Dependency Confusion is a vulnerability that allows attackers to exploit a weakness in the way that software dependencies are managed. Dependencies are external libraries or modules that a software application relies on to function. Dependency Confusion occurs when an attacker is able to introduce a malicious version of a dependency that the application is already using, and have the application use the malicious version instead of the legitimate one. This can allow the attacker to gain access to sensitive data, or execute arbitrary code on the affected system.
It is a vulnerability that has been found in the way some organizations manage their dependencies. It is used to upload malicious packages to internal package management systems, and it is based on the fact that these systems, such as npm and PyPI, will always prioritize internal packages over external ones.
Tools
Exploit
Look for npm, pip, gem packages. The methodology is the same: you register a public package with the same name as a private one used by the company, and then you wait for it to be used.
NPM example
- List all the packages (e.g. package.json, composer.json, …)
- Find the package missing from https://www.npmjs.com/
- Register and create a public package with the same name
- Package example : https://github.com/0xsapra/dependency-confusion-expoit
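The same steps can be run as a defender's audit of your own manifest, flagging internal names that nobody holds on the public registry. This is an added example, not code from the original page or the linked repository; the manifest, the package names, the `@acme` scope and the set standing in for a registry lookup are all constructed.

```python
import json

# Constructed sample manifest; every internal name here is hypothetical.
SAMPLE_MANIFEST = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.2",
    "acme-billing-core": "^1.4.0",
    "@acme/ui-kit": "2.0.1"
  },
  "devDependencies": {
    "lodash": "^4.17.21",
    "acme-build-tools": "git+ssh://git@git.example.internal/acme/build-tools.git",
    "acme-lint-rules": "~0.3.0"
  }
}"""
# Constructed stand-in for "does this name exist on the public registry?"
SAMPLE_PUBLIC_NAMES = {"express", "lodash"}

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")
# Specs with these prefixes are fetched from a fixed source, not by name.
SOURCE_PREFIXES = ("git+", "git://", "http://", "https://",
                   "file:", "link:", "workspace:", "github:")

def declared_dependencies(manifest_text):
    """Return {name: version spec} across all dependency fields."""
    manifest = json.loads(manifest_text)
    deps = {}
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            deps.setdefault(name, spec)
    return deps

def audit(manifest_text, public_names, owned_scopes=frozenset()):
    """Classify each dependency by how its name would be resolved."""
    findings = {}
    for name, spec in declared_dependencies(manifest_text).items():
        if spec.startswith(SOURCE_PREFIXES):
            findings[name] = "pinned-to-source"
        elif name.startswith("@"):
            scope = name.split("/", 1)[0]
            findings[name] = ("scoped-owned" if scope in owned_scopes
                              else "scoped-unverified")
        elif name in public_names:
            findings[name] = "public"
        else:
            # Unscoped, resolved by name, and unregistered publicly.
            findings[name] = "unclaimed-public-name"
    return findings

def exposed(findings):
    """Names to move under an owned scope or reserve publicly."""
    return sorted(n for n, s in findings.items() if s == "unclaimed-public-name")
```

Names returned by `exposed` are the ones to rename under a scope the organization owns or to register publicly as placeholders.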