Malicious Middleware in .NET Example

External open source packages can be found in any software nowadays. Whether it is a private project or large enterprise software, it has become virtually impossible to develop software without external open source components.

OpenSource packages are usually distributed via package managers such as NuGet. For some time now, this has opened up a new attack vector for potential attackers to use cloaked packages to get directly into the application and, thus, usually into the company's heart.

While most articles focus on how potential hackers might attack your application from the outside (e.g., with SQL Injection, CSRF, etc.), this article shows how easy it is to gain information access from the inside.

For example, a malicious package that disguisedly includes useful functionality for advanced logging of HTTP requests could simultaneously send all requests to an external server and thus leak all communication within the application.

For a workshop series, I have created a middleware example with the attack mentioned above to raise attention to this important topic further.

You can find a working copy of the code here.

Idea

  1. Put malicious code inside the functionality. We use a post-request that sends the requests/ response to another server.
  2. Publish and rollout middleware component with NuGet and wait for victims

Idea realization

  1. Use the middleware solution from my previous article and integrate it into a client application.
  2. Extend middleware not only to log the requests/ response but also send it to the Web API endpoint

4. Publish the package via NuGet

Summary

Even if the attack is detected via network monitoring, some time will have passed by then. The simplicity of the code shows how much dangerous potential is still hidden here. For example, the attack code could check whether it is on a test or production environment to be detected even later.

Every development team should be aware of the circumstance and thoroughly check used packages. Even if GitHub and co introduce mechanisms to identify threats, the potential for danger is still great.

Entrepreneur — technologist — passionate leader