Dependency Confusion Useful Guides

Hello everyone,

It has been a while since my last publication, but I have decided to change that and share some useful information with you. Additionally, I have recently started my own blog on GitHub Pages, and I believe it is a great platform to publish interesting content. So, let’s dive right into the topic of the Dependency Confusion vulnerability.

I have dedicated a significant amount of time to collecting information about this vulnerability. While you can find useful information on the internet, the challenge lies in aggregating it all. Especially if you work in a large company, your developers likely utilize different technologies and programming languages. Instead of discussing general aspects of Dependency Confusion, which you can easily find elsewhere, I will provide you with valuable links and guides from various experts. Feel free to make use of them!

General information about dependency confusion and risk mitigation

This is a complete guide on dependency confusion from the researcher who discovered this problem in package managers:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Useful information from Microsoft:
https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/

Lots of info on dependency confusion:
https://github.com/x1337loser/Dependency-Confusion

Good exploitation example:
https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/

Guides for artifact repository managers and package managers

JFrog

This guide will help you reduce the risk if your team uses JFrog for many package managers:
https://schibsted.com/blog/dependency-confusion-how-we-protected-ourselves/

Nexus

Small trick for Nexus repository manager:
https://blog.sonatype.com/namespace-confusion-minimizing-risk-with-nexus-repository

NPM

https://snyk.io/blog/detect-prevent-dependency-confusion-attacks-npm-supply-chain-security/

Python

https://medium.com/ochrona/preventing-dependency-confusion-attacks-in-python-fa6058ac972f

Composer

https://blog.packagist.com/preventing-dependency-hijacking/

Haskell

https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html

Bundler

https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/

RubyGems

https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/

Enjoy! :smiley: