Mitigating OWASP Web Application Risk: Software and Data Integrity Failures using F5 XC Platform

Overview:

This article is a continuation of the series on mitigating OWASP Web Application vulnerabilities using the F5 Distributed Cloud platform (F5 XC).


Introduction to OWASP Software and Data Integrity Failures:

Automating the software release process with CI/CD pipelines has helped organizations speed up product delivery, reduce cost and ship updates and fixes in a short span of time. But to keep up with frequent releases, security best practices are sometimes overlooked, which lets attackers infiltrate the deployment pipeline, inject malicious code and eventually expose end users to risk.

Software and Data Integrity Failures (A08:2021) is one of the new categories in the OWASP Top 10 2021 list. It covers code and infrastructure that do not protect against integrity violations: for example, updates, critical data or CI/CD pipeline changes that are accepted without verifying their integrity (such as a signature check), and applications that deserialize untrusted data.

Insecure Deserialization, which was a separate category (A8) in the OWASP Top 10 2017, is now part of this broader category.

The above image depicts a possible attack scenario: the attacker publishes an open-source package with malicious code embedded in it. As part of an update, the compromised package is imported into the organization's repository without any integrity check and deployed to the production environment, which results in wide distribution of the malicious code and lets the attacker sneak into the end users' network.

Insecure Deserialization:

Before looking at insecure deserialization, we should first understand serialization and deserialization.

‘Serialization’ is the process of converting an object or data structure into a format that is convenient to store or transmit; it is used to preserve the current state of an object. ‘Deserialization’ is the reverse process: it turns the serialized output (a byte stream or string) back into its original form (the object).

Now that we know what serialization and deserialization are, we can discuss insecure deserialization and why it is a security concern.

Insecure deserialization occurs when a website deserializes user-controllable input in an unsafe way. Attackers take advantage of it by modifying the content of the serialized object (its class and property values) so that the application's own logic, for example magic methods that run automatically during deserialization, is misused for their benefit. It is also known as an object injection vulnerability.

Now let's look at the demonstration attack scenario and see how the F5 XC platform can mitigate this security event.


Demonstration:

For this demonstration we have hosted the vulnerable application (XVWA) on an instance and are using an F5 XC HTTP Load Balancer (LB) to route client requests to it. The configuration steps for the HTTP LB in the F5 XC console are described in this document.

Note: XVWA (Xtreme Vulnerable Web Application) is a deliberately buggy application written in PHP/MySQL for learning application security. For more information refer to the repository.

Attack Scenario: 

As the above screenshot shows, serialized data is added as a query parameter in the URL as soon as the button is clicked, which hints at a possible insecure deserialization vulnerability.

The code snippet below shows the web application's implementation. The “unserialize()” function is called on the user-supplied request parameter ‘r’. When unserialize() rebuilds an object of the application's class, PHP automatically invokes that class's “__wakeup()” magic method; here __wakeup() checks with “isset()” whether the ‘inject’ property is set and, if so, passes its value to eval(). In other words, whoever controls the ‘inject’ property controls PHP code that runs on the server.

Now that we know the flow of execution, we can manipulate the request by crafting a serialized input that performs a command injection attack.

In the code snippet below we declared a class with the same name. Because the value of the ‘inject’ property is executed as PHP code, we set it to a call to system() so that an OS command runs on the host operating system; finally we created an object of the class and printed its serialized value.

Serialized data explanation: O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('ps -ef');";}

‘O’ – object
‘18’ – length of the class name
‘PHPObjectInjection’ – class name
‘1’ – number of properties in the object
‘s’ – string (type of the property name)
‘6’ – length of the property name
‘inject’ – property name
‘s’ – string (type of the property value)
‘17’ – length of the property value
‘system('ps -ef');’ – property value, i.e. the PHP code that eval() will run
‘}’ – end of the object

Now that we have the custom serialized data, we can send it as the ‘r’ parameter to perform the command injection attack.

The screenshot below shows successful exploitation of the vulnerability: the response contains the list of processes running on the server.
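
The complete flow described above, as an added example that is not XVWA's own code: the vulnerable class as the article describes it, the attacker-side payload construction, and, for contrast, a hardened handler. The class and property names are the ones the article's payload uses; the URL, the expected input shape (a list of strings) and the RUN_VULNERABLE switch are assumptions made for illustration.

```php
<?php
// Added example (not XVWA's code): the vulnerable pattern the article describes,
// the attacker's payload construction, and a hardened handler for comparison.

// Vulnerable class: __wakeup() runs automatically inside unserialize() and
// hands an attacker-controlled property to eval().
class PHPObjectInjection
{
    public $inject;

    public function __wakeup()
    {
        if (isset($this->inject)) {
            eval($this->inject);   // attacker-controlled PHP code
        }
    }
}

// ---- Attacker side: build the payload exactly as the article does ----------
function buildPayload(string $phpCode): string
{
    $obj = new PHPObjectInjection();
    $obj->inject = $phpCode;
    return serialize($obj);
}

// ---- Vulnerable server side -------------------------------------------------
function vulnerableHandler(string $r)
{
    // Plain unserialize() instantiates whatever class the payload names and
    // calls its __wakeup(), so eval() has already run when this line returns.
    return unserialize($r);
}

// ---- Hardened server side ---------------------------------------------------
function hardenedHandler(string $r)
{
    // allowed_classes => false (PHP 7.0+) turns every object in the payload into
    // __PHP_Incomplete_Class; no user-defined magic method is ever invoked.
    $value = @unserialize($r, ['allowed_classes' => false]);

    // Then validate the shape: this (assumed) endpoint only expects a list of
    // strings. Anything else, including the incomplete-class object, is rejected.
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_string($item)) {
            return null;
        }
    }
    return $value;
}

$payload = buildPayload("system('ps -ef');");
echo $payload, PHP_EOL;
// O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('ps -ef');";}

// How it travels in the demo: as the 'r' query parameter (host and path assumed).
echo 'http://xvwa.example/vuln/?r=' . urlencode($payload), PHP_EOL;

// Legitimate input for the endpoint, for comparison.
$legit = serialize(['apple', 'banana']);

var_dump(hardenedHandler($legit));     // array(2) { ... }
var_dump(hardenedHandler($payload));   // NULL, and no command was executed

// Only run the vulnerable path on purpose: it executes `ps -ef` on this host.
if (getenv('RUN_VULNERABLE') === '1') {
    vulnerableHandler($payload);
}
```

The allowed_classes option is the narrowest fix when a serialized format cannot be dropped; the better design is not to accept PHP-serialized data from clients at all and to carry client state in a data-only format such as JSON (json_decode() never instantiates application classes or runs magic methods).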


Prevention:

Step 1: Log in to the F5 XC console and open the configuration page of your HTTP LB.

Step 2: Enable Web Application Firewall (WAF), create or configure a WAF policy as per your needs and attach it to the LB. For this demonstration we used the configuration shown below:

Step 3: Repeat the attack scenario.

As the above screenshot shows, the F5 XC WAF engine has identified and blocked the attack that would otherwise have given the attacker command execution on the server.

Finally, monitor the F5 XC Security Event Logs for the details of the blocked request.
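
What a WAF signature for this attack essentially matches, as an added example that is not F5 XC's rule set (the article does not show the signature logic): a check for serialized PHP object headers run over a few constructed request lines, decoding each query parameter first so the URL-encoded form of the payload is caught as well. The paths and parameter names in the samples are invented for illustration.

```php
<?php
// Added example: a minimal request-parameter check for PHP serialized objects,
// run over constructed sample request lines. It illustrates the class of
// signature a WAF applies; it is not F5 XC's rule set.

// Matches a serialized PHP object header: O:<len>:"<ClassName>":<n>:{
const PHP_OBJECT_PATTERN = '/\bO:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

function containsSerializedObject(string $value): bool
{
    // Decode once so O%3A18%3A%22PHPObjectInjection%22... is inspected as O:18:"...
    return preg_match(PHP_OBJECT_PATTERN, urldecode($value)) === 1;
}

// Returns the names of all query parameters in a request line whose value
// carries a serialized object header.
function suspiciousParams(string $requestLine): array
{
    $hits  = [];
    $path  = explode(' ', $requestLine, 3)[1] ?? '';
    $query = parse_url($path, PHP_URL_QUERY) ?? '';
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $raw] = array_pad(explode('=', $pair, 2), 2, '');
        if (containsSerializedObject($raw)) {
            $hits[] = urldecode($name);
        }
    }
    return $hits;
}

// Constructed sample request lines (not real logs): a benign serialized array,
// the article's payload URL-encoded, and a second object in another parameter.
$samples = [
    'GET /vuln/?r=a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22apple%22%3Bi%3A1%3Bs%3A6%3A%22banana%22%3B%7D HTTP/1.1',
    'GET /vuln/?r=O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27ps+-ef%27%29%3B%22%3B%7D HTTP/1.1',
    'GET /search?q=hello&state=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1',
];

foreach ($samples as $line) {
    $hits = suspiciousParams($line);
    printf("%-22s <- %s\n", $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'ALLOW', $line);
}
```

The first sample is allowed (a serialized array has no O: header) and the other two are blocked. A check like this only covers the query string; payloads in a POST body, a cookie, or wrapped in another encoding such as base64 would pass it, which is why signature-based blocking is a compensating control on top of the application fix, not a replacement for it.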


Conclusion:

With an ever-evolving threat landscape it has become critically important to securely manage your deployments. The F5 XC security solution suite helps achieve this in a simple manner: as the demonstration shows, attaching the default WAF policy in blocking mode was enough to defeat the demo attack. The WAF is a compensating control, though; the application-level fix is to never call unserialize() on untrusted input (or at least to restrict it with the allowed_classes option) and to carry client-supplied state in a data-only format such as JSON.


References:

PHP methods used:

isset(): Determines whether a variable is declared and is not null. For more information refer to the documentation.

eval(): Evaluates a string as PHP code. For more information refer to the documentation.

system(): Executes an OS command and displays its output. For more information refer to the documentation.

serialize(): Generates a storable representation of a value. For more information refer to the documentation.

unserialize(): Creates a PHP value from a stored representation. For more information refer to the documentation.

Magic Methods: Special methods that override PHP's default action when certain operations are performed on an object (__wakeup() is the magic method that is called automatically when an object is unserialized). For more information refer to the documentation.


For more details, follow the links below:

  1. OWASP Top 10 - 2021
  2. F5 Distributed Cloud WAAP
  3. Overview of OWASP Web Application Top 10 2021
Updated Jun 22, 2023
Version 4.0