Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin) (Ep. 74)
HTML-код
- Опубликовано: 5 авг 2024
- Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
Follow us on twitter at: / ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to / realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on twitter:
/ 0xteknogeek
/ rhynorater
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: x.com/0xLupin
Resources:
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
/ dependency-confusion
git-dump
github.com/tomnomnom/dotfiles...
Depi
www.landh.tech/depi
Weak links of Supply Chain
arxiv.org/pdf/2112.10165
Timestamps:
(00:00:00) Introduction
(00:07:13) Overveiw of Supply Chain Flow
(00:15:14) Getting our Scope
(00:23:46) Depi
(00:29:12) Types of attacks and finding the 80/20
(00:45:06) Maintainer attacks
(01:10:40) Regestries, artifactories, and an npm bug
(01:31:51) Grafana NPX Confusion Наука
Okay, so who was explaining both of them were just chatting, 🤧 , guys you were supposed to explain, all of the pipelining and ci cd stuff, how are we supposed to know... you cant just assume that. 😵
no wonder I didn't understand half of it.
Am i the only one that does not understand a thing about what they said ?
All I heard was cache... or cash... I hope it was cash
Me when they go deep on s and client side path traversal lol. Since I'm a dev this one was fine for me