PyCon APAC 2023

Dodging Dependency Confusion In A Nutshell
2023-10-28 , track 5

Have you ever tried to call a phone number and gotten one of the digits wrong? That's exactly what happens when you import the wrong package into your code: you receive unintended answers from the other side. In this talk, we will discover a unique attack vector that hackers exploit to gain direct access to your repository, and how to avoid it.


What is it about?

Dependency confusion is a new attack vector that was discovered in early 2021 by the security researcher Alex Birsan, who found that multiple big organizations, such as Microsoft, Apple, and others, were vulnerable to this sort of software supply chain exploit.
The vulnerability arises when a developer makes a mistake in importing one or more packages into the source code. An attacker who learns which packages are used can search through package indexes (e.g. PyPI), turn that mistake to their advantage, and upload malware to the index, which will later be imported into the affected piece of code.

What's the impact?

An attacker will have direct read and write permissions in the code and, even worse, can perform other malicious activities, such as dumping the database, deleting files, disclosing sensitive information, and more.

Small example

Suppose that, in a big project, a developer makes a small typo and imports "reqests" instead of the "requests" library. Suppose also that "reqests" is imported but never used, so the developer won't get any errors after running the code. If the attacker somehow learns about this, he will search PyPI for reqests and find that no package with that name has been created. He will then create one on the index containing malicious code, such as a reverse shell or a simple fetcher that helps him dump everything from the backend of the infected project.

Outline of the talk

In my talk, I will try to explain in simple terms what dependency confusion is, followed by some real-world examples of previously found vulnerabilities across different package indexes. This is going to be a sort of security awareness presentation, so that developers pay more attention to what they're including in their code from the internet. I will try to follow these bullet points:
- Introductory example
- PyPI overview
- What is a dependency?
- Typosquatting
- Dependency confusion
- Real-world scenarios of the vulnerability
- Best practices and ways to avoid

Khalil is a cybersecurity MSc student at the Eötvös Loránd University in Budapest. He uses Python in his day-to-day job as a vulnerability management specialist. Khalil is also interested in web application security, where he tries to gain knowledge by playing CTFs (Capture The Flag) with his club members, and in his free time, Khalil hunts for vulnerabilities on bug bounty platforms. He also likes to raise plants, travel the world, and mix music!