CWE-345: Insufficient Verification of Data Authenticity

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application accepted modified or unsigned data without proper integrity verification. Evidence includes successful request tampering (modified JWT without signature verification, altered cookie values accepted), state changes triggered by manipulated parameters, or acceptance of unsigned/unverified API responses. Responses show that data lacking authentication (HMAC, signature) is trusted.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-345 typically indicate that the application accepted modified or forged data without verifying its authenticity, such as:

  • Tampered JWTs or tokens that were still accepted
  • Modified cookies or client-side state that influenced application behavior
  • Downloaded content or metadata processed without integrity verification
  • State or control data trusted without a signature or MAC

The evidence is the runtime observation that altered data was accepted; it is not tied to any particular request parameter or response body.

Mapping DAST Findings to Source Code

CWE-345 does not map to a specific HTTP endpoint or request parameter. The issue resides in how the application verifies the authenticity of data that crosses trust boundaries.

When tracing this issue in code, look for:

  • JWT or token verification logic
  • Signature or MAC validation routines
  • Signed cookies or session state verification
  • Integrity checks for downloaded or imported data
  • Trust decisions based on client-supplied data without verification

Remediation

Core Principle: Never allow untrusted data to influence security or control decisions unless its authenticity is verified by a server-controlled integrity mechanism (such as a signature or MAC) before use.

→ For comprehensive remediation guidance, see Static CWE-345 Guidance
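As an added example (not code from this page, the scanner, or any vendor), the vulnerable and hardened versions of loading HMAC-signed client-side state in Python. The key, the state fields and the helper names are assumptions; the point is that the hardened loader checks the server-keyed tag, in constant time, before any of the payload is parsed or trusted.

```python
import base64
import binascii
import hashlib
import hmac
import json
# Constructed example key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise client-held state and append a server-keyed HMAC-SHA256 tag."""
    payload = _b64e(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"

def load_state_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-345): the payload is parsed and trusted, the tag is ignored."""
    return json.loads(_b64d(token.split(".", 1)[0]))

def load_state_verified(token: str, key: bytes = SERVER_KEY) -> "dict | None":
    """Hardened pattern: the MAC is checked before the payload is parsed.
    Returns None for a missing, malformed or mismatching tag."""
    parts = token.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None                       # missing or structurally malformed signature
    payload, presented = parts
    try:
        presented_tag = _b64d(presented)
    except (binascii.Error, ValueError):
        return None                       # tag is not valid base64
    expected_tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_tag, expected_tag):
        return None                       # payload altered, or signed under another key
    return json.loads(_b64d(payload))     # only now is the content trusted

def tamper_check() -> dict:
    # Re-create the follow-up test: alter the payload, keep the genuine tag, load both ways.
    genuine = sign_state({"user": "alice", "role": "user"})
    altered_payload = sign_state({"user": "alice", "role": "admin"}).split(".")[0]
    altered = altered_payload + "." + genuine.split(".")[1]
    return {
        "unverified_accepts_altered": load_state_unverified(altered)["role"] == "admin",
        "verified_rejects_altered": load_state_verified(altered) is None,
        "verified_rejects_missing_tag": load_state_verified(altered_payload) is None,
        "verified_accepts_genuine": load_state_verified(genuine) == {"user": "alice", "role": "user"},
    }
```

`tamper_check` is the defender's regression test for the Verification section below: the unverified loader reports the elevated role, the verified loader returns None for the same token.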

Verification and Follow-Up Testing

After applying the fix:

1. Reproduce the Original Behavior

  • Attempt to modify signed tokens, cookies, or client-controlled state
  • Observe whether the application previously accepted altered data

2. Verify the Fix

  • Confirm that signed tokens are rejected if modified
  • Verify that unsigned or improperly signed data is not accepted
  • Ensure integrity checks are enforced before security decisions are made

3. Test Edge Cases

  • Alter integrity-protected data in transit and confirm rejection
  • Test malformed or missing signatures
  • Validate that integrity verification occurs before data is processed

4. Re-run DAST Scanner

Re-run your dynamic scanner to confirm that tampered data is no longer accepted.

Additional Resources