| ID | Status | Summary | Opened by |
|----|--------|---------|-----------|
| 125 | Closed | Bug: NPM Dependency Confusion Vulnerability. | ssb07 |

## Task Description

Hope everything is going well on your side.

Recently, while enumerating over alwaysdata.net and alwaysdata.com I came across a JS file which contains an npm dependency which you also use via the command require('nw.gui'). When I checked it on the npm registry it did not exist there. So I claimed it. I also came across other dependencies which are used in other JS files with the exact same syntax, but they already exist on the npm registry; only this dependency does not exist on the npm registry. So it could easily result in an npm dependency confusion vulnerability, which could have severe consequences: if at any time you update/install it, it will easily give rise to Remote Code Execution on a user/developer system, whether it is in scope or not.

## Steps to reproduce:

1. Enumerate over your domain and find all endpoints.
2. From endpoints extract all js files.
3. In the JS files, search for npm dependencies.

![some-js-files-found](https://drive.google.com/file/d/16VphYAjHXuYmwsBvx0fWcgbePP1y5JPy/view?usp=drive_link)

4. You will find dependency which I mentioned above.

![Found-npm-dependency](https://drive.google.com/file/d/1VZMibcPlCity-RPpZPkl1TSKuNkswbZA/view?usp=drive_link)

Follow this JS file: [Link](https://foxrewards.alwaysdata.net/jeu/js/rpg_core.js)
5. Claim the dependency.

![Claimed-bucket-with-some-downloads-also](https://drive.google.com/file/d/14FWf1qfh3p5f3TRndRJCPcAn0LEunRNS/view?usp=drive_link)

## Impact:

1. If at any time you update/install it, it will easily give rise to Remote Code Execution on a user/developer system, which could be fatal.
2. Reputation damage of the company.

## Mitigation
Once you have reviewed this report, I can unclaim the package and you can upload your own ones there.
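A defensive inventory check for the step the report describes (collecting module names referenced in shipped JS and comparing them against what the project actually declares, so any undeclared name can be verified on the registry you install from before it is trusted). This is an added example, not code from the report or from alwaysdata; the sample JS, the built-in list and the declared dependency set are constructed.

```python
import re

# Node.js core modules that are resolved by the runtime, never from a registry
# (assumed partial list, not from the report; extend as needed).
NODE_BUILTINS = {
    "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
    "https", "net", "os", "path", "stream", "url", "util", "zlib",
}

# Matches require('x'), require("x"), import ... from 'x', and dynamic import('x').
SPEC_RE = re.compile(
    r"""(?:\brequire\s*\(\s*|\bfrom\s+|\bimport\s*\(\s*)['"]([^'"]+)['"]"""
)


def bare_specifiers(js_source: str) -> set[str]:
    """Package names referenced by a JS source, de-duplicated, subpaths stripped.
    Relative/absolute paths, node: URLs and core modules are dropped; scoped
    packages keep their scope (@scope/pkg)."""
    names = set()
    for spec in SPEC_RE.findall(js_source):
        if spec.startswith((".", "/", "node:")):
            continue
        parts = spec.split("/")
        name = "/".join(parts[:2]) if spec.startswith("@") else parts[0]
        if name not in NODE_BUILTINS:
            names.add(name)
    return names


def unknown_dependencies(js_source: str, declared: set[str]) -> set[str]:
    """Names the bundle requires that package.json / the lockfile does not declare.
    Each one should be confirmed to exist, and to be yours, on the registry
    the build installs from; an unclaimed name is a dependency-confusion risk."""
    return bare_specifiers(js_source) - declared


# Constructed sample resembling the report's finding; not the real rpg_core.js.
SAMPLE_JS = """
var fs = require('fs');
var path = require('path');
var gui = require('nw.gui');
var _ = require('lodash');
import { x } from '@scope/pkg/sub';
import('./local/module.js');
"""

# Constructed package.json dependency list for the sample.
DECLARED = {"lodash", "@scope/pkg"}

if __name__ == "__main__":
    for name in sorted(unknown_dependencies(SAMPLE_JS, DECLARED)):
        print("undeclared:", name)
```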
