RCE due to Dependency Confusion — $5000 bounty!

Chevon Phillip
May 10

Hey everyone! I’m back with another cool write-up about a bug bounty report I submitted to a private program on HackerOne. Guess what? I got a $5,000 reward and they took care of it in just 30 minutes!

I won’t go into the nitty-gritty of dependency confusion since there are plenty of awesome write-ups out there that cover it.

So, I was checking out this custom auth portal where you can get into multiple internal apps after logging in. Bummer, though, they didn’t give us credentials during testing, so only company employees could log in.

But hey, I didn’t give up! I looked at the .js files the app loaded, using the network tab in my browser. I saw that when the auth login page loaded, it bundled an app.[random_characters].js file.

I remembered reading about source maps and how you can put front-end source code back together with them. So, I used this cool tool called Sourcemapper (https://github.com/denandz/sourcemapper) that helps do just that.

With the source code in hand, I started hunting for vulnerabilities. I found a few interesting ones, but what really caught my eye in the code were the import statements.

I noticed the imports referenced an NPM package that needed to be found on npm.org. So I did what any hacker would do, trying to see if I could hijack that package. To my luck, it worked!

I quickly created a PoC and started to get pingbacks to my Burp Collaborator and was able to pull sensitive data and execute code.

I reported this issue to the program and it was triaged within 30 mins and rewarded with their max bounty.
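From the defending side, the same observation (a shipped source map exposes the bundle's import statements) can be turned into a build check. The following is an added example, not code from this write-up or the affected program: it parses a source map, lists the bare package names its embedded sources import, and flags any that are neither known public dependencies nor under a scope the organisation owns. The source map, the package names and the `publicDeps`/`ownedScopes` lists are constructed assumptions.

```javascript
// Constructed sample: a source map like the one a bundler emits beside app.[hash].js.
// All package names here are hypothetical.
const sampleMap = JSON.stringify({
  version: 3,
  sources: ["webpack:///./src/login.js", "webpack:///./src/api.js"],
  sourcesContent: [
    "import React from 'react';\nimport { sso } from 'acme-auth-client/sso';\nimport './login.css';",
    "const http = require('@acme/http');\nimport cfg from '../config';\nconst lazy = () => import('acme-telemetry');",
  ],
});

// Reduce an import specifier to its package name; null for paths and URL-like specifiers.
function packageName(spec) {
  if (/^(\.|\/|[a-z]+:)/i.test(spec)) return null; // ./x, ../x, /x, node:fs
  const parts = spec.split("/");
  if (spec.startsWith("@")) return parts.length >= 2 ? parts[0] + "/" + parts[1] : null;
  return parts[0];
}

// Collect every bare-module import found in the map's embedded sources.
function exposedPackages(mapText) {
  const map = JSON.parse(mapText);
  const found = new Map(); // package name -> Set of source files importing it
  const re = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(?\s*)(['"])([^'"\n]+)\1/g;
  (map.sourcesContent || []).forEach((src, i) => {
    if (typeof src !== "string") return; // sourcesContent entries may be null
    for (const m of src.matchAll(re)) {
      const pkg = packageName(m[2]);
      if (!pkg) continue;
      if (!found.has(pkg)) found.set(pkg, new Set());
      found.get(pkg).add(map.sources[i]);
    }
  });
  return found;
}

// Flag names that are not a known public dependency and not under an owned scope.
// Both lists are supplied by the auditor (assumption), e.g. from the lockfile.
function audit(mapText, { publicDeps, ownedScopes }) {
  const report = [];
  for (const [pkg, files] of exposedPackages(mapText)) {
    const scope = pkg.startsWith("@") ? pkg.split("/")[0] : null;
    if (publicDeps.includes(pkg) || (scope && ownedScopes.includes(scope))) continue;
    report.push({ pkg, files: [...files].sort() });
  }
  return report.sort((a, b) => a.pkg.localeCompare(b.pkg));
}

console.log(audit(sampleMap, { publicDeps: ["react"], ownedScopes: ["@acme"] }));
```

Each flagged name is an internal package referenced without an owned scope; moving it under a scope the organisation controls on the public registry, pinning the internal registry for it, and not publishing source maps to production remove the exposure.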

P.S: Special shoutout to https://twitter.com/Arl_rose for helping me get this reported right away.

END — If you want to read more of my write-ups, please follow me here, on Twitter, and LinkedIn.

Chevon Phillip

Application Security Engineer. I helped secure top companies and organizations.