Authorization / Dependency Confusion
Dependency Confusion is a type of authorization vulnerability in which an attacker uses name confusion to get malicious code loaded by a system. It occurs when an application looks up a dependency library by a specific name and an attacker is able to manipulate the library search path so that a malicious library of the same name is found instead of the intended one. The Common Weakness Enumeration (CWE) directory identifies this vulnerability as CWE-428, and the OWASP Testing Guide gives further information on how to identify and mitigate its risks.
The risk of Dependency Confusion is high, because it lets an attacker insert malicious code into a system without the user's knowledge. This can lead to the theft of sensitive information or to the execution of arbitrary malicious code. In the case of mobile apps the risk is even higher, as both the iOS and Android app stores have been identified as vectors for this attack.
The solution to Dependency Confusion is to ensure that every dependency is explicitly named and that the application only resolves the dependency with exactly that name. Additionally, all dependencies should be checked regularly for security vulnerabilities, and any vulnerable dependency should be removed immediately.
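The mitigation above applies at install time as much as at import time: a package manager that is allowed to consult a public index alongside a private one, or a requirements file that does not pin and hash-lock its entries, leaves room for a same-named public package to be chosen. The following audit script is an added example and is not code from the original page; it parses a constructed pip requirements file and flags the three settings that make that possible (an --extra-index-url line, a private package name that is not pinned with a hash, and any unpinned entry). The index URLs, the private package names in PRIVATE_PACKAGES and the hash digests are all constructed placeholders.

```python
"""Audit a pip requirements file for the settings that let a name-confusion
attack succeed at install time. Added example, not the page's own code; the
requirements text, the index URLs, the private package names and the hash
values below are all constructed."""
import re

# Constructed: packages that exist only on the organisation's private index.
# A public package registered under one of these names is the classic
# dependency-confusion setup.
PRIVATE_PACKAGES = {"acme-internal-auth", "acme-telemetry"}

SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.example.internal/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0 --hash=sha256:%s
acme-internal-auth>=1.0
acme_telemetry==3.2.1 \\
    --hash=sha256:%s
flask
""" % ("0" * 64, "1" * 64)   # placeholder hashes, not real digests

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def normalize(name):
    """PEP 503 name normalisation, so acme_telemetry == acme-telemetry."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = lineno if start is None else start
        raw = raw.rstrip()
        if raw.endswith("\\"):
            buf.append(raw[:-1].rstrip())
            continue
        buf.append(raw)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def audit_requirements(text, private_packages=PRIVATE_PACKAGES):
    """Return [(line_number, kind, message)] for every risky entry."""
    findings = []
    for lineno, line in logical_lines(text):
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append((lineno, "extra-index-url",
                             "public index competes with the private one; "
                             "pip takes the highest version from either"))
            continue
        if line.startswith("-"):
            continue            # -r, --index-url, etc. are not risks by themselves
        match = NAME_RE.match(line)
        if not match:
            continue
        name, rest = match.groups()
        pinned = "==" in rest
        hashed = "--hash=" in rest
        if normalize(name) in private_packages and not (pinned and hashed):
            findings.append((lineno, "private-unpinned",
                             "%s is private but not pinned with a hash; a "
                             "public package of the same name could be chosen" % name))
        elif not pinned:
            findings.append((lineno, "unpinned", "%s has no exact version" % name))
        elif not hashed:
            findings.append((lineno, "no-hash", "%s is pinned but not hash-locked" % name))
    return findings


if __name__ == "__main__":
    for lineno, kind, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print("line %d [%s]: %s" % (lineno, kind, message))
```

Run as a script it reports three findings for the sample file; the requests and acme_telemetry entries pass because they are pinned to an exact version and carry a hash, which is the shape every entry should have. The same check fits naturally into CI so that a new unpinned entry or a stray --extra-index-url fails the build rather than reaching an installer.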
The following code example is taken from CVE-2019-14346:
# malicious_library.py -- the attacker's module; for the lookup below to find it,
# it has to be saved under the name the application imports (hello.py) in a
# directory that is searched before the legitimate library's directory
import sys

def hello_world():
    print("Hello World!")
    sys.exit(0)  # terminates the host process once the attacker's code has run

# example.py -- the application
dependency_name = "hello"
try:
    imported_library = __import__(dependency_name)  # walks sys.path; the first match wins
    imported_library.hello_world()
except ImportError:
    print("Failed to import dependency")
In this example, the application attempts to import a dependency named "hello". Because the attacker has placed a malicious library with the same name where the search path finds it first, that library is executed instead of the intended one.
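The defence against the scenario above is to check where a name resolves before any of its code runs. The following guarded import is an added example, not code from the original page: it uses importlib.util.find_spec, which walks sys.path exactly as __import__ does but executes nothing, and refuses the import unless the resolved file lies inside an allow-listed directory. The demo() function reconstructs the page's situation with two constructed temporary directories, a legitimate hello module in a "vendor" directory and a shadowing hello module in a directory that is searched first; the module name and the directory names are assumptions for the demonstration.

```python
"""Guarded import: resolve a dependency name to the file Python would load,
and refuse to import it unless that file lies inside an allow-listed
directory. Added example, not the page's own code. The module name "hello"
and the two temporary directories are constructed for the demonstration."""
import importlib
import importlib.util
import os
import shutil
import sys
import tempfile
import textwrap


class UntrustedModuleLocation(ImportError):
    """The module with the expected name resolves from a directory that is
    not on the allow-list, i.e. something is shadowing the real dependency."""


def resolve_origin(name):
    """Return the real path of the file Python would load for `name`, or None.
    find_spec walks sys.path exactly as __import__ does but runs no module code."""
    spec = importlib.util.find_spec(name)
    if spec is None or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def guarded_import(name, trusted_dirs):
    """Import `name` only if it resolves to a file under one of `trusted_dirs`."""
    origin = resolve_origin(name)
    if origin is None:
        raise ImportError("dependency %r not found on sys.path" % name)
    for directory in trusted_dirs:
        trusted = os.path.realpath(directory) + os.sep
        if origin.startswith(trusted):
            return importlib.import_module(name)
    raise UntrustedModuleLocation(
        "%r resolved to %s, outside the trusted directories" % (name, origin))


def _write_module(directory, name, body):
    """Write a one-file module into `directory` (constructed test fixture)."""
    with open(os.path.join(directory, name + ".py"), "w") as fh:
        fh.write(textwrap.dedent(body))


def demo():
    """Constructed scenario: the legitimate `hello` lives in a vendor
    directory, a shadowing `hello` sits in a directory that is searched
    first. Returns (shadow_seen, guarded_outcome, result_after_cleanup)."""
    vendor = tempfile.mkdtemp(prefix="vendor_")
    untrusted = tempfile.mkdtemp(prefix="untrusted_")
    _write_module(vendor, "hello", """
        def hello_world():
            return "legitimate hello"
    """)
    _write_module(untrusted, "hello", """
        def hello_world():
            return "SHADOWING hello"
    """)
    sys.modules.pop("hello", None)
    sys.path[:0] = [untrusted, vendor]   # the untrusted entry wins the search
    importlib.invalidate_caches()
    try:
        shadow_seen = resolve_origin("hello").startswith(os.path.realpath(untrusted))
        try:
            guarded_import("hello", [vendor])
            outcome = "imported"
        except UntrustedModuleLocation:
            outcome = "refused"
        # Once the untrusted path entry is gone, the legitimate copy is found.
        sys.path.remove(untrusted)
        importlib.invalidate_caches()
        result = guarded_import("hello", [vendor]).hello_world()
        return shadow_seen, outcome, result
    finally:
        sys.modules.pop("hello", None)
        for path in (untrusted, vendor):
            if path in sys.path:
                sys.path.remove(path)
            shutil.rmtree(path, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # (True, 'refused', 'legitimate hello')
```

The important property is that the shadowing module's code never runs: the check happens on the resolved path, not on the imported object, so a module that calls sys.exit or anything worse at import time is rejected before it gets a chance. The same idea generalises to logging the resolved origin of every third-party import at start-up, which makes an unexpected search-path entry visible in normal application logs.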