CAPEC-695

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Repo Jacking

Description

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

Prerequisites

Identification of a popular repository that may be directly referenced in numerous software applications

A repository owner/maintainer who has recently changed their username or deleted their account

Mitigations

Leverage dedicated package managers instead of directly linking to VCS repositories.

Utilize version pinning and lock files to prevent use of maliciously modified repositories.

Implement "vendoring" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.

Leverage automated tools, such as Checkmarx's "ChainJacking" tool, to determine susceptibility to Repo Jacking attacks.

Skills Required

[Low] Ability to create an account on a VCS hosting site and recreate an existing directory structure.

[Low] Ability to create malware that can exploit various software applications.