Reliance on Obfuscation or Encryption without Integrity Checking
This weakness occurs when software encrypts or obfuscates data but fails to verify that the data hasn't been modified after encryption. An attacker can alter…
This weakness occurs when software encrypts or obfuscates data but fails to verify that the data hasn't been modified after encryption. An attacker can alter encrypted data without triggering any error or detection, potentially causing the application to process corrupted or malicious information. Encryption alone does not guarantee that data remains trustworthy — you also need a way to detect tampering.
02How It Happens
Encryption protects *confidentiality* — it keeps data secret from unauthorized readers. However, it does not inherently protect *integrity* — the assurance that data hasn't been altered. When an application encrypts a value (such as a session token, user ID, or configuration setting) and later decrypts it without checking a cryptographic signature or authentication tag, an attacker can modify the ciphertext. The decryption will succeed, but the resulting plaintext may be corrupted or malicious. The application then processes this tampered data as if it were legitimate, leading to logic flaws, privilege escalation, or data corruption.
03Real-World Impact
An attacker could modify an encrypted user ID in a cookie to impersonate another account, alter an encrypted price field in a shopping cart to pay less, or corrupt an encrypted configuration value to trigger unexpected behavior. In some cases, tampered encrypted data can cause denial of service or enable remote code execution if the decrypted value is used in an unsafe context. The lack of integrity checking means these attacks leave no obvious trace — the decryption succeeds silently, and the application proceeds with corrupted data.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import base64
from cryptography.fernet import Fernet
# Attacker-controlled encrypted token
encrypted_token = b'gAAAAABl...' # tampered ciphertext
cipher = Fernet(key)
try:
decrypted = cipher.decrypt(encrypted_token)
user_id = int(decrypted.decode())
# Process user_id without verifying it came from a trusted source
grant_access(user_id)
except Exception:
pass
Why it's vulnerable: The code decrypts the token but does not verify its authenticity. An attacker can flip bits in the ciphertext, and if decryption succeeds (or fails silently), the application may process invalid or malicious data.
Fixed pattern
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os
# Use authenticated encryption (AES-GCM)
key = os.urandom(32)
cipher = AESGCM(key)
nonce = os.urandom(12)
plaintext = b'user_id:42'
ciphertext = cipher.encrypt(nonce, plaintext, None)
# Later: decrypt and verify in one operation
try:
decrypted = cipher.decrypt(nonce, ciphertext, None)
user_id = int(decrypted.decode().split(':')[1])
grant_access(user_id)
except Exception:
# Decryption failed — data was tampered with
deny_access()
Why it's vulnerable: XOR obfuscation is not encryption, and there is no integrity check. An attacker can modify the cookie value, and the application will decrypt and use it without detecting tampering.
Use authenticated encryption modes (AES-GCM, ChaCha20-Poly1305) instead of plain encryption, which combines confidentiality and integrity checking in a single operation.
If you must use non-authenticated encryption, compute and verify an HMAC or other authentication tag over the ciphertext before decryption.
Never rely on obfuscation (XOR, base64, simple substitution) as a substitute for encryption; it provides no real security.
Treat decryption failures as security events — log them and deny access rather than silently continuing.
Use established cryptographic libraries and avoid implementing custom encryption or authentication logic.
06Signs You May Already Be Affected
Review your codebase for encryption or obfuscation of sensitive values (session tokens, user IDs, API keys, prices) without corresponding integrity checks. Look for decryption operations that do not verify an authentication tag or HMAC, or that catch and suppress decryption errors. Check logs for unusual patterns of decryption failures or unexpected data corruption that might indicate tampering attempts.