SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-347 Improper Verification of Cryptographic Signature

Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged code that accepts signed data without correctly verifying the signature (or verifies it incorrectly). This includes skipping verification, using the wrong key, or validating the wrong data/claims.

Why it matters

Unverified signatures allow tampered data to be accepted.

Safer examples

1) Use a well-maintained library and verify by default

Avoid implementing signature schemes yourself.

2) Verify the right thing, with the right key

3) Validate claims after signature verification

For tokens: validate iss, aud, exp, and any critical claims (see JWT01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.