Dependency Confusion Attack

Hello readers, so today I’m gonna talk about Dependency Confusion Attack and how to perform this attack in the real world. This attack comes into the picture when the user wants to install any sort of package, library, repos, etc. from the internet. Usually, the user only needs to specify the name or source of the library, and the package manager handles download and installation on its own. These package managers have become simpler by abstracting the complex logic of managing packages from the user and leading to supply chain attacks.

Before we dwell more on the attack part let’s understand the basics of it.

1. What are the packages and dependencies?

So basically, a package is a module that can be added to any program to add additional options, features, or functionality. We have different package managers for all the OS, for example, if you want to install some libraries onto your Ubuntu machine to be done by “apt-get” something like this right? or if you have a macOS you install it using homebrew. We all might have seen GitHub tools that have a .txt file and usually contains all the latest modules and dependent packages. If you wanted to install some packages for particular languages like python, there’s this “pip” which is a python package manager and for node, it is “npm” so these are public registry npm js and python-pip you might have used it.

pip install package_name

So, for different programming languages, we have different package managers for themselves.

2. Public and Private registries

Talking about the public registries, we have one example “npm js” which has a lot of packages, of course, the public packages which you could download and use for your own personal reference, and there is a private package also but for that, you need to pay, you can host your own private repositories as well similarly there is this python package manager which has a public repository. So private registries are where you host your own created modules and the natural question that hits your mind is “Why would someone create a private registry?” So basically what happens is a lot of companies create their own modules which are consumed in-house and to consume this in-house they don’t want these to be publicly available because that’s their proprietary code so they host these packages on their own private registries. One of the most common hosting libraries or registries is “Verdaccio”.

3. Setting up a basic node project

Now we will be setting up a basic node project so that I could make you understand the Confusion Attack. So let’s take an example, I have created a basic node hello-world project, and here’s the package.json file so in this file we have all details, like the name of the package; its version, etc. The link to my project 👇

https://github.com/InfoSecAntara/Node-Hello-World

You can also create your own private npm repo with the following command

npm init

Create your own private repo

So yeah now we have a basic package or node program ready so every node program must have a “package.json” which you know that’s the “npm” what are different dependencies and what are different scripts that are the author license and everything.

4. Installing public dependencies, for example express js

So now let’s install public dependencies into it, maybe I want to install this express js so here’s the command you just have to copy and paste onto your terminal.

npm i express

installing Public repo

Cool, the packages are now locally installed onto your machine, so it would create a node module, and also add it into the dependencies, so if you would “ls -alh” you would see node modules.

Node modules installed

If you would remember the private repo we created and has the dependencies keys that were added in the “package.json” and it contains this express module so the version is also mentioned and there's a tag “^”, this an operator that’s a basic use case.

package.json

5. Creating and Publishing a npm package

So for creating our own private repos, we would be using the “verdaccio” platform, please watch the video below 👇

Reference:
https://github.com/verdaccio/verdaccio

install with: “npm install — global verdaccio@6-next — registry https://registry.verdaccio.org/

Get started with:- “verdaccio”

create a user and log in
“npm adduser — registry http://localhost:4873

publish your package
“npm publish — registry http://localhost:4873” → let’s create package 1st → command — “npm init”

For one-off commands or to avoid setting the registry globally:
“NPM_CONFIG_REGISTRY=http://localhost:4873 npm i”

6. Understanding Confusion Attack

Dependency Confusion Attack is basically when any user or automated build system tries to fetch the packages from the public registries and when these public registries are manipulated ones then instead of getting the actual package they would install the fake attacker's package from the public registry. Let’s have a look at the flowchart diagram.

flowchart explanation

You understand that the “npm i” command is being run and then npm looks for the “package.json” and then it checks whether the registry value is set or not, if the registry value is not set just like shown in the video above, so if found the variable is set it will accept the set value or else it will go for the public registry and fetched the required data, so here is an opportunity for a malicious actor to exploit, as when the registry value is not set, so by using the public registry manipulations with the same package name onto the public registry and make the victims to auto-install and also get it executed.

So, let’s host our newly created package onto the npm registry;

created own package to host on the npm registry

Let’s publish this package using the following command;

npm publish

package published
our own package

Our package is uploaded successfully, and now when any users will install this package they will be installing this malicious one. Further to this malicious malware scripts can also be written into these packages and attacking victims' machines.

the published package is installed

Thank you All for making out the time and reading this article.

Stay Tuned for another interesting attack!!

You can connect with me @https://github.com/InfoSecAntara

--

--

--

Antara is a passionate Information, Network Security Professional, Lead Auditor, and Cyber Security Researcher.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

New beginnings: Google 🌞 of Code

Lesser known but very useful features of create-react-app

Task 7 on Docker in JavaScript

10 JavaScript concept you should read again

Common Dilemma of using expo vs Vanilla React Native being solved.

Regular expressions are not boring

.convert

Understanding React Hooks by Building a Timer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Antara Mane

Antara Mane

Antara is a passionate Information, Network Security Professional, Lead Auditor, and Cyber Security Researcher.

More from Medium

Vulnhub: XSS AND MYSQL FILE (Walkthrough)

How I Reverse-Engineered one of the biggest GSM Operator’s application.

H1-CTF Hacky Holidays Writeup

The network data and utf-8 decoded text