DepenFusion: A Powerful Pentesting Tool for Detecting Dependency Confusion Vulnerabilities in Node.js
DepenFusion is an advanced, multithreaded penetration testing (pentest) tool designed specifically to identify and analyze dependency confusion vulnerabilities in Node.js (npm) projects.
- Automated Vulnerability Detection: DepenFusion is designed to automatically scan and identify dependency confusion vulnerabilities in Node.js projects.
- User-Friendly Interface: With an easy-to-use command-line interface, the tool simplifies the process of scanning subdomains/domains for potential vulnerabilities.
- Smart URL Handling: DepenFusion intelligently handles variations in URLs, ensuring smooth processing even with different formats.
- Support for Multithreading: The tool's multithreading capability allows for faster and more efficient scanning of multiple targets simultaneously.
- Silent Mode and Verbose Options: DepenFusion provides the flexibility of silent mode, which displays only useful results, or verbose mode for more detailed output.
- Integration Possibilities: DepenFusion can be easily integrated with other security tools to enhance vulnerability assessment capabilities.
-
Installation:
-
Ensure you have both Git and Python 3 installed on your system.
-
Download the DepenFusion tool using the command:
git clone github.com/benjamin-mauss/depenfusion
-
Change to the DepenFusion directory:
cd depenfusion
-
Install the necessary dependencies:
pip3 install -r requirements.txt
-
-
Scanning Subdomains/Domains:
Use the following command to analyze subdomains/domains by providing them in the standard input (stdin):
cat subdomains.txt | python3 ./main.py
-
Advanced Usage:
DepenFusion offers several optional command-line arguments for advanced users. To view these options, run:
python3 ./main.py --help
These options include adjusting the number of concurrent threads, setting a timeout period, appending a custom string to URLs, enabling verbose mode, and more.
DepenFusion employs a systematic approach to identify dependency confusion vulnerabilities:
- Async Request and File Analysis: The tool sends asynchronous requests to the target URLs, appending
package.json
andpackage-lock.json
to each URL. It then checks if these files exist and are valid. - Dependency Extraction: If valid package files are found, DepenFusion extracts the dependencies listed within them.
- Validation through NPM API: DepenFusion proceeds to verify the existence of the extracted dependencies by querying the npm API.
In the future, DepenFusion is expected to expand its capabilities by incorporating the following improvements:
- Support for Additional Package Managers: DepenFusion aims to include support for other popular package managers such as pip for Python and gem for Ruby.
- GoLang Implementation: Development is underway to create a GoLang version of DepenFusion, enabling even faster and more efficient scanning.
DepenFusion is a valuable tool for identifying and mitigating dependency confusion vulnerabilities in Node.js projects, enhancing the security posture of developers and organizations worldwide.