remote code execution via dependency confusion

this write-up covers how i discovered a dependency confusion vuln on a private h1 program (referred to as orgxyz) and achieved remote code execution.

while running ffuf on engineering.orgxyz.com, i found a publicly accessible package-lock.json file with 100+ packages.

this sparked the idea to test for dependency confusion — a technique where an attacker uploads a malicious package to npm with the same name as an internal one, hoping the internal app pulls it. [read more]

luckily, the json file contained npm registry urls. i wrote a script to check which ones returned 404s.

found one: orgxyz-css-1.0.4 → missing.

i registered the same name on npm, added some callback logic, and pushed it with a higher version.

1. create npm account
2. build index.js to ping burp collaborator or canary

   

3. create package.json with higher version + same name

   

4. publish & wait
5. 3 hrs later — canary token triggered

   

6. built another version with os command exec + data exfil to burp
7. an hour later — received callback output

   

8. validated everything → submitted report → got bounty

• march 10, 2024 — found vuln
• march 14 — reported via hackerone
• march 23 — issue resolved + bounty awarded

cd ..