https://github.com/xh4h/loki
  
  
The Dependency Confusion vulnerability scanner and autoexploitation tool to help identifying and mitigating supply chain attacks
- Host: GitHub
- URL: https://github.com/xh4h/loki
- Owner: Xh4H
- License: mit
- Created: 2021-12-09T20:25:33.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-02-20T13:54:55.000Z (over 1 year ago)
- Last Synced: 2024-11-19T02:23:01.940Z (12 months ago)
- Topics: attacks, chain, confusion, dependency, exploit, migitation, poc, supply, vulnerability-scanners
- Language: JavaScript
- Homepage:
- Size: 107 KB
- Stars: 31
- Watchers: 1
- Forks: 0
- Open Issues: 0
- Metadata Files:
  - Readme: README.md
  - Contributing: CONTRIBUTING.md
  - License: LICENSE
  - Security: SECURITY.md
 
README
## About
**Loki** helps to identify `NodeJS` projects that are vulnerable to **Dependency Confusion supply chain** attacks.
**Loki** was created to help developers scan their projects and identify possible attack vectors that could take advantage of weaknesses in the dependency supply chain.
**Loki** is a god in Norse mythology. Among other powers, he is an adept shapeshifter and impersonator of people.
## Disclaimer
**Loki** is a defensive tool. The attack mode simply inserts a payload opening a listener service to allow the developer to connect to the compromised dependency with the sole purpose of showing the impact of a misconfigured module.
## When may a Dependency Confusion supply chain attack happen?
**Dependency Confusion** attacks may occur if:
* A company uses a hybrid approach to download their dependencies from both their internal repositories and public repositories.
* A developer has not properly configured a project's `npm` registry. A lightweight private npm proxy registry such as [Verdaccio](https://verdaccio.org/) can be configured.
* A typo in the name of a dependency leads to an untrusted package being downloaded from the wrong repository. This is better known as typosquatting.
* The version range specified for a dependency in the `package.json` file allows newer versions to be downloaded. A dependency declared as `"loki-this-dependency-does-not-exist": "^1.1.0"` allows any version from `1.1.0` up to, but not including, `2.0.0` to be installed; the tilde (`~`) prefix behaves similarly, with a narrower range. In a hybrid setup, if the public repository (such as npmjs.org) contains a higher matching version than the private repository, the public one will be downloaded.
* A package's installation name differs from its import name, and a developer reading the code assumes the name used in the `import` is also the name to install. As an example, the Python image-processing library `OpenCV` is imported as `cv2`, but the correct command to install it is `pip install opencv-python`.
## Mitigation
* Strict internal dependency management: configure the private repository so that it never falls through to the public registry when it does not contain the wanted dependency. As noted above, [Verdaccio](https://verdaccio.org/) is a good tool for this.
* Using dependency scopes or namespaces to avoid typosquatting.
* Using version pinning. This technique does not indicate whether your current dependencies have already been compromised, but it will prevent newer untrusted versions from being downloaded.
* Integrity checking.
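The following script is an added example, not part of Loki, illustrating both the range and hybrid-registry conditions listed above and the scope and pinning mitigations. It audits a `package.json` dependency map for unscoped names and floating `^`/`~` ranges, and simulates which version a hybrid install would pick when a public registry carries a higher matching version than the private one; the package names and registry contents are constructed sample data.

```javascript
// Added example, not Loki's code: audit package.json specs and simulate hybrid-registry resolution.
const parseVer = (v) => v.split('.').map(Number);
function cmpVer(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}
// Range check for exact, caret and tilde X.Y.Z specs: ^1.1.0 allows >=1.1.0 <2.0.0,
// ~1.1.0 allows >=1.1.0 <1.2.0 (^0.y.z is treated like ~0.y.z, a simplification of npm's rule).
function satisfies(version, spec) {
  const op = '^~'.includes(spec[0]) ? spec[0] : '';
  const base = op ? spec.slice(1) : spec;
  if (!op) return cmpVer(version, base) === 0;
  if (cmpVer(version, base) < 0) return false;
  const [maj, min] = parseVer(base);
  const [vMaj, vMin] = parseVer(version);
  return vMaj === maj && ((op === '^' && maj !== 0) || vMin === min);
}
// Highest version satisfying spec across every registry the install consults.
function resolve(spec, registries) {
  let best = null;
  for (const [source, versions] of Object.entries(registries))
    for (const version of versions)
      if (satisfies(version, spec) && (!best || cmpVer(version, best.version) > 0))
        best = { source, version };
  return best;
}
// Flag unscoped names, floating ranges, and public versions outranking private ones.
function audit(pkg, registries) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const regs = registries[name] || { private: [], public: [] };
    const resolved = resolve(spec, regs);
    const reasons = [];
    if (!name.startsWith('@')) reasons.push('unscoped name');
    if (/^[\^~]/.test(spec)) reasons.push(`floating range ${spec}`);
    if (resolved && resolved.source === 'public' && regs.private.length > 0)
      reasons.push(`public ${resolved.version} outranks private registry`);
    if (reasons.length) findings.push({ name, spec, resolved, reasons });
  }
  return findings;
}
// Constructed sample: one internal package also exists publicly at a higher version.
const samplePackageJson = { dependencies: {
  'internal-utils': '^1.1.0', '@acme/logger': '~2.3.0', 'lodash': '4.17.21' } };
const sampleRegistries = {
  'internal-utils': { private: ['1.0.0', '1.1.0'], public: ['1.9.0'] },
  '@acme/logger': { private: ['2.3.0', '2.3.4'], public: [] },
  'lodash': { private: [], public: ['4.17.21', '4.17.20'] },
};
console.log(JSON.stringify(audit(samplePackageJson, sampleRegistries), null, 2));
```

In the sample, `internal-utils` resolves to the public `1.9.0` even though the private registry holds `1.1.0`, which is exactly the hybrid-setup outcome the list above warns about; the pinned `lodash` spec and the scoped `@acme/logger` name show the two mitigations removing that path.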
## Features
* Dependency scanning
* npmjs package publishing
* Configurable reverse shell generation
* Payload injection in vulnerable projects
* Attack mode (PoC after successful payload injection)
* Inspector mode (display hash of the commit that introduced the vulnerable package if the directory to scan is a git repository)
## Usage
### Prerequisite
To use this tool, it is expected that you have the following available in your environment:
- Node.js and npm in stable and recent versions
- The Git binary available in your path
### If downloaded from the repository:
```
$ node bin/loki.js [options]
```
### Using npx:
```
$ npx @xh4h/loki [options]
```
### Options
```
Options
--directory   -d   Path to directory to scan
--entrypoint  -e   Path to file to execute if directory is vulnerable (defaults to index.js)
--inspect     -i   Enable inspector mode
--accesstoken -a   Access token for npmjs.com
--attack           Whether to attack the project
--host             Host IP where the reverse shell listener is running (defaults to localhost)
--port             Port where the reverse shell listener is running (defaults to 1456)
```
## Contributing
[Contributing Guide](CONTRIBUTING.md)
## License
[MIT](LICENSE)
## Credits
Big thanks to the [Snyk](https://snyk.io/) team for their work on [snync](https://github.com/snyk-labs/snync) as **Loki** uses a modified version of their tool.