Dependency Confusion

Last updated 3 months ago

Basic Information

In summary, a dependency confusion vulnerability occurs when a project uses a library whose name is misspelled, that no longer exists, or whose version is left unspecified, and the dependency repository in use is allowed to fetch newer versions from public repositories.

  • Misspelled: Import reqests instead of requests

  • Inexistent: Import company-logging, an internal library which no longer exists

  • Unspecified version: Import an existing internal company-requests library, but the repository checks public repositories to see if a greater version is available.

In all cases the attacker just needs to publish a malicious package with the name of a library used by the victim company.

Exploitation

Misspelled & Inexistent

If your company is trying to import a library that isn't internal, the library repository is most likely going to search for it in public repositories. If an attacker has created a package with that name, your code and the machines running it will most likely be compromised.

Unspecified Version

It's very common for developers not to specify any version of a library they use, or to specify only a major version. The interpreter (or package manager) will then try to download the latest version that fits those requirements. If the library is a well-known external library (like Python's requests), an attacker cannot do much, since he won't be able to create a library called requests (unless he is the original author). However, if the library is internal, like requests-company in this example, and the library repository also checks external sources for new versions, it will look for a newer version that is publicly available. So if an attacker knows that the company is using the requests-company library at version 1.0.1 with minor updates allowed, he can publish requests-company version 1.0.2 publicly and the company will use that library instead of the internal one.

AWS Fix

This vulnerability was found in AWS CodeArtifact (read the details in this blog post). AWS fixed it by allowing you to specify whether a library is internal or external, so that internal dependencies are never downloaded from external repositories.
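To make the resolution rule concrete, here is an added Python simulation (not code from this page or from AWS) covering the two paragraphs above: a proxy that merges the internal and public feeds and takes the highest compatible version, beside one that scopes internal names to the internal feed the way the AWS fix does. The feeds, package names, versions and the INTERNAL_ONLY policy list are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'1.0.2' -> (1, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def compatible(candidate: str, pinned: str) -> bool:
    """PEP 440 '~=' semantics for a three-part pin (e.g. '~=1.0.1'):
    candidate >= pinned and same major.minor, i.e. patch updates are allowed."""
    c, p = parse_version(candidate), parse_version(pinned)
    return c >= p and c[:2] == p[:2]


# Constructed sample feeds: what the company's internal index and the public index each serve.
INTERNAL_INDEX: Dict[str, List[str]] = {"requests-company": ["1.0.0", "1.0.1"]}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.31.0", "2.32.3"],
    "requests-company": ["1.0.2"],  # attacker-published, one patch level above the internal 1.0.1
    "company-logging": ["1.0.5"],   # internal name that no longer exists on the internal feed
}

# Constructed policy list: names that must only ever come from the internal feed (the AWS-style fix).
INTERNAL_ONLY = {"requests-company", "company-logging"}


def resolve_naive(name: str, pinned: str) -> Optional[Tuple[str, str]]:
    """Vulnerable behaviour: merge both feeds and take the highest compatible version."""
    best: Optional[Tuple[str, str]] = None
    for origin, index in (("internal", INTERNAL_INDEX), ("public", PUBLIC_INDEX)):
        for v in index.get(name, []):
            if compatible(v, pinned) and (best is None or parse_version(v) > parse_version(best[0])):
                best = (v, origin)
    return best


def resolve_scoped(name: str, pinned: str) -> Optional[Tuple[str, str]]:
    """Hardened behaviour: an internal name is looked up in the internal feed only;
    if it is missing there, resolution fails closed instead of falling back to public."""
    origin, index = ("internal", INTERNAL_INDEX) if name in INTERNAL_ONLY else ("public", PUBLIC_INDEX)
    versions = [v for v in index.get(name, []) if compatible(v, pinned)]
    if not versions:
        return None
    return (max(versions, key=parse_version), origin)


if __name__ == "__main__":
    print(resolve_naive("requests-company", "1.0.1"), resolve_scoped("requests-company", "1.0.1"))
```

The naive resolver returns the attacker's 1.0.2 from the public feed, while the scoped resolver keeps serving the internal 1.0.1 and refuses to resolve company-logging at all.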

Finding Vulnerable Libraries

In the original post about dependency confusion, the author searched for thousands of exposed package.json files containing JavaScript projects' dependencies.

References
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d