Dependency Confusion Useful Guides
Hello everyone,
It has been a while since my last publication, but I have decided to change that and share some useful information with you. Additionally, I have recently started my own blog on GitHub Pages, and I believe it is a great platform to publish interesting content. So, let’s dive right into the topic of the Dependency Confusion vulnerability.
I have dedicated a significant amount of time to collecting information about this vulnerability. While you can find useful information on the internet, the challenge lies in aggregating it all. This is especially true if you work in a large company, where your developers likely use different technologies and programming languages. Instead of discussing general aspects of Dependency Confusion, which you can easily find elsewhere, I will provide you with valuable links and guides from various experts. Feel free to make use of them!
General information about dependency confusion and risk mitigation
This is a complete guide on dependency confusion from the researcher who discovered this problem in package managers:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Useful information from Microsoft:
https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
Lots of info on dependency confusion:
https://github.com/x1337loser/Dependency-Confusion
Good exploitation example:
https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/
Guides for artifactory managers and package managers
JFrog
This guide will help you reduce the risk if your team uses JFrog Artifactory as a proxy for multiple package managers:
https://schibsted.com/blog/dependency-confusion-how-we-protected-ourselves/
Nexus
Small trick for Nexus repository manager:
https://blog.sonatype.com/namespace-confusion-minimizing-risk-with-nexus-repository
NPM
https://snyk.io/blog/detect-prevent-dependency-confusion-attacks-npm-supply-chain-security/
Python
https://medium.com/ochrona/preventing-dependency-confusion-attacks-in-python-fa6058ac972f
Composer
https://blog.packagist.com/preventing-dependency-hijacking/
Haskell
https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html
Bundler
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
RubyGems
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
Enjoy!