Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dependency Confusion

Tuhin Bose
September 03, 2021
Technology
0
710

Dependency Confusion

Tuhin Bose

September 03, 2021
Tweet

More Decks by Tuhin Bose

See All by Tuhin Bose
Wordpress Security
tuhin1729
1
1.4k
Account Takeover via Exploiting Misconfigured Password Reset Feature
tuhin1729
2
2.1k
Abusing Password Reset Functionality
tuhin1729
0
700
2 Factor Authentication Bypass
tuhin1729
1
1.1k

Other Decks in Technology

See All in Technology
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
ガバメントクラウド先行事業中間報告を読み解く
sugiim
1
1.5k
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
スプリントゴールにチームの状態も設定する背景とその効果 / Team state in sprint goals why and impact
kakehashi
2
100
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
運用イベント対応への生成AIの活用 with Failure Analysis Assistant
suzukyz
0
120
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
6.1k
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
150

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Docker and Python
trallard
40
3.1k
Rails Girls Zürich Keynote
gr2m
93
13k
The Language of Interfaces
destraynor
154
24k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
Visualization
eitanlees
144
15k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Gamification - CAS2011
davidbonilla
80
5k
Done Done
chrislema
181
16k

Transcript

  1. Exploiting Dependency Confusion By Tuhin Bose

  2. root@kali:~#whoami Bug Bounty Hunter CISO at DSPH Crowdsource Security Researcher

    at Detectify B. Tech in Cyber Security and Digital Forensics

  3. Conclusion & QNA Packages & Dependencies Public registry vs private

    registry Attacking Live Targets AGENDA Dependency Confusion Attack

  4. Packages and Dependencies

  5. The term "package" is used to describe code that's been

    made publicly available. A package can contain a single file or many files of code. Generally, a package helps you to add some functionality to your application. A dependency in programming is an essential functionality, library or piece of code that's essential for a different part of the code to work.
  6. None
  7. None

  8. Public registry vs private registry

  9. pypi.org npmjs.com requirements.txt package.json

  10. None

  11. Dependency Confusion

  12. What happens if malicious code is uploaded to npm under

    these names?

  13. Attacking Live Targets

  14. Step1: List all packages package.json js files For JS files,

    always look for the keyword require and import
  15. None

  16. Step2: Filter all private packages

  17. Step3: Publishing Your Package

  18. @tuhin1729 [email protected]