Skip to content

mathis2001/DeepConfusion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits

ExploitFiles

ExploitFiles

 
 

ExploitGem

ExploitGem

 
 

ExploitPy

ExploitPy

 
 

README.md

README.md

 
 

deepconfusion.sh

deepconfusion.sh

 
 

Repository files navigation

DeepConfusion

Simple bash dependency confusion checker that parse package.json, requirements.txt and Gemfile files and check if npm, python or ruby packages are public or private by searching them in npm, pypi and rubygems public registry.

Prerequisites

  • npm
  • jq
  • curl
  • awk
  • sort
  • sed
  • tr
  • cut
  • xargs
  • httpx

Install:

$ git clone https://github.com/mathis2001/DeepConfusion
$ cd DeepConfusion
$ chmod +x deepconfusion.sh

Usage:

$ ./deepconfusion path/to/package.json or requirements.txt or Gemfile

Screenshots

image image

Exploit (After finding a private module)

npm

You can find the private packages found in the generated confusion.txt file, then:

  • Check in the original package.json file if their is a ^ or a ~ before the version (if yes it is vulnerable)
  • Take the package.json template prensent in the "ExploitFiles" directory.
  • Replace the name by one of the packages found and preinstall value by your domain.
  • Replace the version value by a latest than the private module.
  • Publish it in the npm public registry.

Python

  • If one of the packages give an error 404, it might be vulnerable to dependency confusion.
  • Go to the "ExploitPy" repository and build the package.
$ python3 setup.py sdist bdist_wheel
$ twin upload dist/*

Help: https://s1rn3tz.gitbook.io/notes/pentest-web/dependency-confusion

Ruby

  • If one of the packages give an error 404, it might be vulnerable to dependency confusion.
  • Create a new package.
$ bundle gem <package_name>
  • Go to the created repository.
$ cd <package_name>

  • Copy the .gem file from the ExploitGem repository in the newly created file and replace the needed information.

  • Then go to the lib repository.

$ cd lib

  • Replace the content of the .rb file with the one of the "ExploitGem" repository.

  • Go back to the main repository and build the package.

$ cd ..
$ gem build <package_name>.gemspec
$ gem push <package_name>-9.9.9.gem

To Do

  • Addisionnal validation for depreciated packages
  • Remove of false positives like (name, version detected as packages...)
  • Add requirements.txt check for python dependency confusion
  • Add Gemfile check for ruby dependency confusion

About

Simple bash dependency confusion checker (npm, python and ruby)

Topics

bash npmjs dependency-confusion

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages