💻
Application Security Cheat Sheet
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • CI/CD
    • Dependency
      • Dependency Confusion
      • Dependency Hijaking
      • Typosquatting
    • GitHub
      • GitHub Actions
      • Code owners
      • Dependabot
      • Redirect
      • Releases
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • PID Namespace Sharing
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Argument Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • link
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • SVG Abuse
    • Weak Random Generation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • Overview
  • How to execute code during installation?
  • Tips
  • Data collection
  • Data retrieval
  • References
  1. CI/CD
  2. Dependency

Dependency Confusion

PreviousDependencyNextDependency Hijaking

Last updated 2 years ago

Overview

Companies use internal registers for placing both internal and public dependencies. In other words, they try to make a single registries with all dependencies, where dependencies are added by company employees. The goal of this approach is to minimize dependence on public registries and, accordingly, reduce the likelihood that a compromised dependency will be used internally.

However, it is not always possible to prohibit absolutely all traffic to public registries. Therefore, if a package manager tries to find an internal dependency in a public registry when resolving it, this can lead to dependency confusion.

The attack develops along the following way:

  • Company has an internal package named internal-lib.

  • internal-lib is not placed within a public registry, such as pypi, npm, rubygems, and etc.

  • An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as internal-lib.

  • A package manager uses internal-lib from a public registry during installation that leads to code execution.

How to execute code during installation?

Tips

Data collection

To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:

  • username

  • hostname

  • current path

Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.

Data retrieval

Since most of the possible targets lie deep within well-protected corporate networks, DNS exfiltration is the best way to retrieve collected data. Send hex-encoded data as a part of a DNS query to a custom authoritative name server. You can use the following resources to implement DNS exfiltration:

References

is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents

is an OOB interaction gathering server and client library

is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack.

is a tool to detect Dependency Confusion vulnerabilities that allows scanning packages.json files, generating and publishing payloads to the NPM repository, and finally aggregating the callbacks from vulnerable targets.

1u.ms
Interactsh
Writeup: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Report: Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org
Geek Freak: Dependency Confusion
Writeup: RyotaK's Blog - Remote code execution in cdnjs of Cloudflare
Black Hat EU 2021 - Picking Lockfiles: Attacking and Defending Your Supply Chain
DustiLock
Confuser
Exploiting Dependency ConfusionAman sapra Blog
Parameters Injectioncheat-sheets
Logo