Dependency Confusion as an Attack Vector (Cybersecurity heads-up!)

preview_player
Показать описание
This is a quick cybersecurity-related rant. Or rather, a short shoutout to get you to check this latest attack that's out there, using developer laptops and CICD pipelines as an attack vector. Do you have a security tool scanning your packages for known vulnerabilities as a part of your pipeline? Nice, but it's not going to protect you.

If you don't know the term 'dependency confusion' yet - time to read about it. You can watch my short video as an intro, then educate yourself with the links below. Believe me, this is a nasty one, and every software dev should know about this, pretty much.

Here are the links in this video:

  1. DevXplaining
  2. hacking
  3. security
  4. zeroday
  5. cybersecurity
  6. cicd
Рекомендации по теме
Dependency Confusion Explained 0:08:03

Dependency Confusion Explained - New Supply Chain Attack

Dependency Confusion with 0:16:16

Dependency Confusion with AWS CodeArtifact

Dependency Confusion in 0:03:20

Dependency Confusion in 3 minutes with PoC

Dependency Confusion Attack 0:03:44

Dependency Confusion Attack to RCE PoC🔥 #makeYourFirstRCE

Dependency Confusion Attack: 0:08:11

Dependency Confusion Attack: How Apple, Microsoft and Other Companies Were Compromised

Dependency Confusion | 0:02:20

Dependency Confusion | Bug Bounty POC | Lazy Pentester

$130,000+ Learn New 0:11:12

$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained

What Is dependency 0:07:31

What Is dependency confusion | How to Find dependency confusion | Live Practical

What is Dependency 0:00:46

What is Dependency Confusion?

Python Dependency Confusion 0:17:23

Python Dependency Confusion (Demystified)

Dependency Confusion as 0:08:21

Dependency Confusion as an Attack Vector (Cybersecurity heads-up!)

Package Dependency Confusion 0:33:37

Package Dependency Confusion Vulnerability | Advance Bug Bounty Tutorials | Hindi🔥Part 1 #bugbounty...

All about Dependency 0:02:47

All about Dependency Confusion(Substitution Attack) | Episode0x5 | CyberWeekly Serices

Dependency Confusion: POC 0:10:44

Dependency Confusion: POC upload tutorial for npm & live Attack Demonstration

Dependency Confusion Pt. 0:11:24

Dependency Confusion Pt. 2 | Final Part | Exploiting Dependency Injection

NPM Dependency Confusion 0:03:54

NPM Dependency Confusion How I Achieved Remote Code Execution | Bug Bounty POC

Part 2 Package 0:13:05

Part 2 Package Dependency Confusion Vulnerability | Advance Bug Bounty Tutorials | Hindi #bugbounty

BSidesSF 2024 - 0:30:26

BSidesSF 2024 - Snow Nor Rain Nor Dependency Confusion: How to... (Jessica Smith, Justin Engler)

Open Source Software 0:03:30

Open Source Software Supply Chain Attacks – The Straightforward Approach of Dependency Confusion

How Raman Mohurle 1:11:40

How Raman Mohurle Earned $$$$ with Dependency Confusion | Podcast : Episode -1 #bugBounty

Protecting my Node.js 0:27:01

Protecting my Node.js project of dependency confusion attacks

Dependency confusion and 1:07:12

Dependency confusion and its cure. A NuGet story

Dependency Confusion LAB&Demo 0:30:36

Dependency Confusion LAB&Demo [Arabic]

Dependency Confusion - 0:23:08

Dependency Confusion - einfach erklärt - Cybersecurity Attacks

Комментарии
Автор


My all time favourite (conceptually) attack is however typosquatting, but think of it expanded into libraries. Ie, you get a foothold of some sorry developer that happened to typo a common library name and just did their first pull. You'd probably just make a fork of the origin library, to avoid breaking things too badly and retain the foothold for a while. After that it's easy sailing, because developers are lazy (but important), and thus, have elevated access credentials by default.

It's still the same it was in the 90s. Security is not a question of technology, but convenience and human lazyness (I say lazy without any moral point). Perhaps the normal lazy developer was not "designed" to function well in a closed corporate environments that must value secrecy. Perhaps the only environment where the lazy developer can truly thrive is one where all code is open source and there are no secrets. :shrug:

czczr