CWE-345: Insufficient Verification of Data Authenticity

What is Insufficient Verification of Data Authenticity?

• Overview: Insufficient Verification of Data Authenticity (CWE-345) occurs when an application does not adequately confirm the source or integrity of incoming data, leading to acceptance of potentially invalid or harmful data.

• Exploitation Methods:

• Attackers can exploit this vulnerability by injecting malicious data, impersonating legitimate sources, or tampering with data in transit.
• Common attack patterns include man-in-the-middle attacks, data spoofing, and replay attacks.

• Security Impact:

• Direct consequences include unauthorized access, data corruption, and execution of unintended actions.
• Potential cascading effects involve further system compromise, propagation of incorrect data, and escalation of privileges.
• Business impact may include data breaches, reputational damage, and financial losses due to fraud or operational disruptions.

• Prevention Guidelines:

• Specific code-level fixes include implementing cryptographic techniques such as digital signatures or message authentication codes (MACs) to verify data authenticity.
• Security best practices involve using secure communication protocols (e.g., TLS/SSL) and validating data sources before processing.
• Recommended tools and frameworks include libraries for cryptography (e.g., OpenSSL, Bouncy Castle) and secure API gateways to enforce data integrity checks.

Corgea can automatically detect and fix Insufficient Verification of Data Authenticity in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: ICS/OT

Vulnerable Code Example

JavaScript Example

// This function receives a JSON Web Token (JWT) from the client and decodes it to retrieve user information.
// However, it does not verify the signature of the JWT, allowing an attacker to forge tokens and impersonate users.
const jwt = require('jsonwebtoken');

function authenticateToken(req, res) {
    const authHeader = req.header('Authorization');
    if (!authHeader) return res.sendStatus(401);

    const token = authHeader.split(' ')[1];
    if (!token) return res.sendStatus(401);

    // Vulnerable: Decoding the token without verifying its signature
    const user = jwt.decode(token);  // This line decodes the token but does not verify its authenticity
    if (!user) return res.sendStatus(403);

    req.user = user;
    next();
}

How to fix Insufficient Verification of Data Authenticity?

To fix the vulnerability, we need to verify the authenticity of the JWT by checking its signature. This ensures that the token was issued by a trusted authority and has not been tampered with. In practice, this involves using a secret key (for HS256) or a public key (for RS256) to verify the token’s signature. This prevents attackers from forging tokens and impersonating users, as they would not have access to the secret or private key required to generate a valid signature.

Fixed Code Example

// This function receives a JSON Web Token (JWT) from the client, verifies its signature, and decodes it to retrieve user information.
// Now, it uses a secret key to ensure the token's authenticity, protecting against token forgery.
const jwt = require('jsonwebtoken');

// Secret key used for verifying the token's signature
const SECRET_KEY = 'your-very-secure-secret-key';

function authenticateToken(req, res, next) {
    const authHeader = req.header('Authorization');
    if (!authHeader) return res.sendStatus(401);

    const token = authHeader.split(' ')[1];
    if (!token) return res.sendStatus(401);

    // Fixed: Verifying the token's signature with the secret key
    jwt.verify(token, SECRET_KEY, (err, user) => {
        if (err) return res.sendStatus(403);  // If verification fails, respond with 403 Forbidden
        req.user = user;  // Attach the verified user information to the request
        next();  // Proceed to the next middleware or route handler
    });
}

By verifying the token with a secret key, we ensure that only valid tokens issued by our server (or a trusted authority) are accepted. This prevents unauthorized access and user impersonation. Always store your secret keys securely and consider using stronger algorithms (such as RS256) for added security.