Hacking OWASP’s Juice Shop Pt. 62: Supply Chain Attack

Challenge: 

Name:  Supply Chain Attack

Description: Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)

Difficulty: 5 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None

Resources used:

www.snyk.io/vuln

Methodology: 

In the expanded description for this challenge there are three clues: The developers, not the customers, are the target of this attack, this is simply a research challenge, and having access to the Developer Backup will save time.

Knowing roughly what a supply chain attack is, how severe they are, and also having spent quite a bit of time during previous challenges finding vulnerable libraries in the developer’s backup file, I had a fairly short list of possible culprits.

<img src="https://curiositykillscolby.files.wordpress.com/2020/12/image-135.jpeg?w=618&quot; alt="Q eslint O • any VULNERA31LlTY cocoapods O Composer O O L,nux AFFECTS O Maven Regular Expression Denial of Service (ReDoS) Malicious Package Malicious Package eslint

After clicking on the vulnerability to check it out, I found two listed posts describing the issue and its mitigation. The vulnerability is apparently so bad that it is recommended that elsint-scope should be removed from all projects entirely, and it’s easy to understand why. Automatically downloading malware from pastebin coupled with remote code execution is a scary combination.

@ ESLint 
Q 
Search the docs... 
User guide 
Postmortem for Malicious Packages 
Published on July 12th, 2018 
Summary 
On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published 
malicious versions of the -eslint-scope- and eslint- config-eslint packages to the npm registry. On 
installation, the malicious packages downloaded and executed code from -pastebin.com which sent the 
contents of the user's l.npmrc file to the attacker. An I . npmrcj file typically contains access tokens for 
publishing to npm. 
The malicious package versions are I es1int-scope@3.7.2 and glint-config-es1int@5.0.2' both of 
which have been unpublished from npm. The pastebin.com. paste linked in these packages has also 
been taken down.
eslint/ eslint-scope 
Code O Issues 8 
Pull requests 
@ Actions 
CO Projects 
C) Security 
Insights 
Virus in eslint-scope? 
39 
C Closed 
pronebird opened this issue on Jul 12, 2018 • 92 comments 
pronebird commented on Jul 12, 2018 • edited by hzoo 
Updated blog post: https://eslint.org/blog/2018/07/postmortem-for-malicious- 
package-publishes 
Update from the maintainers 
Incident status report from npm 
Please follow the comment by @platinumazure that gives a little insight into what happened: 
#39 (comment) 
It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See 
eslint/eslint#10600 for more information.

Here I had a touch of trouble figuring out what the challenge solution format was, but as I was certain I’d found the right vulnerability I didn’t feel too bad about checking the Solution Guide to find out what to enter into the feedback form.

Customer Feedback 
- Author — 
anonymous 
Comment 
https://github.com/eslint/eslint-scope/issues/39 
O Max. 160 characters 
48/160 
Rating 
CAPTCHA: 
22 
What is 
7+5*3 ? 
Submit
You successfully solved a challenge: Supply Chain Attack (Inform the development team about a danger to some of their 
credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)) 
x

Prevention and Mitigation Strategies:

OWASP Vulnerable Dependency Management Cheat Sheet

Keep up to date on vulnerabilities found in the libraries you’re using. When one is found to be as vulnerable as eslint-scope was, do whatever is necessary to immediately remove it from your projects. A quick and easy way to determine the severity of listed vulnerabilities is to check the CVSS score. If it’s a 9, remove the package. If it’s a 4, maybe it’s not quite as urgent, but should still be updated to a new version or replaced in a timely manner.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s