Report #29975

Report Date
April 10, 2024
Status
Closed
Payout

Reflected XSS Vulnerability on Etherscan Address Page (CVE-2024-12345)

Report Info

Report ID

#29975

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

VRT: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS (Common Vulnerability Scoring System):

  • CVSS Score: 6.1 (Medium)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description: A reflected Cross-Site Scripting (XSS) vulnerability was discovered on the Etherscan address page at https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5. The vulnerability allows an attacker to inject and execute arbitrary JavaScript code within the context of the victim's web browser when they visit the compromised page and interact with the vulnerable parameter.

Impact: An attacker could exploit this vulnerability by tricking a user into clicking a malicious link or visiting a specially crafted webpage containing the payload. This could lead to the theft of sensitive data such as cookies, session tokens, or other credentials, which could be used for further attacks. Additionally, the attacker could modify the appearance of the webpage, redirect users to malicious sites, or perform other malicious actions within the context of the user's session.

PoC (Proof of Concept):

  1. Navigate to the Etherscan address page: https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5.
  2. Inject the following payload into the vulnerable parameter: <script>alert('XSS Vulnerability')</script>.
  3. Submit the payload and observe that the JavaScript code is executed, displaying an alert box with the message "XSS Vulnerability".

Recommended Fix: To mitigate this vulnerability, Etherscan should implement proper input validation and output encoding to sanitize user-supplied input before rendering it in the browser. Additionally, implementing Content Security Policy (CSP) headers can help prevent XSS attacks by restricting the sources from which scripts can be executed. Regular security audits and code reviews should also be conducted to identify and address any potential vulnerabilities in the application code.
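As an added illustration of the output-encoding and CSP mitigations recommended above (example code written for this page, not Etherscan's or Immunefi's), the following Node.js snippet renders a reflected query term into an address page. The page layout, the search-term parameter and the function names are assumptions; the payload checked against it is the one quoted in this report.

```javascript
// Added example: context-aware output encoding for a reflected parameter,
// plus a Content-Security-Policy header. Not Etherscan's code; the page
// layout and the "searchTerm" parameter are assumptions for illustration.

// Encode the five characters that can break out of HTML text or attribute
// context. Applied at output time, regardless of what input validation did.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the page for an address lookup, reflecting the user-supplied search
// term only through escapeHtml(). Returns the body and the headers that
// should accompany it.
function renderAddressPage(address, searchTerm) {
  const body =
    '<!doctype html><html><body>' +
    '<h1>Address ' + escapeHtml(address) + '</h1>' +
    '<p>Results for: <span id="q">' + escapeHtml(searchTerm) + '</span></p>' +
    '</body></html>';
  // CSP: no inline scripts, scripts only from the page's own origin. Even if
  // encoding were missed somewhere, a browser enforcing this policy would
  // refuse to run an injected inline <script> block.
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  };
  return { body, headers };
}

// Vulnerable counterpart, for contrast: reflects the term without encoding.
// This is the pattern the report describes, shown only to compare output.
function renderAddressPageUnsafe(address, searchTerm) {
  return '<p>Results for: ' + searchTerm + '</p>';
}

// Check used by the tests: does the rendered body carry a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Calling renderAddressPage with the report's payload as searchTerm yields a body in which the payload appears only as encoded text, while renderAddressPageUnsafe emits it verbatim.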

Proof of concept

Immunefi Response

Thank you for your submission to the Beanstalk bug bounty program. Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed asset being out of scope.

Immunefi review:

  • assessed impact by the triage team is not in scope for the bug bounty program
  • assessed asset https://etherscan.io by the triage team is not in scope for the bug bounty program
  • PoC has not been submitted to the project
  • Technical Review:
    • The Etherscan domain is not in scope of Beanstalk's Bug Bounty Program. Please refer to Websites and Applications assets listed in the asset table to identify sites which are in scope.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.