A08 — Software & Data Integrity Failures (insecure)

1000-ft view: these examples show what happens when you blindly trust updates, serialized input, remote configs, plugins, or CI/CD artifacts. The insecure flows skip hashes/signatures, allowlists, and safe formats — making supply-chain compromise trivial.

Attack 1 — Update Packages

no hash • no signature

Why it’s bad: installing an update archive without verifying integrity lets attackers slip in modified binaries/scripts.

  1. Click Install Update (insecure) — it installs blindly.

Attack 2 — Deserialization

unserialize($_POST['data'])

Why it’s bad: deserializing untrusted PHP payloads can trigger gadget chains and RCE.

  1. Post a PHP-serialized string (e.g., O:8:"stdClass":1:{s:4:"pwn";s:3:"yes";}).
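Two defensive replacements for `unserialize($_POST['data'])`, written as an added example for this page (not the lab's own code; assumes PHP 8.0+). Option A keeps the PHP serialization format but forbids class instantiation via the real `allowed_classes` option, so no application `__wakeup()`/`__destruct()` can run; option B switches to JSON and validates the expected shape. The payloads below are constructed samples, including the same `stdClass` string the lab step posts.

```php
<?php
declare(strict_types=1);
// Added example, not the lab's own code: safe handling of $_POST['data'].

/** True if any object appears anywhere in the decoded structure. */
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Option A: keep the serialized format but never instantiate classes.
 * With allowed_classes => false every O:/C: record becomes __PHP_Incomplete_Class,
 * so gadget-chain magic methods cannot fire; we then reject the result outright
 * if any object was present at all.
 */
function unserializeScalarsOnly(string $payload): mixed
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && trim($payload) !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized payload');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

/**
 * Option B (preferred for new code): JSON plus an explicit shape check.
 * json_decode() never instantiates application classes.
 */
function decodeJsonRecord(string $payload): array
{
    $data = json_decode($payload, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !array_key_exists('pwn', $data) || !is_string($data['pwn'])) {
        throw new InvalidArgumentException('unexpected record shape');
    }
    return $data;
}

// Constructed samples: the lab's stdClass payload, a plain array, and the JSON equivalent.
$objectPayload = 'O:8:"stdClass":1:{s:4:"pwn";s:3:"yes";}';
$arrayPayload  = 'a:1:{s:4:"pwn";s:3:"yes";}';
$jsonPayload   = '{"pwn":"yes"}';

try {
    unserializeScalarsOnly($objectPayload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";      // rejected: objects are not accepted
}
var_dump(unserializeScalarsOnly($arrayPayload)); // array(1) { ["pwn"]=> string(3) "yes" }
var_dump(decodeJsonRecord($jsonPayload));        // array(1) { ["pwn"]=> string(3) "yes" }
```

Option A is a stop-gap for code that must keep accepting PHP-serialized input; anything new should take option B, because a format that cannot express objects removes the gadget-chain risk entirely rather than filtering it.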

Attack 3 — Remote Config

unverified source

Why it’s bad: pulling JSON from an arbitrary URL and applying it without integrity checks lets attackers rewrite app behavior.

  1. Provide a src URL and load it — no signature/HMAC required.
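An added example (not the lab's own code; assumes PHP 8.0+) of what the consumer side of a remote-config fetch should check before applying anything: the source URL must be on a fixed allowlist, and the body must carry a valid HMAC computed with a key shared out of band. The key, the host name `config.example.internal`, the header name and the config body are all constructed for the demo; the publisher-side tag computation is included only so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not the lab's own code: HMAC-verified remote config.

// Constructed demo key; in production load 32 random bytes from a secret store.
const CONFIG_HMAC_KEY = 'constructed-demo-key-replace-with-32-random-bytes';
// Assumed allowlist of hosts the app may fetch config from (not a user-supplied src URL).
const ALLOWED_CONFIG_HOSTS = ['config.example.internal'];

function isAllowedConfigUrl(string $url): bool
{
    $parts = parse_url($url);
    return is_array($parts)
        && ($parts['scheme'] ?? '') === 'https'
        && in_array($parts['host'] ?? '', ALLOWED_CONFIG_HOSTS, true);
}

/**
 * Verify the tag over the raw body, then decode. Returns null on any failure
 * so the caller keeps its current/default configuration instead of applying
 * untrusted data. hash_equals() avoids a timing side channel on the comparison.
 */
function verifyAndDecodeConfig(string $body, string $tagHex): ?array
{
    $expected = hash_hmac('sha256', $body, CONFIG_HMAC_KEY);
    if (!hash_equals($expected, $tagHex)) {
        return null;
    }
    try {
        $cfg = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($cfg) ? $cfg : null;
}

// --- Publisher side (what the trusted config server does), constructed ---
$body = '{"feature_flags":{"beta":true},"max_upload_mb":8}';
$tag  = hash_hmac('sha256', $body, CONFIG_HMAC_KEY);   // sent alongside, e.g. in an X-Config-HMAC header

// --- Consumer side ---
$url = 'https://config.example.internal/app.json';
if (!isAllowedConfigUrl($url)) {
    exit("refusing to fetch config from $url\n");
}
// In the real flow $body and $tag come from the HTTP response for $url.
$cfg = verifyAndDecodeConfig($body, $tag);
var_dump($cfg !== null);                              // bool(true): apply $cfg

// A body altered in transit (or served by a different origin) fails the tag check.
$tampered = str_replace('"max_upload_mb":8', '"max_upload_mb":8000', $body);
var_dump(verifyAndDecodeConfig($tampered, $tag));     // NULL: keep existing config

// A user-controlled src URL is refused before any request is made.
var_dump(isAllowedConfigUrl('https://attacker.invalid/app.json'));  // bool(false)
```

A shared-secret HMAC is the minimum; if several parties need to verify but only one should be able to publish, sign the body with an asymmetric key instead so the verifier never holds signing capability.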

Attack 4 — Plugin Loader

upload & include()

Why it’s bad: allowing arbitrary PHP uploads in webroot and including them directly is instant RCE.

  1. Upload any .php file — the insecure loader will include it.
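An added example (not the lab's own code; assumes PHP 8.0+) of a plugin loader that never `include()`s user-uploaded files. Plugins live in a fixed directory the web server does not serve, only allowlisted names are accepted, the resolved path is checked to stay inside that directory, and each file must match a pinned SHA-256 recorded when the plugin was reviewed. The temporary plugin directory, the `greeter` plugin and the hashes are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not the lab's own code: allowlisted, hash-pinned plugin loading.

/**
 * @param string $name       plugin name from the request (never a path)
 * @param string $pluginDir  fixed directory outside the webroot and outside any upload path
 * @param array  $allowlist  name => sha256 hex of the reviewed plugin file
 */
function loadPlugin(string $name, string $pluginDir, array $allowlist): void
{
    // 1. Only allowlisted, plain names are accepted; nothing user-supplied becomes a path.
    if (!preg_match('/^[a-z0-9_]+$/', $name) || !isset($allowlist[$name])) {
        throw new RuntimeException("plugin '$name' is not allowlisted");
    }
    // 2. The resolved file must sit inside $pluginDir (defeats symlinks and ../ tricks).
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $name . '.php');
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("plugin '$name' missing or outside the plugin directory");
    }
    // 3. The file must be byte-for-byte the version that was reviewed.
    if (!hash_equals($allowlist[$name], hash_file('sha256', $path))) {
        throw new RuntimeException("plugin '$name' hash mismatch; refusing to include");
    }
    require_once $path;
}

// --- Constructed demo setup: a reviewed plugin in a private directory ---
$dir = sys_get_temp_dir() . '/plugins_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/greeter.php", "<?php\nfunction greeter_hello(): string { return 'hello'; }\n");
// The allowlist is recorded at review time, not computed at load time.
$allowlist = ['greeter' => hash_file('sha256', "$dir/greeter.php")];

loadPlugin('greeter', $dir, $allowlist);
echo greeter_hello(), "\n";                    // hello

// A file that merely exists in the directory (e.g. an upload) is not loadable: not allowlisted.
file_put_contents("$dir/uploaded.php", "<?php echo 'must never run';\n");
try {
    loadPlugin('uploaded', $dir, $allowlist);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";               // plugin 'uploaded' is not allowlisted
}

// An allowlisted plugin that was modified on disk is refused by the hash pin.
file_put_contents("$dir/greeter.php", "<?php // modified after review\n");
try {
    loadPlugin('greeter', $dir, $allowlist);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";               // plugin 'greeter' hash mismatch; refusing to include
}

// Cleanup of the constructed demo directory.
unlink("$dir/greeter.php");
unlink("$dir/uploaded.php");
rmdir($dir);
```

The upload endpoint and the loader should never share a directory: uploads, if they must exist, go to storage that PHP does not execute from, and a plugin only becomes loadable once someone reviews it and adds its hash to the allowlist.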

Attack 5 — CI/CD Artifact Trust

blind deploy

Why it’s bad: deploying a build zip without a signed manifest/attestation enables supply-chain injection.

  1. Upload a build zip — it will be unzipped into the app without checks.
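Attacks 1 and 5 fail the same way (an archive is unpacked into the app with no integrity check), so one added example covers both; it is not the lab's own code and assumes PHP 8.0+ with the bundled `sodium` and `zip` extensions. Before any member is extracted, the deploy side verifies an Ed25519 signature over a manifest, checks every zip member's SHA-256 against that manifest, rejects members the manifest never signed or that are missing from the archive, and refuses member paths that could escape the target directory. The key pair, archive, manifest and file contents are constructed for the demo; in a real deployment only the public key is pinned in the app and the private key stays on the release signer.

```php
<?php
declare(strict_types=1);
// Added example, not the lab's own code: signed-manifest verification for an
// update archive or CI build zip, performed entirely before extraction.

/** Verify the manifest signature and return its path => sha256 map. */
function verifyManifest(string $manifestJson, string $signature, string $publicKey): array
{
    if (!sodium_crypto_sign_verify_detached($signature, $manifestJson, $publicKey)) {
        throw new RuntimeException('manifest signature invalid');
    }
    $m = json_decode($manifestJson, true, 8, JSON_THROW_ON_ERROR);
    if (!isset($m['files']) || !is_array($m['files'])) {
        throw new RuntimeException('manifest has no files map');
    }
    return $m['files'];
}

/** Relative, forward-slash, no '..' segments, no directory entries. */
function isSafeMemberPath(string $p): bool
{
    return $p !== '' && $p[0] !== '/' && !str_contains($p, '\\')
        && !in_array('..', explode('/', $p), true) && !str_ends_with($p, '/');
}

/** Returns the verified member names; throws before anything touches the app directory. */
function verifyArchive(string $zipPath, array $expected): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $seen = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeMemberPath($name)) {
            throw new RuntimeException("unsafe member path: $name");
        }
        if (!isset($expected[$name])) {
            throw new RuntimeException("member not in signed manifest: $name");
        }
        $data = $zip->getFromIndex($i);
        if ($data === false || !hash_equals($expected[$name], hash('sha256', $data))) {
            throw new RuntimeException("hash mismatch: $name");
        }
        $seen[] = $name;
    }
    $zip->close();
    if (count($seen) !== count($expected)) {
        throw new RuntimeException('archive is missing files listed in the manifest');
    }
    return $seen;   // only now is $zip->extractTo($appDir) acceptable
}

// --- Release side (constructed): build the zip, hash each file, sign the manifest ---
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);   // stays on the release signer
$pk = sodium_crypto_sign_publickey($kp);   // the value the app would pin

$files = [
    'app/index.php'    => "<?php echo 'v2';\n",
    'app/lib/util.php' => "<?php function util(): void {}\n",
];
$zipPath = sys_get_temp_dir() . '/build_' . bin2hex(random_bytes(4)) . '.zip';
$zip = new ZipArchive();
$zip->open($zipPath, ZipArchive::CREATE);
foreach ($files as $path => $content) {
    $zip->addFromString($path, $content);
}
$zip->close();
$manifest  = json_encode(['files' => array_map(fn(string $c) => hash('sha256', $c), $files)]);
$signature = sodium_crypto_sign_detached($manifest, $sk);

// --- Deploy side: verify, then (and only then) extract ---
$expected = verifyManifest($manifest, $signature, $pk);
print_r(verifyArchive($zipPath, $expected));   // lists both members: safe to extract

// A build modified after signing (extra member) is refused before extraction.
$zip = new ZipArchive();
$zip->open($zipPath);
$zip->addFromString('app/extra.php', "<?php\n");
$zip->close();
try {
    verifyArchive($zipPath, $expected);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";               // member not in signed manifest: app/extra.php
}

// A manifest altered in transit fails the signature check.
try {
    verifyManifest(str_replace('v2', 'v3', $manifest), $signature, $pk);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";               // manifest signature invalid
}
unlink($zipPath);
```

Hashing every member rather than the whole zip makes the check independent of how the archive was packed, and the "nothing unlisted, nothing missing" rule turns the manifest into a complete inventory of what the deploy is allowed to write. The same layout maps onto attestation formats such as in-toto or Sigstore bundles, where the signed statement plays the role of the manifest.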