Home

Awesome

DepenFusion: A Powerful Pentesting Tool for Detecting Dependency Confusion Vulnerabilities in Node.js

DepenFusion Logo

What is DepenFusion?

DepenFusion is an advanced, multithreaded penetration testing (pentest) tool designed specifically to identify and analyze dependency confusion vulnerabilities in Node.js (npm) projects.

Key Features:

How to Use DepenFusion?

  1. Installation:

    • Ensure you have both Git and Python 3 installed on your system.

    • Download the DepenFusion tool using the command:

      git clone github.com/benjamin-mauss/depenfusion
      
    • Change to the DepenFusion directory:

      cd depenfusion
      
    • Install the necessary dependencies:

      pip3 install -r requirements.txt
      
  2. Scanning Subdomains/Domains:

    Use the following command to analyze subdomains/domains by providing them in the standard input (stdin):

    cat subdomains.txt | python3 ./main.py
    
  3. Advanced Usage:

    DepenFusion offers several optional command-line arguments for advanced users. To view these options, run:

    python3 ./main.py --help
    

    These options include adjusting the number of concurrent threads, setting a timeout period, appending a custom string to URLs, enabling verbose mode, and more.

How DepenFusion Works:

DepenFusion employs a systematic approach to identify dependency confusion vulnerabilities:

  1. Async Request and File Analysis: The tool sends asynchronous requests to the target URLs, appending package.json and package-lock.json to each URL. It then checks if these files exist and are valid.
  2. Dependency Extraction: If valid package files are found, DepenFusion extracts the dependencies listed within them.
  3. Validation through NPM API: DepenFusion proceeds to verify the existence of the extracted dependencies by querying the npm API.

Future Enhancements:

In the future, DepenFusion is expected to expand its capabilities by incorporating the following improvements:

DepenFusion is a valuable tool for identifying and mitigating dependency confusion vulnerabilities in Node.js projects, enhancing the security posture of developers and organizations worldwide.