Weakness reference
CWE-345

Insufficient Verification of Data Authenticity

This weakness occurs when software accepts data without properly verifying that it came from a trusted source or hasn't been tampered with. An attacker can…

01Summary

This weakness occurs when software accepts data without properly verifying that it came from a trusted source or hasn't been tampered with. An attacker can forge, modify, or replay data, and the application will treat it as legitimate. This is a foundational security flaw that can lead to account takeover, privilege escalation, data corruption, and unauthorized actions.

02How It Happens

Applications often receive data from external sources—user input, API responses, cookies, configuration files, or network messages. If the software doesn't cryptographically verify the origin or integrity of that data, an attacker can intercept and modify it in transit, or craft fake data that the application will accept as genuine. Common scenarios include trusting unsigned cookies, accepting unauthenticated API responses, or relying on client-side validation alone without server-side verification.

03Real-World Impact

An attacker could modify a session cookie to impersonate another user, alter an API response to inject malicious instructions, replay an old transaction to repeat an action, or forge authentication tokens to gain unauthorized access. The impact ranges from account compromise to data theft, financial fraud, or system-wide compromise depending on what data is being verified and how it's used.

04Vulnerable & Fixed Patterns

Vulnerable pattern
import json
import requests

# Receiving data from an external API without verification
response = requests.get('https://api.example.com/user_data')
user_data = response.json()

# Trusting the data directly without checking origin or integrity
user_id = user_data['user_id']
is_admin = user_data['is_admin']

if is_admin:
    grant_admin_privileges(user_id)

Why it's vulnerable:
The code accepts JSON from an external source without verifying the response signature, checking a cryptographic hash, or validating that it came from the expected server. An attacker on the network could intercept and modify the response to set is_admin to True.

Fixed pattern
import json
import requests
import hmac
import hashlib

# Receiving data with cryptographic verification
response = requests.get('https://api.example.com/user_data')
user_data = response.json()
signature = response.headers.get('X-Signature')

# Verify the signature using a shared secret
expected_signature = hmac.new(
    b'shared_secret_key',
    response.content,
    hashlib.sha256
).hexdigest()

if not hmac.compare_digest(signature, expected_signature):
    raise ValueError("Data authenticity verification failed")

user_id = user_data['user_id']
is_admin = user_data['is_admin']

if is_admin:
    grant_admin_privileges(user_id)
Vulnerable pattern
<?php
// Accepting a cookie value without verification
$user_role = $_COOKIE['user_role'];

// Trusting the cookie directly
if ($user_role === 'admin') {
    display_admin_panel();
}
?>

Why it's vulnerable:
Cookies are stored on the client and can be modified by the user or an attacker. The code trusts the cookie value without any cryptographic signature or server-side verification, allowing privilege escalation.

Fixed pattern
<?php
// Using signed cookies with HMAC verification
$user_role = $_COOKIE['user_role'] ?? null;
$signature = $_COOKIE['user_role_sig'] ?? null;

// Verify the signature
$expected_signature = hash_hmac(
    'sha256',
    $user_role,
    'server_secret_key'
);

if (!hash_equals($expected_signature, $signature ?? '')) {
    die('Invalid cookie signature');
}

// Now safe to use the verified value
if ($user_role === 'admin') {
    display_admin_panel();
}
?>

05Prevention Checklist

Use cryptographic signatures or HMACs
for any data that crosses a trust boundary (cookies, API responses, configuration files). Verify the signature on every use.
Validate data origin
by checking TLS certificates, certificate pinning, or mutual authentication (mTLS) for API calls.
Never trust client-side validation alone.
Always re-validate critical data on the server before acting on it.
Implement server-side session management
instead of storing sensitive state (like user role or permissions) in client-controlled cookies.
Use authenticated encryption
(e.g., AES-GCM) for sensitive data in transit, not just signing.
Log and alert on verification failures
so you can detect tampering attempts in real time.

06Signs You May Already Be Affected

Look for unexplained privilege escalations, users reporting unauthorized actions on their accounts, or API responses that don't match expected formats. Check server logs for repeated signature verification failures or unusual cookie values. If you're storing sensitive data like user roles or permissions in cookies without signatures, you are vulnerable.

07Related Recent Vulnerabilities