How I approached Dependency Confusion!

Aditya Soni
6 min read · Jan 31, 2022

Hi People,

Hope you are doing well. I know I took a little longer to publish this blog, so apologies for that.

In this blog, I will be sharing my approach for finding Dependency Confusion bugs. This blog is totally inspired by Alex Birsan's finding on Dependency Confusion.

Let’s Begin! :)

# What is Dependency Confusion?

A Dependency Confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.

# Case Study

When that blog was published, it was an interesting find that was new to the internet and attracted many eyes, and I was one of many who wanted to find a dependency confusion bug of their own.

Dependency confusion bugs can be reported when you find a package that is not listed in the public registry but is still being installed. Some ecosystems where this vulnerability can be found are Python, npm, Ruby, etc.

The major bugs I reported were in npm-based dependencies.

# How to identify a vulnerable package?

Look for package names under `dependencies` or `devDependencies` in the package.json file.

(Screenshot: example package.json)

Package name: azuretestpackage

Navigate to https://www.npmjs.com/package/azuretestpackage and it will show that the package is not present in the npmjs directory, which makes it available for takeover.

(Screenshot: 404 status code)
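The same check, automated from the defender's side, as an added example that is not code from the original post. It reads the dependency fields of a package.json, asks whether each name exists on the public registry, and flags unscoped names that do not, since those are exactly the names an outsider could publish. The registry lookup is injected so the audit runs offline against a constructed sample; the package name `azuretestpackage` is the one from the post, while `@acme/internal-utils`, `internal-build-tool` and the sample package.json are made up for the example. The live lookup against registry.npmjs.org is an assumption about that registry's behaviour (it returns 404 for an unpublished name) and is not exercised here.

```javascript
// Added example, not code from the original post. Audits a package.json for
// dependency names that do not exist on the public npm registry.

// Constructed sample package.json. "azuretestpackage" is the name used in the
// post; "@acme/internal-utils" and "internal-build-tool" are made up here.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    express: "^4.18.0",
    azuretestpackage: "1.0.0",
    "@acme/internal-utils": "2.1.0",
  },
  devDependencies: {
    lodash: "^4.17.21",
    "internal-build-tool": "0.3.0",
  },
});

// Fields whose entries `npm install` resolves from a registry.
const DEPENDENCY_FIELDS = [
  "dependencies",
  "devDependencies",
  "peerDependencies",
  "optionalDependencies",
];

// Return the sorted, de-duplicated package names a package.json would pull.
function extractDependencyNames(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const names = new Set();
  for (const field of DEPENDENCY_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) names.add(name);
  }
  return [...names].sort();
}

// Scoped names (@org/name) can be pinned to an internal registry in .npmrc,
// so a missing scoped name carries less risk than a missing unscoped one.
function isScoped(name) {
  return name.startsWith("@");
}

// Split names by whether the public registry knows them. `registryHas` is a
// function (name) => boolean, so the lookup can be real or simulated.
function classifyDependencies(names, registryHas) {
  const report = { public: [], missingScoped: [], missingUnscoped: [] };
  for (const name of names) {
    if (registryHas(name)) report.public.push(name);
    else if (isScoped(name)) report.missingScoped.push(name);
    else report.missingUnscoped.push(name);
  }
  return report;
}

// Constructed stand-in for the public registry: only these names "exist".
const CONSTRUCTED_PUBLIC_REGISTRY = new Set(["express", "lodash"]);
function constructedRegistryHas(name) {
  return CONSTRUCTED_PUBLIC_REGISTRY.has(name);
}

// Live variant of the post's manual step (assumption: registry.npmjs.org
// answers 404 for a name nobody has published; scoped names go as
// @scope%2Fname). Needs a Node version with global fetch; not run here.
async function registryHasLive(name) {
  const url = "https://registry.npmjs.org/" + name.replace("/", "%2F");
  const res = await fetch(url, { method: "HEAD" });
  return res.status !== 404;
}

// Full audit: parse, then classify with the supplied registry lookup.
function runAudit(pkgJsonText, registryHas) {
  return classifyDependencies(extractDependencyNames(pkgJsonText), registryHas);
}

// Run against the constructed sample.
console.log(JSON.stringify(runAudit(SAMPLE_PACKAGE_JSON, constructedRegistryHas), null, 2));
```

For a real project, pass `registryHasLive` (awaited per name) instead of the constructed lookup. Anything that lands in `missingUnscoped` is the condition the post describes; the usual fix is to move such packages to a scope your organisation owns and pin that scope to the internal registry in `.npmrc`, so `npm` never consults the public registry for them.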

# The approach for finding packages

  1. Finding the /package.json file on subdomains.

To look for this file on subdomains I used nuclei, as a template was already present in the nuclei-templates repository, and without wasting time…
