You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the time of verification, we use the value of digest header(if required) for verifying signature.
This opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers, signature verification will still be OK because we are using the digest header sent for the verification purpose.
To prevent such attack , we should
Either,
i) recalculate the 'digest' to be used in signature verification.
Or,
ii)Compare the[ 'digest' header value] with the [re-calculated 'digest' from body] , if the signature calculation method for verification remains as is.
The text was updated successfully, but these errors were encountered:
At the time of verification, we use the value of digest header(if required) for verifying signature.
This opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers, signature verification will still be OK because we are using the digest header sent for the verification purpose.
To prevent such attack , we should
Either,
i) recalculate the 'digest' to be used in signature verification.
Or,
ii)Compare the[ 'digest' header value] with the [re-calculated 'digest' from body] , if the signature calculation method for verification remains as is.
The text was updated successfully, but these errors were encountered: