Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dependency Confusion

Avatar for Tuhin Bose Tuhin Bose
September 03, 2021
Technology
0
730

Dependency Confusion

Avatar for Tuhin Bose

Tuhin Bose

September 03, 2021
Tweet

More Decks by Tuhin Bose

See All by Tuhin Bose
Wordpress Security
Avatar for Tuhin Bose tuhin1729
1
1.4k
Account Takeover via Exploiting Misconfigured Password Reset Feature
Avatar for Tuhin Bose tuhin1729
2
2.3k
Abusing Password Reset Functionality
Avatar for Tuhin Bose tuhin1729
0
800
2 Factor Authentication Bypass
Avatar for Tuhin Bose tuhin1729
1
1.1k

Other Decks in Technology

See All in Technology
営業向け誰でも話せるOCIセールストーク
Avatar for oracle4engineer oracle4engineer
PRO
2
130
Как мы автоматизировали интеграционное тестирование с Gonkey и не пожалели. Паша Егорычев, Кирилл Поляков
Avatar for Lamoda Tech lamodatech
0
620
Twelve-Factor-Appから学ぶECS設計プラクティス/ECS practice for Twelve-Factor-App
Avatar for k-ozawa ozawa
3
150
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
25k
企業が押さえるべきMCPの未来
Avatar for TakaakiKakei takaakikakei
0
220
テストって楽しい!開発を加速させるテストの魅力 / Testing is Fun! The Fascinating of Testing to Accelerate Development
Avatar for END aiandrox
0
150
MCPを理解する
Avatar for Yudai Hayashi yudai00
12
7.9k
Новые мапы в Go. Вова Марунин, Clatch, МТС
Avatar for Lamoda Tech lamodatech
0
590
Aspire をカスタマイズしよう & Aspire 9.2
Avatar for neno nenonaninu
0
330
意思決定を支える検索体験を目指してやってきたこと
Avatar for Taisuke Hinata hinatades
PRO
0
350
AIとSREで「今」できること
Avatar for HonMarkHunt honmarkhunt
3
640
Linuxのパッケージ管理とアップデート基礎知識
Avatar for Go Nishimoto go_nishimoto
0
690

Featured

See All Featured
The Language of Interfaces
Avatar for Des Traynor destraynor
157
25k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
104
19k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.2k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
2.9k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.6k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
693
190k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
Code Review Best Practice
Avatar for Trisha Gee trishagee
67
18k

Transcript

  1. Exploiting Dependency Confusion By Tuhin Bose

  2. root@kali:~#whoami Bug Bounty Hunter CISO at DSPH Crowdsource Security Researcher

    at Detectify B. Tech in Cyber Security and Digital Forensics

  3. Conclusion & QNA Packages & Dependencies Public registry vs private

    registry Attacking Live Targets AGENDA Dependency Confusion Attack

  4. Packages and Dependencies

  5. The term "package" is used to describe code that's been

    made publicly available. A package can contain a single file or many files of code. Generally, a package helps you to add some functionality to your application. A dependency in programming is an essential functionality, library or piece of code that's essential for a different part of the code to work.
  6. None
  7. None

  8. Public registry vs private registry

  9. pypi.org npmjs.com requirements.txt package.json

  10. None

  11. Dependency Confusion

  12. What happens if malicious code is uploaded to npm under

    these names?

  13. Attacking Live Targets

  14. Step1: List all packages package.json js files For JS files,

    always look for the keyword require and import
  15. None

  16. Step2: Filter all private packages

  17. Step3: Publishing Your Package

  18. @tuhin1729 [email protected]