
Conversation

@sydseter
Collaborator

This PR closes OWASP/mastg#2589

Description

See issue for details


[x] I have read the contributing guidelines.


@sydseter sydseter changed the title Fixes https://github.com/OWASP/mastg/issues/2589a Fixes OWASP/mastg#2589 [MASWE-0025] Weak Signature Jul 15, 2025
sydseter and others added 4 commits July 15, 2025 13:42
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
@sydseter sydseter requested a review from cpholguera July 16, 2025 10:11
@cpholguera cpholguera requested a review from Diolor October 27, 2025 13:40
Comment on lines 27 to 28
- **Loss of Integrity and authenticity**: Signature forgery may allow the attacker to compromise the integrity and authenticity of the data by signing the data on behalf of another entity.
- **Loss of accountability**: Signature forgery allows for plausible deniability and diminishes accountability.
Collaborator


  1. I would add confidentiality: asymmetric algos also ensure it
  2. I would structure the existing into: integrity (that data being accessed is intact and as expected) and non-repudiation (authenticity - that an action came from a user). Accountability is closer to logging users' actions, indeed, to place.

Collaborator Author


  1. Sure, but let's ensure that MASWE-0025 only applies to weak signatures to ensure integrity, non-repudiation and authenticity.
  2. A digital signature inherently establishes authenticity (who sent it), integrity (that it hasn't been tampered with), and non-repudiation. Logging is a separate concern. I have divided the section into three.

Collaborator Author


Better?

sydseter and others added 6 commits November 3, 2025 09:34
Co-authored-by: Dionysis Lorentzos <ddl449@gmail.com>
Co-authored-by: Dionysis Lorentzos <ddl449@gmail.com>
Co-authored-by: Dionysis Lorentzos <ddl449@gmail.com>
Clarified impact statements regarding signature forgery.
Corrected capitalization and punctuation in the impact section.
@sydseter sydseter requested a review from Diolor November 7, 2025 14:08
@daiane-galvao

daiane-galvao commented Nov 12, 2025

Hi everyone, @Diolor @sydseter
I’m still new to this topic, but while contributing to a project in the banking sector, we identified an opportunity to strengthen digital signature generation by binding signatures to device identity and contextual data.

For mobile clients that generate signatures, including semantic context such as operation type, timestamp, nonce, and content hash helps ensure Proof of Possession (only the legitimate device can produce the signature) and non-repudiation (the signature is cryptographically tied to a specific device and operation).

I believe this could complement the current Mitigations section by emphasizing secure key binding and contextual signing practices. WDYT?
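The contextual signing this comment describes (binding a signature to device identity, operation type, timestamp, nonce and content hash), as an added example that is not part of the thread or of MASTG/MASWE. It assumes a per-device key registered at enrolment and uses HMAC as a stand-in for the device-bound asymmetric key so it runs with the standard library; the verifier side shows the checks that make the binding meaningful (replay, freshness, operation re-targeting, content substitution).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for a device-bound private key (a real client would use an
# asymmetric key in the device keystore); HMAC keeps the example stdlib-only.
DEVICE_KEY = b"constructed-demo-device-key"
FRESHNESS_WINDOW_S = 300  # reject signed requests older than this


def canonical_context(device_id, operation, content, timestamp, nonce):
    # What gets signed, as canonical JSON so client and server hash identical bytes.
    ctx = {"device_id": device_id, "operation": operation, "timestamp": timestamp,
           "nonce": nonce, "content_sha256": hashlib.sha256(content).hexdigest()}
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, device_id, operation, content, now=None):
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    msg = canonical_context(device_id, operation, content, ts, nonce)
    return {"device_id": device_id, "operation": operation, "timestamp": ts,
            "nonce": nonce, "signature": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class Verifier:
    # Server side: rebuild the context; reject replayed, stale or re-targeted requests.
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key registered at enrolment
        self.seen_nonces = set()

    def verify(self, req, expected_operation, content):
        key = self.device_keys.get(req["device_id"])
        if key is None:
            return False, "unknown device"
        if req["operation"] != expected_operation:
            return False, "operation mismatch"
        if abs(int(time.time()) - req["timestamp"]) > FRESHNESS_WINDOW_S:
            return False, "stale timestamp"
        if req["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_context(req["device_id"], req["operation"], content,
                                req["timestamp"], req["nonce"])
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(),
                                   req["signature"]):
            return False, "bad signature"
        self.seen_nonces.add(req["nonce"])
        return True, "ok"
```

The nonce set is process-local here; a real deployment would store seen nonces for at least the freshness window in shared storage.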

@sydseter
Collaborator Author

sydseter commented Nov 12, 2025

@daiane-galvao Absolutely, we do that as well, but, for us at least, it's done through binding the user's session to the private key on sign-in to our IDP. This issue, however, is about mobile application security weaknesses.
OWASP ASVS may cover this concern on the IDP and API side. See 4.1.5: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V4-API-and-Web-Service.md#v41-generic-web-service-security

But there is a need for clear recommendations regarding mobile clients and their role as OAuth clients as well (e.g. ASVS 5.0: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x19-V10-OAuth-and-OIDC.md#v102-oauth-client).

There is a MASTG document that talks about JWT tokens, briefly, and I believe your comment is relevant there:
https://github.com/OWASP/mastg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#general-assumptions

First priority now is MASTG 2.0, so even though I personally also feel solutions like Private Key JWT should be considered for mobile application authentication architecture, it won't be prioritized straight away for MASTG.

@cpholguera
Collaborator

@daiane-galvao despite that, we do welcome any contributions, so feel free to edit the linked files and keep providing feedback and suggestions for MASWE or MASTG tickets/open PRs.

Of course feel free to open discussions or issues.

https://mas.owasp.org/contributing/1_How_Can_You_Contribute/

Thank you.

@cpholguera cpholguera requested a review from Copilot November 15, 2025 12:52
Copilot finished reviewing on behalf of cpholguera November 15, 2025 12:53
Contributor

Copilot AI left a comment


Pull Request Overview

This PR converts MASWE-0025 from placeholder status to a fully documented weakness entry. The document now provides comprehensive guidance on improper generation of digital signatures.

Key changes:

  • Updated title from "Improper Generation of Cryptographic Signatures" to "Improper Generation of Digital Signatures"
  • Changed status from "placeholder" to "new"
  • Added complete documentation including Overview, Impact, Modes of Introduction, and Mitigations sections


sydseter and others added 4 commits November 16, 2025 09:58
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
sydseter and others added 3 commits November 16, 2025 10:03
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
@sydseter sydseter requested a review from cpholguera November 16, 2025 10:10
@cpholguera
Collaborator

@Diolor could you please take another look? We added a couple of changes.
