Corgea LogoCorgea Security Hub

CWE-353: Missing Support for Integrity Check

Learn about CWE-353 (Missing Support for Integrity Check), its security impact, exploitation methods, and prevention guidelines.

What is Missing Support for Integrity Check?

• Overview: Missing Support for Integrity Check (CWE-353) occurs when a transmission protocol lacks a mechanism such as a checksum to verify data integrity during transmission, leaving no way to detect data corruption.

• Exploitation Methods:

  • Attackers can inject or alter data during transmission without detection.
  • Common attack patterns include man-in-the-middle attacks where data is modified in transit.

• Security Impact:

  • Direct consequences include data corruption and unauthorized data manipulation.
  • Potential cascading effects include incorrect data processing and decision-making based on tampered data.
  • Business impact can involve loss of data integrity, leading to reputational damage and financial losses.

• Prevention Guidelines:

  • Implement checksums or cryptographic hashes to verify data integrity.
  • Follow security best practices by using protocols with built-in integrity checks like TLS.
  • Use recommended tools and frameworks that support data integrity verification, such as libraries offering cryptographic functions.

Corgea can automatically detect and fix Missing Support for Integrity Check in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

JavaScript Example

// This function sends data to a server using an HTTP POST request.
// However, it does not implement any mechanism to verify the integrity
// of the data during transmission, making it vulnerable to manipulation.
function sendData(url, data) {
    // Convert data to JSON and send it using Fetch API
    fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data) // No integrity check on the data being sent
    }).then(response => response.json())
      .then(data => console.log('Data sent:', data))
      .catch(error => console.error('Error:', error));
}

Explanation of the Vulnerability

  • Lack of Integrity Verification: The function sendData sends JSON data to the server without any mechanism to ensure the data's integrity. This makes it susceptible to man-in-the-middle attacks where the data can be altered during transmission.

How to fix Missing Support for Integrity Check?

To fix this vulnerability, you need to implement a mechanism to verify the integrity of data during transmission. One common approach is to use a hash-based message authentication code (HMAC). An HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It ensures data integrity and authenticity by allowing the receiver to verify that the data has not been tampered with during transmission.

Steps to Implement HMAC:

  1. Generate a Secret Key: Use a secure method to generate and store a secret key that will be used to create the HMAC.
  2. Create the HMAC: Use a cryptographic library to generate an HMAC for the data being sent.
  3. Send the HMAC Alongside the Data: Include the HMAC in the headers or body of the request.
  4. Verify the HMAC on the Server: The server should use the same secret key to compute the HMAC for the received data and compare it with the received HMAC to ensure integrity.

Fixed Code Example

// Fixed function that includes integrity checks using HMAC.
const crypto = require('crypto'); // Import crypto module for HMAC generation

function sendDataWithHmac(url, data, secretKey) {
    // Generate HMAC for the data
    const hmac = crypto.createHmac('sha256', secretKey).update(JSON.stringify(data)).digest('hex');

    // Convert data to JSON and send it with the HMAC
    fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'X-Data-HMAC': hmac // Sending HMAC in headers for integrity check
        },
        body: JSON.stringify(data)
    }).then(response => response.json())
      .then(data => console.log('Data sent and verified:', data))
      .catch(error => console.error('Error:', error));
}

Explanation of the Fix

  • HMAC Generation: We use the crypto module to generate an HMAC for the data. The createHmac function creates a hash using the sha256 algorithm and a secretKey.
  • Integrity Verification: The HMAC is included in the request headers, which allows the server to verify the integrity of the data upon receipt.

This approach ensures that any alteration in the data during transmission will result in a mismatch of the HMAC, allowing the server to detect potential tampering.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-353: Missing Support for Integrity Check and get remediation guidance

Start for free and no credit card needed.