This training is focused on the dangers of NPM package hacking and account takeover. As many of you know, NPM packages are crucial dependencies for the widely-used Javascript programming language. Unfortunately, in recent times there have been numerous instances of NPM package hacking, including confusion attacks and account takeovers, puting developers at risk without their knowledge.
In this training, we will focus on a specific aspect of Supply-Chain Attacks: the vulnerability of NPM packages to account takeover when the email address of the package maintainer expires. This may sound less impactful, but the reality is far from it. Just one package could be used by hundreds of thousands of applications, and the impact of such an attack would be devastating. We will demonstrate how an innocent NPM package can become a disaster, and how an NPM account takeover can evade detection even by security tools such as Dependabot, SAST, and DAST.
We have conducted extensive research on this issue, scanning the internet for widely-used NPM packages and collecting over 2.1 million packages with millions of downloads. We extracted the email addresses of these packages and scanned the domains to identify expired ones.
We then gathered download numbers of the vulnerable packages to demonstrate the impact of this vulnerability globally.
– Gain a holistic view of supply-chain security, covering open-source vulnerabilities beyond NPM.
– Identify and mitigate risks in NPM packages and other open-source components.
– Master automated vulnerability detection for NPM packages, understanding its broader cybersecurity implications.
– Advocate for open-source security best practices within your organization.
– Protect your applications from diverse supply-chain and open-source threats.
This training program is designed to provide participants with a comprehensive understanding of supply chain security from both an offensive and defensive perspective. The program covers the latest tactics and techniques used by attackers to compromise supply chains, as well as the most effective countermeasures to prevent and respond to these attacks. Participants will gain practical skills and knowledge to help them secure their own supply chains and mitigate risks
Introduction to Supply Chain attacks & Software Supply Chain Security
– Understanding the importance of supply chain security
– Overview of supply chain attack types and techniques
– Common vulnerabilities in supply chains
[Case-Study] How to break down an attack pattern that’s new in the attack surface and use your mind and automation sauce to automate the prevention when the prevention is not out there ?
– Javascript – NPM packages account takeover tale.
– Offensive / Attacker’s perspective simulation.
– Defensive simulation and practices.
– How to detect NPM account takeover vulnerability in your code base?
– How to automate?
– Research – thought pattern and critical thinking class. Where the research on 2.1 Million NPM packages would be discussed and problem solving would be practiced.
Dependency confusion
– Brief introduction.
– Simulation from attacker’s perspective.
– Prevention methodologies from the defensive perspective.
– Our research on it on how well-spread it is.
– Customized scripts to detect.
Log4j, Typosquatting, Repojacking, Account takeover of dependencies.
– Offensive approach simulation
– Proactive approach of prevention discussion.
Depreciated libraries or dependencies
– How to automate the detection and keep your code secure?
– Methodologies for your SDLC.
– Why dependabot is not enough – GemScanner for your Ruby stack.
Real-World Examples of Supply chain attacks.
– Analysis of recent supply chain attacks
– Examination of successful and failed supply chain security measures
– Lessons learned and practical takeaways
Enhancing the supply chain security in your organizational SDLC.
– How to prevent supply chain attacks?
– Software Bill Of Materials: Setting up, good practices etc.
– Custom sauce of scripts.
– Dependabot and a lot more.
Key Takeaways:
What new research, concept, technique, or approach is included in your submission?
Scanning 2.1 Million NPM packages to find the account takeoverable vulnerable packages and then identifying the download numbers for the vulnerable ones to make a point of impact of this vulnerability.
Before we conducted this research there was no publicly known defensive strategy so The Register featured our solution as well – https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/ (But not the research)
– Attendees would be able to think about the importance of open-source security.
– Attendees would be able to identify vulnerable NPM dependencies.
– They would be able to protect their organizations from such dependencies. and would automate it within seconds.
The problem is not being solved by the outdated dependency detectors or SAST or DAST tools. To detect the vulnerable NPM dependencies which could be prune to account takeover and moreover this talk would be an all in all package for packages or dependency security.
We would be presenting our own scripted tools and usage possibilities in this talk as well to prevent widespread.
*NOTE: No names of NPM packages would be displayed in public for security reasons, and nothing illegal or unethical would be done or promoted – this talk is focused on how to defend your own codebase specifically.
Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.
He was also involved in bug bounty programs as well, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.
– Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
– Featured in “The Register” for an initial workaround for the NPM dependency attacks.
– Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst
– Ex-Chapter Leader @ OWASP
– Ex-Top Rated freelancer (Information security category) on Upwork
– Recent security research and CVEs include – CVE-2022-2848 & CVE-2022-25523
– Served as a Moderator @ OWASP 2022 Global AppSec APAC.