/DeepConfusion

Simple bash dependency confusion checker (npm, python and ruby)

Primary LanguageShell

DeepConfusion

Simple bash dependency confusion checker that parse package.json, requirements.txt and Gemfile files and check if npm, python or ruby packages are public or private by searching them in npm, pypi and rubygems public registry.

Prerequisites

  • npm
  • jq
  • curl
  • awk
  • sort
  • sed
  • tr
  • cut
  • xargs
  • httpx

Install:

$ git clone https://github.com/mathis2001/DeepConfusion
$ cd DeepConfusion
$ chmod +x deepconfusion.sh

Usage:

$ ./deepconfusion path/to/package.json or requirements.txt or Gemfile

Screenshots

image image

Exploit (After finding a private module)

npm

You can find the private packages found in the generated confusion.txt file, then:

  • Check in the original package.json file if their is a ^ or a ~ before the version (if yes it is vulnerable)
  • Take the package.json template prensent in the "ExploitFiles" directory.
  • Replace the name by one of the packages found and preinstall value by your domain.
  • Replace the version value by a latest than the private module.
  • Publish it in the npm public registry.

Python

  • If one of the packages give an error 404, it might be vulnerable to dependency confusion.
  • Go to the "ExploitPy" repository and build the package.
$ python3 setup.py sdist bdist_wheel
$ twin upload dist/*

Help: https://s1rn3tz.gitbook.io/notes/pentest-web/dependency-confusion

Ruby

  • If one of the packages give an error 404, it might be vulnerable to dependency confusion.
  • Create a new package.
$ bundle gem <package_name>
  • Go to the created repository.
$ cd <package_name>

  • Copy the .gem file from the ExploitGem repository in the newly created file and replace the needed information.

  • Then go to the lib repository.

$ cd lib

  • Replace the content of the .rb file with the one of the "ExploitGem" repository.

  • Go back to the main repository and build the package.

$ cd ..
$ gem build <package_name>.gemspec
$ gem push <package_name>-9.9.9.gem

To Do

  • Addisionnal validation for depreciated packages
  • Remove of false positives like (name, version detected as packages...)
  • Add requirements.txt check for python dependency confusion
  • Add Gemfile check for ruby dependency confusion