A08:2021 β Software and Data Integrity Failures
For the information about Software and Data Integrity Failures, visit page (opens in a new tab)
Lack of integrity verification
CWE-494: Download of Code Without Integrity Check
About
Software and Data Integrity Failures can take many forms, particularly since as the web evolves it is more and more common to use third-party code and services within web applications. These failures can be summarised as follows:
- Usage of code that does not verify the integrity of the source
- Usage of third-party plugins where you do not control the source
- Plugins and extensions from untrusted sources
- The introduction of or potential for compromise or unauthorized access
- Auto-updates assume the trust of the source
In this lecture, we will focus on the last point, which is auto-update of packages.
Demo
Auto-update of packages is easy to implement, often with good intentions, but can be a source of compromise. Auto update of packages can be done by installing a package:
npm -g install npm-check-updatesand then running the following command in the terminal:
ncu -uThe last command will update all the packages in the package.json file to the latest version.
The vulnerability is, that the auto-update of packages is made without sufficient integrity verification. As long as repositories are open-source, an attacker can upload its version of the package which is then distributed and run on all installations where the automatic update is enabled.
Prevention
- It is not a good practice to use auto-update of packages. Instead, you should use a package manager that allows you to specify the version of the package you want to install.
- As was already mentioned in A06 - Vulnerable packages, you should only use libraries and packages from trusted sources.
- Also, you should always use a static code analyzer (Snyk, OWASP Dependency-Check), which also checks for known vulnerabilities in the packages you use.
This is not a bulletproof prevention, because in this type of attack, attackers rely on the fact that no security scanner will detect the vulnerability of the package right after the installation of a new compromised version and it will give them enough time to compromise the system before being detected.
Sources
- https://www.youtube.com/watch?v=TwfLvG0D6dc (opens in a new tab)
- https://www.youtube.com/watch?v=n2znsiP4BGU (opens in a new tab)
- https://dev.to/imomaliev/til-2021-09-20-automatically-update-package-json-versions-1c7p (opens in a new tab)
- https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ (opens in a new tab)