Stored XSS vulnerability in one of the Hive frontends

in HiveDevs · 2 months ago (edited)
Not sure which pic to choose for this article. This..

OR this one.. 🙂

Pics taken from "Humorous programming books by @ThePracticalDev"




I was just browsing around Hive and decided to navigate to the Dapps section to see if anything cool came out.

I attended HiveFest on Friday (my pics here!) and heard about a frontend that got me intrigued. I decided to check it out and noticed that the styling was off in some places.

That got me thinking that if the devs rushed things out from a design perspective, they probably also didn't give too much thought to security.

I tried a few tricks up my sleeve and managed to store some (harmless) code on the Hive blockchain that now gets executed for every user who views certain content through that frontend.
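As an added example (not code from this post or from the frontend it describes), the rendering pattern behind a stored XSS like this one next to the escaping renderer that closes it; the post body is a constructed sample, and the function names are assumptions:

```javascript
// Added example, not code from the frontend this post describes.
// A Hive post body is a user-controlled string stored on-chain, so every
// frontend rendering it must treat it as untrusted input. Below, the
// rendering pattern behind a stored XSS sits next to an escaping renderer.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the body reaches the DOM exactly as stored, which is
// what `element.innerHTML = body` (or React's dangerouslySetInnerHTML) does.
function renderUnsafe(body) {
  return body;
}

// Hardened pattern: escape everything first, then rebuild only a tiny known
// grammar (*emphasis* and [text](https://...) links). Since escaping runs
// before any markup is produced, the body can never open a tag or break out
// of the href attribute.
function renderSafe(body) {
  let html = escapeHtml(body);
  html = html.replace(/\*([^*\n]+)\*/g, '<em>$1</em>');
  html = html.replace(/\[([^\]\n]+)\]\(([^)\s]+)\)/g, (_match, text, url) => {
    // Scheme allowlist: a non-http(s) target (e.g. javascript:) is rendered
    // as plain text rather than as a link.
    if (!/^https?:\/\//i.test(url)) return text;
    return `<a href="${url}" rel="noopener noreferrer">${text}</a>`;
  });
  return html;
}

// Defender-side triage for content that is already on-chain and cannot be
// deleted: flags bodies that a renderer must never emit verbatim. It is a
// heuristic that complements escaping on output, not a substitute for it.
function containsActiveContent(body) {
  return /<\s*script|<[^>]*\bon\w+\s*=|javascript\s*:/i.test(body);
}

// Constructed sample body (not taken from the post or from the chain).
const constructedBody = 'Hi *all*, [docs](https://hive.blog) <script>alert(1)</script>';

console.log('unsafe:', renderUnsafe(constructedBody));
console.log('safe:  ', renderSafe(constructedBody));
console.log('flag:  ', containsActiveContent(constructedBody));
```

The same escape-then-build order applies whatever markup grammar a frontend supports; what must never happen is the stored body being handed to the DOM before escaping.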





A couple of months back I did a tech talk in my company about some security vulnerabilities I found in 3 different internal systems that my employer uses to manage employees' resumes, store performance reviews, and train their employees.

Here is one of the slides I used with a summary of how dangerous an XSS vulnerability can be:





The vulnerability has now been reported to the site maintainer. More details will follow once it's fixed.

I'll express my opinion on the effectiveness of the fix and the team's response time.




Some more funny pics because these (fake) books are too funny.. 🙂


UPDATES:

28/12/2020: it looks like @louis88 reported another XSS in the same website weeks ago.

The maintainer at the moment does not have time to fix the issue:

"Just overwhelmed for almost 9 months with COVID stuff so that I have no time for anything else..."

Community members may be able to work on it since the repository is open source. Stay tuned for updates.


By @gaottantacinque / @keys-defender 🔑


Security is hard. That's why I'm happy not being a web developer. I work on systems that are often off-line or out of sight.

Translation: I'm a lazy fuck and I check nothing.

What a strange thing for an obese alcoholic to say.

LOL check your facts, I'm not the obese person

That is correct Mr. Duran.

:-D

hehe, nice find! Great that you take the 'responsible disclosure' approach. It's not the first time, I remember a block explorer that was susceptible as well... not sure if this ever got fixed...
