mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
1.8 KiB
1.8 KiB
Dependency Confusion
A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
Summary
Tools
- visma-prodsec/confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems
Methodology
Look for npm
, pip
, gem
packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
NPM Example
- List all the packages (ie: package.json, composer.json, ...)
- Find the package missing from https://www.npmjs.com/
- Register and create a public package with the same name
- Package example : https://github.com/0xsapra/dependency-confusion-expoit
References
- Exploiting Dependency Confusion - Aman Sapra (0xsapra) - 2 Jul 2021
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021
- 3 Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021
- $130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained - 22 févr. 2021