PayloadsAllTheThings/Dependency Confusion/README.md
2024-11-28 21:36:01 +01:00

1.9 KiB

Dependency Confusion

A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.

Summary

Tools

  • visma-prodsec/confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems

Methodology

Look for npm, pip, gem packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.

  • DockerHub: Dockerfile image
  • JavaScript (npm): package.json
  • MVN (maven): pom.xml
  • PHP (composer): composer.json
  • Python (pypi): requirements.txt

NPM Example

References