Snow Nor Rain Nor Dependency Confusion: How to...
Jessica Smith, Justin Engler
BSidesSF 2024 · Day 1
This talk, "Snow Nor Rain Nor Dependency Confusion: How to...", delivered by Jessica Smith and Justin Engler, engineers on the offensive security (red) team at Block, covers the **dependency confusion** vulnerability: a package resolver configured to consult both a private and a public registry can be tricked into installing an attacker's public package that carries the same name as an internal one (typically because it advertises a higher version), so the attacker's install-time code runs on the victim's build or developer machines. The presentation explains what dependency confusion is, details a real-world red team operation Block conducted to exploit it, and outlines the strategies and challenges encountered in remediating the issue. The speakers note that this was one of their team's first red team engagements and offer practical insights into identifying, exploiting, and defending against a vulnerability that poses a significant remote code execution (RCE) risk in modern software supply chains.
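The mechanism behind the vulnerability, and the difference between a resolver that merges indexes and one that pins internal names to the private index, as an added Python illustration (this is not code from the talk or from Block; the registries, package names and versions below are constructed sample data, and the resolver is a simplified model of pip-style "highest version wins" behaviour rather than pip itself):

```python
"""Model of dependency confusion: merged-index resolution vs. pinned resolution.

Constructed example. `PRIVATE_INDEX` stands in for a company's internal
registry, `PUBLIC_INDEX` for a public one on which an attacker has
registered an internal package name with an inflated version number.
"""


def parse_version(v: str) -> tuple:
    """Turn '2.31.0' into (2, 31, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed registries: package name -> {version: origin}
PRIVATE_INDEX = {
    "block-internal-utils": {"1.4.2": "private"},
    "payments-client": {"2.0.1": "private"},
}
PUBLIC_INDEX = {
    "requests": {"2.31.0": "public"},
    # Attacker-registered squat of an internal name (constructed).
    "payments-client": {"99.0.0": "public"},
}


def resolve_merged(name: str, indexes: list) -> tuple:
    """Vulnerable behaviour (pip with --extra-index-url): every index is a
    peer, and the highest version across all of them is installed."""
    candidates = []
    for index in indexes:
        for ver, origin in index.get(name, {}).items():
            candidates.append((parse_version(ver), ver, origin))
    if not candidates:
        raise LookupError(f"{name}: not found in any index")
    _, ver, origin = max(candidates)
    return ver, origin


def resolve_pinned(name: str, private: dict, public: dict) -> tuple:
    """Hardened behaviour: any name the private index knows about is only
    ever served from the private index, regardless of public versions."""
    if name in private:
        versions = private[name]
        ver = max(versions, key=parse_version)
        return ver, versions[ver]
    versions = public.get(name)
    if not versions:
        raise LookupError(f"{name}: not found")
    ver = max(versions, key=parse_version)
    return ver, versions[ver]


def audit_internal_names(private: dict, public: dict) -> dict:
    """Flag internal names that already collide with a public package
    ('squatted') and those nobody has claimed yet ('unclaimed')."""
    squatted = sorted(n for n in private if n in public)
    unclaimed = sorted(n for n in private if n not in public)
    return {"squatted": squatted, "unclaimed": unclaimed}


if __name__ == "__main__":
    print("merged :", resolve_merged("payments-client", [PRIVATE_INDEX, PUBLIC_INDEX]))
    print("pinned :", resolve_pinned("payments-client", PRIVATE_INDEX, PUBLIC_INDEX))
    print("audit  :", audit_internal_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

Running the script shows the merged resolver choosing the attacker's `99.0.0` from the public index while the pinned resolver returns the internal `2.0.1`; the audit function is the kind of check a defender runs over the list of internal package names to find which ones are already claimed on a public registry and which are still open to being claimed.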
AI review
This talk provides a solid, no-nonsense walkthrough of a real-world dependency confusion exploitation and, more importantly, the painful process of remediation. While the vulnerability itself isn't novel, the detailed red team execution, the clever payload targeting, and the honest discussion of the challenges in fixing it make this a valuable session. It's a practical demonstration of how a known vulnerability can still yield significant impact in a large enterprise.