At the time of verification, we use the value of digest header(if required) for verifying signature.
This opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers, signature verification will still be OK because we are using the digest header sent for the verification purpose.
To prevent such attack , we should
Either,
i) recalculate the 'digest' to be used in signature verification.
Or,
ii)Compare the[ 'digest' header value] with the [re-calculated 'digest' from body] , if the signature calculation method for verification remains as is.
At the time of verification, we use the value of digest header(if required) for verifying signature.
This opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers, signature verification will still be OK because we are using the digest header sent for the verification purpose.
To prevent such attack , we should
Either,
i) recalculate the 'digest' to be used in signature verification.
Or,
ii)Compare the[ 'digest' header value] with the [re-calculated 'digest' from body] , if the signature calculation method for verification remains as is.