Php Improper Crypto Signature Verification
Description
Detects when cryptographic signature verification in PHP code may be implemented incorrectly, specifically around the openssl_verify function. This can lead to signature bypass vulnerabilities where an attacker could forge signatures that appear valid, compromising the integrity verification system.
Detection Strategy
• Identifies direct calls to openssl_verify function in PHP code
• Checks if cryptographic keys or verification data come from user-controllable input
• Monitors variables that store verification results to detect if they are used securely
• Reports a vulnerability when signature verification results are not properly validated or could be bypassed
• Examines the context where verification results are used in conditional statements or security decisions
Vulnerable code example
<?php
$payload = $_POST['payload'];
$signature = $_POST['signature'];
$user_pubkey = $_POST['pubkey']; // Attacker-controlled public key
// VULNERABLE: Using untrusted public key from user input
if (openssl_verify($payload, base64_decode($signature), $user_pubkey)) {
// Loose truthy check AND untrusted key - attacker can forge signatures...✅ Secure code example
<?php
// Hardcoded trusted public key - never accept from user input
$trusted_pubkey = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...\n-----END PUBLIC KEY-----";
$payload = $_POST['payload'] ?? '';
$signature = $_POST['signature'] ?? '';
// Validate inputs are non-empty strings...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.