🛠 Semgrep Rules OWASP A08:2024 – Software and Data Integrity Failures
Salute,
Today I want to share Semgrep rules for Software and Data Integrity Failures, OWASP A08:2024.
This category includes insecure deserialization: the application does not verify the integrity of code, data or updates, which lets an attacker introduce malicious code or tamper with data.
Typical A08 attack vectors
• Loading code from insufficiently authenticated or untrusted sources
• Insecure deserialization, including tampering with objects in memory; the danger is Remote Code Execution through crafted serialized objects
• Lack of integrity checking, for example using a CDN without SRI (Subresource Integrity) or applying updates without validation
Examples of attacks
• SolarWinds (2020): attackers compromised the SolarWinds CI/CD pipeline and introduced a backdoor into an Orion update, which US federal agencies then installed directly
• 3CX Desktop App (2023): attackers compromised the official version of the 3CX application by adding malware to it
• Codecov (2021): an attack on the Codecov Docker image build process, where a modified bash script stole credentials, tokens and PII from users' CI/CD environments
Example attack scenario
• Unsafe Deserialization in Java
// React calls Spring Boot microservices; the user state is serialized
// and sent with every request. A base64 payload starting with "rO0"
// is a Java serialized stream, which tools such as Java Serial Killer
// target for RCE.
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
UserState state = (UserState) in.readObject(); // untrusted stream deserialized without any filter
• JavaScript loaded from an untrusted source
<!-- No SRI integrity attribute: the fetched script is never integrity-checked -->
<script src="https://untrusted-cdn.com/library.js"></script>
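The missing control in the script tag above is the SRI integrity attribute. The following Python is an added example (not code from the original post) that computes an SRI value the way browsers do, base64 of a sha256/sha384/sha512 digest prefixed with the algorithm name, and verifies fetched bytes against an attribute that may list several hashes. The library contents and the hardened tag it renders are constructed here for illustration; the CDN URL is the one from the post.

```python
import base64
import hashlib

# Constructed sample: the bytes a browser would fetch from the CDN URL in the post.
# This stands in for the real library.js and is not taken from the post.
LIBRARY_JS = b"(function(){window.lib={version:'1.0'};})();\n"

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for content.

    The browser recomputes this over the bytes it actually received and
    refuses to execute the script if it does not match.
    """
    if algo not in _STRENGTH:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute value.

    The attribute may list several space-separated hashes. As in the SRI
    spec, tokens with unknown algorithms are ignored, the strongest listed
    algorithm wins, and any matching digest of that strength is accepted.
    """
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in _STRENGTH:
            parsed.append((algo, b64))
    if not parsed:
        return False
    best = max(_STRENGTH[a] for a, _ in parsed)
    for algo, b64 in parsed:
        if _STRENGTH[algo] == best and sri_hash(content, algo) == f"{algo}-{b64}":
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Render the hardened form of the <script> tag from the post."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    tag = script_tag("https://untrusted-cdn.com/library.js", LIBRARY_JS)
    print(tag)
    print("unmodified:", verify_sri(LIBRARY_JS, sri_hash(LIBRARY_JS)))
    print("tampered:  ", verify_sri(LIBRARY_JS + b"alert(1)", sri_hash(LIBRARY_JS)))
```

The `crossorigin="anonymous"` attribute matters in practice: without it a cross-origin script is fetched in no-cors mode and the browser cannot perform the integrity check at all.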
Example Semgrep rules for A08:2024
rules:
  # Unsafe Java deserialization
  - id: unsafe-java-deserialization
    patterns:
      - pattern-either:
          - pattern: |
              ObjectInputStream $IN = new ObjectInputStream(...);
              ...
              $IN.readObject()
          - pattern: (ObjectInputStream $IN).readObject()
      - pattern-not-inside: |
          class $CLASS extends ValidatingObjectInputStream {
            ...
          }
    message: |
      Unsafe deserialization detected via Java ObjectInputStream;
      it can lead to Remote Code Execution.
    severity: ERROR
    languages:
      - java
    metadata:
      cwe: "CWE-502"
      owasp: "A08:2021"
      category: security

  # npm packages installed without a lock file check
  - id: npm-install-without-lock-file
    patterns:
      - pattern-either:
          # "=~/.../" matches any string literal against the regex
          - pattern: exec("=~/^npm install/")
          - pattern: subprocess.run(["npm", "install", ...])
          - pattern: os.system("=~/^npm install/")
      - pattern-not-inside: |
          ...
          "package-lock.json"
          ...
    message: |
      Installing npm packages without checking package-lock.json
    severity: WARNING
    languages:
      - python
      - javascript
    metadata:
      cwe: "CWE-829"
      owasp: "A08:2021"

  # Dynamic code execution from untrusted sources
  - id: dangerous-code-execution
    patterns:
      - pattern-either:
          - pattern: eval($INPUT)
          - pattern: exec($INPUT)
          - pattern: __import__($INPUT)
          - pattern: compile($INPUT, ...)
      - pattern-either:
          - pattern-inside: |
              $INPUT = request.$METHOD(...)
              ...
          - pattern-inside: |
              $INPUT = $_GET[...]
              ...
          - pattern-inside: |
              $INPUT = input(...)
              ...
    message: |
      Dynamic code execution from an untrusted source:
      eval()/exec() on user-controlled data leads to Remote Code Execution.
    severity: ERROR
    languages:
      - python
      - javascript
      - php
    metadata:
      cwe: "CWE-94"
      owasp: "A08:2021"
      likelihood: MEDIUM
      impact: CRITICAL
#toolchain #sast #appsec #course #reco #techsolution
