CWE-347 Improper Verification of Cryptographic Signature
Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged code that accepts signed data without correctly verifying the signature (or verifies it incorrectly). This includes skipping verification, using the wrong key, or validating the wrong data/claims.
Why it matters
Unverified signatures allow tampered data to be accepted.
- Forged tokens/events: attackers can impersonate users or spoof webhooks.
- Data tampering: "signed" payloads can be modified if verification is broken.
- Supply-chain style impact: if update/package signatures are not checked correctly, malicious updates can be accepted.
Safer examples
1) Use a well-maintained library and verify by default
Avoid implementing signature schemes yourself.
2) Verify the right thing, with the right key
- Verify the signature over the canonical/raw payload
- Pin the expected algorithm(s)
- Use the correct public key / secret and rotate keys safely
3) Validate claims after signature verification
For tokens: validate iss, aud, exp, and any critical claims (see JWT01).
How SiteShadow detects it (high level)
- Recognizes signature/JWT/webhook verification flows and flags "verify disabled" or partial validation patterns.
- Flags when code parses/uses claims before verification or ignores verification errors.
References
- CWE-347: https://cwe.mitre.org/data/definitions/347.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.