# Improper Verification of Cryptographic Signature
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-347: Improper Verification of Cryptographic Signature |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
The application is configured to accept unsigned security tokens by setting RequireSignedTokens to false. This means tokens without a valid cryptographic signature are treated as valid, making it easy for attackers to forge or tamper with tokens.
## Impact
If exploited, attackers could create or modify tokens to impersonate users, bypass authentication, or gain unauthorized access to sensitive resources. This can lead to data breaches, privilege escalation, and loss of trust in the application’s security.
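The weak setting described above beside its corrected form, as an added example (not code from the original page); it uses Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt, and the key, issuer and audience values are constructed placeholders:

```csharp
using System.IdentityModel.Tokens.Jwt;   // NuGet package: System.IdentityModel.Tokens.Jwt
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenValidationExample
{
    // Constructed sample values for the demo; a real service loads the key from a secret store.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-of-at-least-32-bytes"));
    private const string Issuer = "https://issuer.example";
    private const string Audience = "api.example";

    // Weak configuration (the finding on this page): a token that carries no
    // signature is accepted as though its signature had been verified.
    public static TokenValidationParameters Vulnerable() => new TokenValidationParameters
    {
        RequireSignedTokens = false,      // CWE-347
        IssuerSigningKey = Key,
        ValidIssuer = Issuer,
        ValidAudience = Audience,
    };

    // Hardened configuration: keep RequireSignedTokens at its default (true) and
    // state the key, issuer, audience and lifetime checks explicitly.
    public static TokenValidationParameters Hardened() => new TokenValidationParameters
    {
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = Key,
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
    };

    // True when the handler accepts the token under the given parameters;
    // an unsigned token passes with Vulnerable() and is rejected by Hardened().
    public static bool IsAccepted(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            return false;     // missing or invalid signature, wrong issuer/audience, or expired
        }
    }
}
```

A unit test that feeds an unsigned token to `IsAccepted(token, Hardened())` and expects `false` is a cheap regression guard for this setting.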