# Dependency Confusion

## Overview

Companies use internal registers for placing both internal and public dependencies. In other words, they try to make a single registries with all dependencies, where dependencies are added by company employees. The goal of this approach is to minimize dependence on public registries and, accordingly, reduce the likelihood that a compromised dependency will be used internally.

However, it is not always possible to prohibit absolutely all traffic to public registries. Therefore, if a package manager tries to find an internal dependency in a public registry when resolving it, this can lead to dependency confusion.

The attack develops along the following way:

* Company has an internal package named `internal-lib`.
* `internal-lib` is not placed within a public registry, such as pypi, npm, rubygems, and etc.
* An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as `internal-lib`.
* A package manager uses `internal-lib` from a public registry during installation that leads to code execution.

{% embed url="<https://0xsapra.github.io/website//Exploiting-Dependency-Confusion>" %}

## How to execute code during installation?

{% embed url="<https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/parameters-injection>" %}

## Tips

### Data collection

To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:

* username
* hostname
* current path

Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.

### Data retrieval

Since most of the possible targets lie deep within well-protected corporate networks, DNS exfiltration is the best way to retrieve collected data. Send hex-encoded data as a part of a DNS query to a custom authoritative name server. You can use the following resources to implement DNS exfiltration:

* [1u.ms](https://github.com/neex/1u.ms) is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents
* [Interactsh](https://github.com/projectdiscovery/interactsh) is an OOB interaction gathering server and client library

## References

* [Writeup: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
* [Report: Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org](https://hackerone.com/reports/1104874)
* [Geek Freak: Dependency Confusion](https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/)
* [Writeup: RyotaK's Blog - Remote code execution in cdnjs of Cloudflare](https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/)
* [Black Hat EU 2021 - Picking Lockfiles: Attacking and Defending Your Supply Chain](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/red-team-tech-notes/-/tree/master/blackhat-eu-2021-picking-lockfiles)
* [DustiLock](https://github.com/Checkmarx/dustilock) is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack.
* [Confuser](https://github.com/doyensec/confuser) is a tool to detect Dependency Confusion vulnerabilities that allows scanning `packages.json` files, generating and publishing payloads to the NPM repository, and finally aggregating the callbacks from vulnerable targets.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xn3va.gitbook.io/cheat-sheets/ci-cd/dependency/dependency-confusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.