Slide 1

Slide 1 text

Exploiting Dependency Confusion By Tuhin Bose

Slide 2

Slide 2 text

root@kali:~# whoami

Bug Bounty Hunter
CISO at DSPH
Crowdsource Security Researcher at Detectify
B. Tech in Cyber Security and Digital Forensics

Slide 3

Slide 3 text

AGENDA

Packages & Dependencies
Public registry vs private registry
Dependency Confusion Attack
Attacking Live Targets
Conclusion & QNA

Slide 4

Slide 4 text

Packages and Dependencies

Slide 5

Slide 5 text

A package is a unit of code, a single file or many files, bundled so that it can be published to a registry and installed by others. Generally, a package helps you add some functionality to your application. A package can be public (anyone can install it from a public registry) or private (published only to an organisation's own registry). A dependency is a library or piece of code that another part of your code needs in order to work; an application declares its dependencies in a manifest and relies on a package manager to fetch them.

Slide 8

Slide 8 text

Public registry vs private registry

Slide 9

Slide 9 text

Python: registry pypi.org, dependency manifest requirements.txt
JavaScript: registry npmjs.com, dependency manifest package.json

Slide 11

Slide 11 text

Dependency Confusion

Slide 12

Slide 12 text

What happens if malicious code is uploaded to the public npm registry under these names, that is, under the names of packages the organisation only serves from its private registry? A build that resolves those names against both registries, or falls back to the public one, can pull the attacker's copy instead (typically because it carries a higher version number), and npm runs that package's install scripts on the build machine.

Slide 13

Slide 13 text

Attacking Live Targets

Slide 14

Slide 14 text

Step 1: List all packages. Sources: package.json and the target's JS files. For JS files, always look for the keywords require and import.

Slide 16

Slide 16 text

Step 2: Filter out the private packages: keep only the names that do not exist on the public registry, since those must be coming from a private registry.

Slide 17

Slide 17 text

Step 3: Publish your package under that name on the public registry.
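Steps 1 and 2 above, and the question on slide 12 of which names are at risk, as one worked recon script. This is an added example, not code from the talk: the package.json, JS source and package names are constructed; the fake registry set stands in for live answers so it runs offline, and npm_registry_has shows the live lookup against registry.npmjs.org.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional, Set

# Constructed sample inputs standing in for a target's package.json and one
# of its bundled JS files. All "acme" package names are hypothetical.
PACKAGE_JSON = """{
  "name": "acme-web",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/ui-kit": "1.4.0",
    "acme-internal-auth": "2.0.1"
  },
  "devDependencies": { "jest": "^29.0.0" }
}"""

JS_SOURCE = """
const auth = require('acme-internal-auth');
import { Button } from '@acme/ui-kit';
import path from 'path';
const helper = require('./lib/helper');
import fp from "lodash/fp";
const billing = require("acme-billing-client/v2");
const flags = () => import('@acme/feature-flags');
"""

# Node core modules are never fetched from a registry, so never candidates.
NODE_BUILTINS = {"assert", "buffer", "child_process", "crypto", "events", "fs",
                 "http", "https", "net", "os", "path", "process", "stream",
                 "url", "util", "zlib"}

# The keywords from step 1: require(...), import ... from '...', bare
# side-effect imports and dynamic import(...).
REQUIRE_RE = re.compile(r"""\brequire\(\s*['"]([^'"]+)['"]\s*\)""")
FROM_RE = re.compile(r"""\bfrom\s+['"]([^'"]+)['"]""")
SIDE_EFFECT_IMPORT_RE = re.compile(r"""\bimport\s+['"]([^'"]+)['"]""")
DYNAMIC_IMPORT_RE = re.compile(r"""\bimport\(\s*['"]([^'"]+)['"]\s*\)""")


def package_name(specifier: str) -> Optional[str]:
    """Reduce an import specifier to the registry package that would serve it.

    Relative paths and Node built-ins give None; deep imports such as
    "lodash/fp" or "@acme/ui-kit/button" reduce to the package root.
    """
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    if specifier.startswith("@"):
        if len(parts) < 2:          # scoped names are always "@scope/name"
            return None
        name = "/".join(parts[:2])
    else:
        name = parts[0]
    return None if name in NODE_BUILTINS else name


def list_packages(package_json_text: str, js_sources: Iterable[str]) -> Set[str]:
    """Step 1: every package the manifest declares or the JS code pulls in."""
    manifest = json.loads(package_json_text)
    names: Set[str] = set()
    for section in ("dependencies", "devDependencies",
                    "peerDependencies", "optionalDependencies"):
        names.update(manifest.get(section, {}).keys())
    for src in js_sources:
        for rx in (REQUIRE_RE, FROM_RE, SIDE_EFFECT_IMPORT_RE, DYNAMIC_IMPORT_RE):
            for spec in rx.findall(src):
                name = package_name(spec)
                if name:
                    names.add(name)
    return names


def filter_private(names: Iterable[str],
                   exists_publicly: Callable[[str], bool]) -> List[str]:
    """Step 2: keep the names the public registry does not know.

    These must be served from a private registry, so they are the names a
    dependency confusion attack would claim on the public one.
    """
    return sorted(n for n in names if not exists_publicly(n))


def npm_registry_has(name: str) -> bool:
    """Live check: registry.npmjs.org answers 404 for a name nobody published.

    Not used by the offline run below. The '/' of a scoped name is sent as %2F.
    """
    url = "https://registry.npmjs.org/" + urllib.parse.quote(name, safe="@")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


# Constructed stand-in for the public registry's answers (offline run).
FAKE_PUBLIC_REGISTRY = {"express", "jest", "lodash"}


def find_candidates(package_json_text: str = PACKAGE_JSON,
                    js_sources: Iterable[str] = (JS_SOURCE,),
                    exists_publicly: Callable[[str], bool] = FAKE_PUBLIC_REGISTRY.__contains__
                    ) -> List[str]:
    """Steps 1 and 2 chained: the names worth checking before step 3."""
    return filter_private(list_packages(package_json_text, js_sources), exists_publicly)


if __name__ == "__main__":
    for candidate in find_candidates():
        print(candidate)
```

Two checks before moving to step 3. A 404 for an unscoped name means it is free to claim, but for a scoped name such as @acme/ui-kit only the owner of the acme user or organisation on npm can publish under that scope, so a scoped candidate is only exploitable if that scope has not been registered. For Python targets the same logic applies to requirements.txt, with https://pypi.org/simple/<name>/ as the existence check. On the defensive side, the weak setting is a build that consults both registries for every name; pinning scopes to the internal registry (an @acme:registry= line in .npmrc) and, for pip, using --index-url rather than --extra-index-url removes the fallback the attack relies on.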

Slide 18

Slide 18 text

@tuhin1729 [email protected]