everbas.blogg.se

Zoneminder not capturing






First up is some clever wizardry from the research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are "scoped", meaning they live within a private namespace, and are inaccessible to the general public. Trying to access the package results in an HTTP 404 error, the same error as trying to pull a package that doesn't exist.

The clever bit is to keep trying, and really pay attention to the responses. Use npm's API to request info on your target package, five times in a row. If the package name isn't in use, all five requests will take the expected amount of time. That request lands at the service's backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist, but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has a front-end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal: get a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, but dependency confusion just relies on a developer not explicitly defining the scope of a package.

Excerpt from "This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG" (Hackaday Columns).

Hacks are often born out of unfortunate circumstances. My unfortunate circumstance was a robbery: the back door of the remodel was kicked in, and a generator was carted off.






