【Dependency Confusion Attack】Types and Prevention
Nov 7, 2022
Modern applications are built using logically isolated components, each performing a set of functions that can be used directly within the software. These software components, also known as dependency packages or libraries, are stored in public or private repositories that can be reused across multiple software supply chains.
This article discusses what dependency confusion relates to in modern application delivery, how it can lead to security vulnerabilities, and recommended practices to mitigate such vulnerabilities.
What is Dependency Confusion?
Dependency confusion in application delivery arises when two packages share the same name in different repositories (for example, an internal package and a same-named package on a public registry) and the package manager has no unambiguous rule for which one to prefer. Dependency confusion attacks exploit this scenario: an adversary tricks the package manager into pulling a malicious package from a public registry instead of the legitimate one. Also known as supply chain substitution, such attacks leverage the fact that users don’t need to specify the source repository for a component; the package installer automatically handles downloads and configuration.
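To make the ambiguity concrete, here is a toy resolver (an added example written for this article, not the code of any real package manager; the package names, versions and registries are constructed) that shows a merged "highest version wins" policy selecting the public copy, beside a private-first policy that refuses to fall back to the public registry for internal names:

```python
"""Toy simulation of how a package manager picks between same-named
packages on a private and a public registry (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    registry: str  # "private" or "public"


def _vkey(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample index: the internal package "acme-billing" exists at
# 1.4.0 on the private registry; a same-named package sits at 99.0.0 on the
# public registry, alongside a genuinely public package.
CANDIDATES = [
    Candidate("acme-billing", "1.4.0", "private"),
    Candidate("acme-billing", "99.0.0", "public"),
    Candidate("requests", "2.31.0", "public"),
]

# Names the organisation declares as internal-only (constructed).
INTERNAL_NAMES = {"acme-billing"}


def resolve_highest_version(name, candidates):
    """Ambiguous policy: merge every registry's index and take the highest
    version regardless of origin. This is the behaviour that allows a
    public package to be substituted for the internal one."""
    matches = [c for c in candidates if c.name == name]
    return max(matches, key=lambda c: _vkey(c.version)) if matches else None


def resolve_private_first(name, candidates, internal_names):
    """Hardened policy: a name declared internal may only come from the
    private registry; everything else comes from the public one. An internal
    name missing from the private registry is an error, never a fallback."""
    required = "private" if name in internal_names else "public"
    matches = [c for c in candidates if c.name == name and c.registry == required]
    if not matches:
        raise LookupError(f"{name!r} not found on required registry {required!r}")
    return max(matches, key=lambda c: _vkey(c.version))
```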
The workflow of a typical supply chain substitution attack is similar to the following:
1. A hacker discovers private package names used within a target organization.
2. The hacker builds a malicious version of the package.
3. The malicious package is subsequently added to a public