Overview: Software and Data Integrity Failures
Time
2 hours 37 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Number 8 of the OWASP top 10 in 2021 is software and data integrity failures. Our learning objectives are to describe software and data integrity failures, demonstrate how to test for these types of failures, and explain how to remediate software and data integrity failures.
What are software and data integrity failures? This is a brand new category in 2021, newly introduced with some old friends, I guess you could say, that we saw in 2017, like insecure deserialization. We've added some new things this year in 2021, specifically focused on supply chain issues. What do I mean by that? SolarWinds comes to mind, and that will be the focus of the article at the end of this lesson. But we're looking at software updates or packages, things that are coded without verifying their integrity. Now of course in the case of SolarWinds, this was a signed update, so people trusted it, but it brings to light the fact that we rely so much on third parties. We code using third-party libraries; we update our routers with firmware where maybe we don't know the source of the firmware, maybe someone's implanted some kind of malware in that firmware; and plug-ins like WordPress. Do we actually know what we're installing when we have a WordPress site? Do we inspect the code and make sure that it's safe? This is within the software deployment pipeline: are we analyzing everything that we're using? A lot of the time, if we're in a large enterprise, we're not, just because there are so many things, for lack of a better word, to track. So many things are being updated, so many things that we can only trust so much, and if they're signed then we give them our trust. Sometimes we don't even see if they're signed or do any code review, and that's what introduces this failure.
What are the factors here? There are 10 CWEs mapped to this category. You can see I put in pink that the average weighted impact is one of the highest; it's almost eight. The exploitability is also somewhat high at 6.94. You can see there are nearly 50,000 occurrences, and there are 1,152 CVEs mapped to these 10 CWEs. I encourage you to go to the link at the bottom for the OWASP site to see what all of this means in more detail, I should say.
Let's go over the CWEs. You'll see insufficient verification of data authenticity, missing support for integrity checks, untrusted search path, download of code without integrity checks. There's our friend, deserialization of untrusted data; again, in 2017 I believe this was Number 8. Reliance on cookies without validation and integrity checking; we'll see a little bit more of that later in an example. Reliance on cookies without validation and integrity checking in a security decision. Inclusion of functionality from an untrusted control sphere, inclusion of web functionality from an untrusted source. You can see the word untrusted here a lot. You can see lack of validation here a lot, and improperly controlled modification of dynamically determined object attributes. Again, if you want to check any of these out, they're all on the MITRE website, for the CWE that you're looking for here, for a deeper dive.
Recently there have been a number of attacks on our supply chain. Again, SolarWinds is a big one. But if you're in the bug bounty world, Alex Birsan should be a familiar name to you. If not, he is an interesting guy; he has found some very novel attacks. I've linked his Medium article; it is a great read. Basically what he did is this: a lot of enterprises are using npm, which is a package manager much like pip for Python or gem for Ruby; for Node, they use npm. He found through open source means companies that use these packages. Now companies typically use an internal package management system, something like Artifactory, but some also just blindly install things: npm install, pip install, gem install, and they were installing from the public library. Now the packages that existed privately in the private Artifactory, he would then take them over publicly in the public repos and perform code execution, and he did this with a great deal of success. Again, I highly recommend you read his article here. But he did this for some large corporations and found that they were incredibly vulnerable, because a lot of developers just downloaded what they thought was the correct package, when in fact it was not the correct package. If an attacker can control these packages, again, they can perform an attack. I took a look at something like this, and I was able to get a reverse shell simply by creating a public package that was poisoned or malicious, and was able to execute a reverse shell with that. An attacker that does take control of these packages and poisons them is able to do a whole bunch of malicious things. A reverse shell is just one example; downloading malware or crypto miners are other examples as well.
Insecure deserialization. Now this could be a whole talk unto itself, because it was its own category back in 2017, when it was Number 8 in the OWASP top 10. Now I'm not a developer, I am a hacker, and I will probably do not the best job of explaining what insecure deserialization is, but when we're looking at serialization we're looking at an object. For example, let's say someone's entering their name, and address, and phone number, and that data is an object. All the data that pertains to that person, maybe it's at a health insurance website, they're entering all their information. That's serialized as an object, and developers want to take that information that the person enters and they want to save that to storage. You can see cookies are another example in this scenario too, from the OWASP top 10 in 2017. Now it's put into a byte stream, and for some reason it makes me think of Willy Wonka and the Chocolate Factory, with Wonkavision, where you get zapped and then you turn into little particles in the byte stream, and then you're made whole again. Although they make them small in Willy Wonka, so I guess it's more like a transporter in Star Trek, where you go from whole form, you're put into a byte stream, and you're deserialized, and you are restructured back again into that object somewhere else. This is a type of injection attack. You'll see in this example here that it is not an injection attack; it's a super cookie, and if an attacker is able to inject their own data into this serialized object here, they can basically perform privilege escalation, which is actually not this vulnerability per se. It reminds me more of our Number 1 category in OWASP, broken access control. The things you can do with insecure deserialization, I guess in addition to broken access control and escalating privileges, is remote code execution. An interesting attack back in 2017, when they made this Number 8: it was because of the community survey that they added this. It was not because of the data; the data didn't back it up. They felt like, for insecure deserialization, there was not enough data to back up having it in the top 10; it's just that enough people had selected it in a survey, and that's why they included it in 2017. Now it's been lumped into Number 8, software and data integrity failures.
How do we test for this? This is a really hard one to test for. In the case of SolarWinds, it is incredibly difficult to detect. In the case of deserialization, we have cheat sheets here, like OWASP has for white and black box testing. Of course white box testing is probably better, so you can actually analyze the code and see where deserialization or serialization comes into play. But as far as package management, that's really hard to test for. How do you know that? Unless you're doing some kind of code review. Again, maybe it's a WordPress plugin. Are you analyzing that code? In the case of Alex Birsan, or people like him, they're doing open source intelligence, they're seeing what types of packages companies may have internally, and they're registering them on the public repos and poisoning them, so that when a developer downloads that public package they perform some "malicious action". In the case of Alex Birsan, it wasn't malicious; it was just emulating an attack. But he was able to pull workstation information through DNS exfiltration, which is another really cool thing, because most enterprises are not tracking the DNS protocol. They're not tracking for exfiltration via DNS, which they should be, because that's not even a novel technique; that's a very interesting technique that a lot of places don't monitor for or don't properly mitigate that type of exfiltration attack.
How do we prevent or remediate software and data integrity failures? Again, I'm sure you're using trusted libraries and dependencies. Verify the software is from expected sources: are you just downloading it from any website? Are you downloading from the proper website, whatever software you are downloading? Ensure there is a review process for code and configuration changes. Again, are you looking at that plugin for WordPress, or Joomla, or Drupal? Are you ensuring that that plugin is a non-malicious plug-in, or that the code is in fact secure? For insecure deserialization, what you want to do to prevent that is ensure that unsigned or unencrypted serialized data is not sent to untrusted clients without some form of integrity check or digital signature to detect tampering or replay of the serialized data. That was taken directly from that website down there, for our top 10; that is the guidance from OWASP.
We'll get to actually see insecure deserialization; that will be in the lab. It's a pretty cool attack as a hacker. Again, I'm not a developer, so I would encourage you: I think PortSwigger does a great job of explaining insecure deserialization. They of course have their own labs that are pretty cool. But I think the next lab is pretty cool. It's not like the other labs where I make you figure out what the answer is; it's an open book test, but I want you to get familiar with insecure deserialization attacks and what they are. I will do a demo on that. I'll explain a little bit of that in Burp Suite, and the different extensions that there are in Burp Suite. But in summary, we've described basically what software and data integrity failures are, how to test, even though it's very hard in terms of package management and things like that, how to test for software and data integrity failures, and ways to remediate or prevent software and data integrity failures.
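The OWASP remediation the instructor quotes for insecure deserialization (do not hand serialized data to untrusted clients without an integrity check or signature that detects tampering or replay) as a worked example. This is added code, not from the lesson, the instructor or OWASP. It assumes one common way to implement the check: an HMAC-SHA256 tag over a JSON envelope that carries an expiry, verified before anything is deserialized. The key, the user record and the timestamps are constructed for the demo, and with_body_replaced only simulates the "super cookie" edit from the lesson so the rejection path can be shown.

```python
"""Integrity-protected serialized data for cookies and tokens.

Added example (not code from this lesson or its instructor): sign a JSON
envelope with HMAC-SHA256 and verify the tag before deserializing, so that
tampered or replayed (expired) payloads are rejected instead of trusted.
Key, user records and timestamps below are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is cookie-friendly.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    # Restore the padding stripped by _b64encode before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _envelope_bytes(data: dict, issued_at: int, ttl: int) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the signed bytes are stable.
    envelope = {"d": data, "iat": issued_at, "exp": issued_at + ttl}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_payload(data: dict, key: bytes, issued_at: int, ttl: int) -> str:
    """Serialize `data` with issue/expiry times and append an HMAC-SHA256 tag."""
    body = _envelope_bytes(data, issued_at, ttl)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64encode(body) + "." + _b64encode(tag)


def verify_and_load(token: str, key: bytes, now=None):
    """Return the payload dict if tag and expiry check out, otherwise None.

    The tag is checked BEFORE json.loads runs, so untrusted bytes are never
    parsed; using JSON rather than a native object serializer keeps the
    deserialization step free of code execution.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64decode(body_b64), _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # body was altered, or signed under a different key
    envelope = json.loads(body)
    if now >= envelope["exp"]:
        return None  # expired: an old token presented again (replay)
    return envelope["d"]


def with_body_replaced(token: str, data: dict, issued_at: int, ttl: int) -> str:
    """Simulate a client editing the serialized object while keeping the old
    tag (the "super cookie" edit from the lesson). Demo helper only, used to
    show that verify_and_load rejects the result."""
    old_tag = token.split(".")[1]
    return _b64encode(_envelope_bytes(data, issued_at, ttl)) + "." + old_tag


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"  # constructed for the example
    token = sign_payload({"user": "alice", "role": "user"}, key, 1000, 300)
    forged = with_body_replaced(token, {"user": "alice", "role": "admin"}, 1000, 300)
    return {
        "valid": verify_and_load(token, key, now=1100),
        "expired": verify_and_load(token, key, now=1300),
        "tampered": verify_and_load(forged, key, now=1100),
        "wrong_key": verify_and_load(token, b"other-key", now=1100),
        "garbage": verify_and_load("not.a.token", key, now=1100),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Only the "valid" case yields a payload; the edited role, the expired token, a token signed under another key and a malformed string all come back as None without the body ever being parsed. A full replay defence would also track the token's iat or a nonce server-side so a still-unexpired token cannot be presented twice, and a signature (rather than an HMAC) is the choice when the verifying party must not hold the signing key.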
Up Next
Scenario: The SolarWinds Breach
10m
Lab: Software and Data Integrity Failures
1h