1/ Introduction π
Dependency Confusion occurs when software installer script is tricked into pulling malicious code file from public repository.
How I found this bug?
Dependency Confusion occurs when software installer script is tricked into pulling malicious code file from public repository.
How I found this bug?
2/ Recon π¦
1β£ I started with some Shodan recon and I found a IP that belongs to TARGET.
2β£ Using directory brute forcing tools like Dirsearch and FFUF, I found a package.json file contained all the packages which was installed in the server.
URL: /ui/package.json
1β£ I started with some Shodan recon and I found a IP that belongs to TARGET.
2β£ Using directory brute forcing tools like Dirsearch and FFUF, I found a package.json file contained all the packages which was installed in the server.
URL: /ui/package.json
3/ Dependency Confusion π‘
Using tool called Confused, I found that βspr-svg-loadersβ package was not in npm public repository.
You can verify the same by going to npm website and searching for the package name.
github.com/visma-prodsec/β¦
Using tool called Confused, I found that βspr-svg-loadersβ package was not in npm public repository.
You can verify the same by going to npm website and searching for the package name.
github.com/visma-prodsec/β¦
4/ I am Evil π
Create a malicious package with the package name and upload it to public npm repository.
After publishing the package we can verify it with npm repository.
Create a malicious package with the package name and upload it to public npm repository.
After publishing the package we can verify it with npm repository.
5/ Bounty Time π€
Within few hours of uploading the packages, I received ping-back with few data like hostname, directory, ipaddress, username to my interact.sh server.
Within few hours of uploading the packages, I received ping-back with few data like hostname, directory, ipaddress, username to my interact.sh server.
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
