go 详情 →
JWT Security Vulnerabilities HIGH

Validate JWT algorithm explicitly, use strong secrets, and set expiration

+4 -1 go 
  func parseToken(tokenString string) (*jwt.Token, error) {
      return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-         return []byte("secret"), nil
+         if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+             return nil, fmt.Errorf("unexpected method: %v", token.Header["alg"])
+         }
+         return []byte(os.Getenv("JWT_SECRET")), nil
      })
  }
🟨 JavaScript 查看全部 JavaScript 详情 →
JWT Decode Without Verification HIGH

Use jwt.verify() instead of jwt.decode() to validate token signatures

+3 -1 javascript 
- const decoded = jwt.decode(token);
+ const decoded = jwt.verify(token, process.env.JWT_SECRET, {
+   algorithms: ['RS256']
+ });
  req.user = decoded;

关键实践

  • Use of jwt
3 检测
3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Improper Verification of Cryptographic Signature模式。 4 规则.

终端
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=347

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (4)

4 警告信号
4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Improper Verification of Cryptographic Signature漏洞。在代码审查和安全审计中注意查找。

🟠
JWT implementation has security vulnerabilities fastapi-jwt-security
🟠
JWT security issues in FastAPI applications including: - Weak or hardcoded secrets - Missing algorit fastapi-jwt-security
🟠
use of jwt javascript-jwt-decode-without-verify
🔴
JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token python-jwt-algorithm-confusion
🔍

扫描你的代码库: Improper Verification of Cryptographic Signature

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则