Responsible disclosure SteemDB - Security is hard, that's why you have to escape OUTPUT data! - XSS injection

in #utopian-io · 7 years ago


XSS (cross-site scripting) is a type of injection attack: malicious script is injected into a trusted website and executed in the victim's browser without their knowledge. XSS is listed in the OWASP Top Ten, and the rules for avoiding it are well known and simple: encode untrusted data at the point of output, for the context (HTML body, attribute, URL, JavaScript) it is written into. You can find everything on the OWASP website.

I have found an XSS vulnerability on SteemDB.

I wanted to check whether steemit.com is free from XSS vulnerabilities, so I updated the WEBSITE field of my profile with the following URL:
https://www.adex.network/"><script>alert(document.cookie);</script>
Although steemit does not sanitize user input, it didn't run the injected code; the website field was simply missing from the profile page. I then wanted to check how the transaction looks on steemdb, and boom: I saw my cookie on the screen, because steemdb does not escape output in the user panel on the right.
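To make the "escape OUTPUT data" point concrete, here is an added example (not SteemDB's or Steemit's own code) that renders a profile's website field the unsafe way and the escaped way, fed with the exact payload quoted above. The profile object is constructed for the example; the function names are my own. It also covers a caveat the post does not mention: a link's href is a URL context as well as an attribute, so on top of HTML escaping the scheme should be restricted to http(s).

```javascript
// Added example, not code from SteemDB. Shows why the payload from the post
// breaks out of an href attribute when output is not escaped, and what the
// fixed rendering looks like.

// Constructed sample profile, shaped like the json_metadata an account carries.
const profile = {
  name: "whd",
  website: 'https://www.adex.network/"><script>alert(document.cookie);</script>',
};

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// href is also a URL context: "javascript:alert(1)" survives escapeHtml unchanged
// and still runs on click. Allow only http(s) links; anything else becomes a dead link.
function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : "#";
}

// VULNERABLE: the field is concatenated straight into the markup, so the
// leading `">` in the payload closes the attribute and the tag, and the
// <script> that follows is parsed as real markup.
function renderWebsiteUnsafe(p) {
  return '<a href="' + p.website + '">' + p.website + '</a>';
}

// FIXED: every untrusted value is encoded at the point of output.
function renderWebsiteSafe(p) {
  return '<a href="' + safeHref(p.website) + '">' + escapeHtml(p.website) + "</a>";
}

// Regression check for rendered markup: did a script tag we never wrote appear?
// (A regex heuristic, not a parser; sufficient for a unit test on our own templates.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", renderWebsiteUnsafe(profile));
console.log("safe:  ", renderWebsiteSafe(profile));
console.log("script tag in unsafe output:", containsScriptTag(renderWebsiteUnsafe(profile)));
console.log("script tag in safe output:  ", containsScriptTag(renderWebsiteSafe(profile)));
```

The unsafe output contains a literal `<script>` element; the safe output shows the payload as text (`&lt;script&gt;…`) and the browser renders it inert. Note that escaping is done when writing the HTML, not when the value is stored: the blockchain stores whatever the user submitted, and every site that displays it is responsible for its own output encoding.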


It is not good that such a typical vulnerability was present on steemdb, but thanks to @jesta's fast reaction everyone is safe now!

Considering how many Steem users are interested in computer science, it's hard to believe that this vulnerability has not been found and used by someone before. To speed up the social development of the Steem blockchain it is worth improving the safety of its users. When a person like me, and I'm not a security expert, can find such a vulnerability, I'm afraid of what someone who actually knows more about the topic could find. That's why I ask you, users: test our Steem applications and report every malfunction via the great project that is utopian.io.



Posted on Utopian.io - Rewarding Open Source Contributors


Thank you for the contribution. It has been approved.
Great find on the XSS injection. Your efforts are much appreciated in our utopian paradise. Keep up the good work!
You can contact us on Discord.
[utopian-moderator]

Thanks for the heads up on that one!

I've been thinking about XSS on steemdb.com and the implications - and am curious to know what others think. How big of a risk is something like this to users of steemdb?

From what I understand of the vulnerability, it would allow you to access a user's cookies or browser data related to steemdb.com. The thing is - there isn't any on steemdb.com or anything to actually take or access. What type of attack vectors would this type of XSS open up to a user of steemdb, considering steemdb is a site you can't even log into?

One scenario I could imagine is using the XSS to redirect a user to a phishing site? Generally that's done with mirrors of things you actually log into, and I think if anyone was ever suddenly asked to "sign in" on steemdb, they'd probably be confused and stop.

It's an interesting thought experiment and I'm curious more than anything what's possible these days with XSS.

@jesta I'm a penetration tester for my day job and I run into XSS findings all the time. The problem is that they are incredibly misunderstood. An adversary couldn't really exploit this vulnerability against your site. What they would be doing is exploiting the user's trust in your site. So take the above example: as an adversary I could send an XSS link to a user and get them to click on it. Now my JavaScript code runs in their browser and I can totally take over their computer. Check out the BeEF XSS exploitation framework.

As an adversary I haven't done anything to hurt you or your site, but because the user trusted the site they clicked on the link. I wouldn't rate this type of vulnerability as Critical, but I'd rate it Medium.

Maybe run a JS miner?

I haven't personally looked into JS miners, but as long as it's JavaScript then I think it could work.

Haha - so as long as they sit and stare at your profile all day, they're mining for ya? :)

Hey @whd I am @utopian-io. I have just upvoted you!

Achievements

  • You have less than 500 followers. Just gave you a gift to help you succeed!
  • You are generating more rewards than average for this category. Super!;)
  • Seems like you contribute quite often. AMAZING!

Suggestions

  • Contribute more often to get higher and higher rewards. I wish to see you often!
  • Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

  • Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Let's GROW TOGETHER!


Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
