CWE-347 Improper Verification of Cryptographic Signature
What this means
SiteShadow flagged code that accepts signed data without correctly verifying the signature (or verifies it incorrectly). This includes skipping verification, using the wrong key, or validating the wrong data/claims.
Why it matters
Unverified signatures allow tampered data to be accepted.
- Forged tokens/events: attackers can impersonate users or spoof webhooks.
- Data tampering: "signed" payloads can be modified if verification is broken.
- Supply-chain style impact: if update/package signatures are not checked correctly, malicious updates can be accepted.
Safer examples
1) Use a well-maintained library and verify by default
Avoid implementing signature schemes yourself.
2) Verify the right thing, with the right key
- Verify the signature over the canonical/raw payload
- Pin the expected algorithm(s)
- Use the correct public key / secret and rotate keys safely
3) Validate claims after signature verification
For tokens: validate iss, aud, exp, and any critical claims (see JWT01).
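The three steps above in the order a verifier must apply them (pin the algorithm, check the signature over the raw header.payload bytes, and only then parse and validate claims), shown as an added example for an HS256 token using only the Python standard library. This is illustrative code, not SiteShadow's own or any library's; the secret, issuer and audience values are constructed, and a production service should call a maintained JWT library's verify function with the same checks enabled rather than ship this.

```python
import base64, hmac, hashlib, json, time

# Constructed example secret; a real deployment loads it from a secret store.
SECRET = b"example-shared-secret"
EXPECTED_ALG = "HS256"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SECRET, alg: str = EXPECTED_ALG) -> str:
    """Mint a test token (constructed helper so the example runs offline)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if the signature and the critical claims check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # 1) Pin the algorithm: never let the token's own header choose the verifier.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    # 2) Verify over the raw header.payload bytes with a constant-time compare.
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3) Only after the signature holds: parse and validate iss, aud and exp.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims
```

A token signed with a different key, one whose header names another algorithm, or one whose payload was edited after signing is rejected before any claim is read.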
How SiteShadow detects it (high level)
- Recognizes signature/JWT/webhook verification flows and flags "verify disabled" or partial validation patterns.
- Flags when code parses/uses claims before verification or ignores verification errors.
References
- CWE-347: https://cwe.mitre.org/data/definitions/347.html
---