Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dependency Confusion

2d1ae5ea9354a50d87b46f4503d11f4e?s=47 Tuhin Bose
September 03, 2021

Dependency Confusion


Tuhin Bose

September 03, 2021


  1. Exploiting Dependency Confusion By Tuhin Bose

  2. root@kali:~#whoami Bug Bounty Hunter CISO at DSPH Crowdsource Security Researcher

    at Detectify B. Tech in Cyber Security and Digital Forensics
  3. Conclusion & QNA Packages & Dependencies Public registry vs private

    registry Attacking Live Targets AGENDA Dependency Confusion Attack
  4. Packages and Dependencies

  5. The term "package" is used to describe code that's been

    made publicly available. A package can contain a single file or many files of code. Generally, a package helps you to add some functionality to your application. A dependency in programming is an essential functionality, library or piece of code that's essential for a different part of the code to work.
  6. None
  7. None
  8. Public registry vs private registry

  9. pypi.org npmjs.com requirements.txt package.json

  10. None
  11. Dependency Confusion

  12. What happens if malicious code is uploaded to npm under

    these names?
  13. Attacking Live Targets

  14. Step1: List all packages package.json js files For JS files,

    always look for the keyword require and import
  15. None
  16. Step2: Filter all private packages

  17. Step3: Publishing Your Package

  18. @tuhin1729 tuhinbose70@gmail.com