Dependency confusion attack allows code execution at PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies

A few days ago, a surprisingly simple method was published that allows attacking the dependencies of applications developed with internal package repositories. The researchers who identified the problem were able to run their code on the internal servers of 35 companies, including PayPal, Microsoft, Apple, Netflix, Uber, Tesla and Shopify.

The hacks were carried out as part of Bug Bounty programs, in coordination with the affected companies, and the authors have already received $130,000 in bounties for identifying the vulnerabilities.

The method relies on the fact that many companies use dependencies from the standard NPM, PyPI and RubyGems repositories in their internal applications, alongside internal dependencies that are not published publicly and are downloaded from their own repositories.

The problem is that package managers such as npm, pip and gem also try to download the companies' internal dependencies from the public repositories. For the attack, it is enough to learn the names of the internal dependencies and publish packages with the same names in the public NPM, PyPI and RubyGems repositories.

The issue is not specific to NPM, PyPI and RubyGems; it also appears in other systems such as NuGet, Maven and Yarn.

The idea for the method arose after a researcher accidentally noticed that, in publicly available code posted on GitHub, many companies do not remove references to additional dependencies from the manifest files used in internal projects or when implementing extended functionality. Similar traces were found in the JavaScript code of web services, as well as in the Node.JS, Python and Ruby projects of many companies.

The main leak was the embedding of the contents of the package.json file into publicly accessible JavaScript code during the build process, together with the use of real path elements in require() calls, from which dependency names could be inferred.

Scanning several million corporate domains revealed several thousand JavaScript package names that did not exist in the NPM repository. After collecting a database of internal package names, the researcher decided to run an experiment attacking the infrastructure of companies participating in Bug Bounty programs. The results were surprisingly effective, and the researcher was able to run his code on many developer workstations and on servers responsible for building or testing under continuous integration systems.

When downloading dependencies, the npm, pip and gem package managers preferentially installed packages from the primary public repositories NPM, PyPI and RubyGems, which were treated as having higher priority.

The presence of packages with the same names in the company's private repository was ignored, without any warning being displayed or any failure occurring that might attract the attention of administrators. On PyPI, download priority was determined by the version number (whichever repository it came from, the most recent version of the package was downloaded). On NPM and RubyGems, priority depended only on the repository.
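As an added example (not code from the article or from the researchers), the following Python audit models the two leak vectors described above (a package.json embedded in a build and bare names in require() calls) and flags internal names that would also resolve against the public registry. The manifest, bundle, internal package list, `.npmrc` content and the `acme` names are all constructed for illustration; the one real mechanism it relies on is npm's `@scope:registry=` setting, which pins a scope to a given registry.

```python
import json
import re

# Constructed sample inputs: a leaked manifest, a built bundle, the
# organisation's own package names and its .npmrc. None are from the article.
PACKAGE_JSON = json.dumps({
    "name": "checkout-web",
    "dependencies": {"express": "^4.17.1", "acme-auth-client": "1.2.0",
                     "@acme/telemetry": "2.0.1"},
    "devDependencies": {"acme-build-tools": "0.9.0"},
})
BUILT_JS = 'const f=require("acme-feature-flags");const x=require("lodash");'
INTERNAL_PACKAGES = {"acme-auth-client", "acme-build-tools",
                     "acme-feature-flags", "@acme/telemetry"}
NPMRC = "@acme:registry=https://npm.internal.example/\n"

REQUIRE_RE = re.compile(r'require\(\s*["\']([^"\']+)["\']\s*\)')


def names_from_manifest(text):
    """Dependency names readable from a leaked package.json."""
    data = json.loads(text)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(key, {}))
    return names


def names_from_bundle(js):
    """Bare module names visible in require() calls of a built bundle
    (relative and absolute paths are not registry packages)."""
    return {m for m in REQUIRE_RE.findall(js) if not m.startswith((".", "/"))}


def scoped_registries(npmrc):
    """Scopes that .npmrc pins to a specific registry."""
    return {line.split(":registry=")[0]
            for line in npmrc.splitlines() if ":registry=" in line}


def confusable(names, internal, npmrc):
    """Internal names that would also be looked up on the public registry:
    every unscoped internal name, plus scoped ones whose scope is not pinned."""
    pinned = scoped_registries(npmrc)
    risky = set()
    for name in names & internal:
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope is None or scope not in pinned:
            risky.add(name)
    return sorted(risky)


def audit():
    leaked = names_from_manifest(PACKAGE_JSON) | names_from_bundle(BUILT_JS)
    return confusable(leaked, INTERNAL_PACKAGES, NPMRC)
```

Pinning a scope only removes the public lookup for packages under that scope; unscoped internal names remain exposed until they are moved under a scope or reserved in the public registry.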

The researcher uploaded packages to the NPM, PyPI and RubyGems repositories whose names collided with the internal dependency names he had found, adding code to a script executed before installation (preinstall in NPM) that collected information about the system and sent it to an external host.

To report the success of the hack while bypassing firewalls that block outbound traffic, a covert channel over the DNS protocol was used. The executed code resolved a hostname in a domain under the attacker's control, so that information about successful executions could be collected on that domain's DNS server. The hostname, username and current path were transmitted.

75% of all recorded code executions were associated with downloads of NPM packages, mainly because there were more internal JavaScript module names than Python and Ruby dependency names.

Source: https://medium.com/
