Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dependency Confusion

Tuhin Bose
September 03, 2021
Technology
0
710

Dependency Confusion

Tuhin Bose

September 03, 2021
Tweet

More Decks by Tuhin Bose

See All by Tuhin Bose
Wordpress Security
tuhin1729
1
1.4k
Account Takeover via Exploiting Misconfigured Password Reset Feature
tuhin1729
2
2.1k
Abusing Password Reset Functionality
tuhin1729
0
710
2 Factor Authentication Bypass
tuhin1729
1
1.1k

Other Decks in Technology

See All in Technology
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Adopting Sorbet at Scale
ufuk
73
9.1k
GitHub's CSS Performance
jonrohan
1030
460k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
GraphQLとの向き合い方2022年版
quramy
43
13k
Happy Clients
brianwarren
98
6.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
What's in a price? How to price your products and services
michaelherold
243
12k
Building an army of robots
kneath
302
43k

Transcript

  1. Exploiting Dependency Confusion By Tuhin Bose

  2. root@kali:~#whoami Bug Bounty Hunter CISO at DSPH Crowdsource Security Researcher

    at Detectify B. Tech in Cyber Security and Digital Forensics

  3. Conclusion & QNA Packages & Dependencies Public registry vs private

    registry Attacking Live Targets AGENDA Dependency Confusion Attack

  4. Packages and Dependencies

  5. The term "package" is used to describe code that's been

    made publicly available. A package can contain a single file or many files of code. Generally, a package helps you to add some functionality to your application. A dependency in programming is an essential functionality, library or piece of code that's essential for a different part of the code to work.
  6. None
  7. None

  8. Public registry vs private registry

  9. pypi.org npmjs.com requirements.txt package.json

  10. None

  11. Dependency Confusion

  12. What happens if malicious code is uploaded to npm under

    these names?

  13. Attacking Live Targets

  14. Step1: List all packages package.json js files For JS files,

    always look for the keyword require and import
  15. None

  16. Step2: Filter all private packages

  17. Step3: Publishing Your Package

  18. @tuhin1729 [email protected]