
XSS via SVG Construction contract #131

Open
code423n4 opened this issue Jan 9, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4

Handle

thank_you

Vulnerability details

Impact

SVG is a unique type of image file format that is often susceptible to cross-site scripting. If a malicious user is able to inject malicious JavaScript into an SVG file, then any user who views the SVG on a website will be susceptible to XSS. This can lead to stolen cookies, denial-of-service attacks, and more.

The NFTTokenURIScaffold contract generates an SVG via the NFTSVG.constructSVG function. One of the arguments used by the NFTSVG.constructSVG function is svgTitle, which represents the ERC20 symbols of both the asset and collateral ERC20 tokens. When generating an ERC20 contract, a malicious user can set malicious XSS as the ERC20 symbol.

This set of circumstances leads to XSS when the SVG is loaded on any website.

Proof of Concept

  1. Hacker generates an ERC20 token with a symbol that contains malicious JavaScript.
  2. Hacker generates a TimeSwap Pair with an asset or collateral that matches the malicious ERC20 token created in Step 1.
  3. When NFTTokenURIScaffold#constructTokenURI is called, an SVG is generated. This process works such that when generating the SVG, the tainted ERC20 symbol created in Step 1 is passed to the NFTSVG.constructSVG function here. This function returns an SVG containing the tainted ERC20 symbol.
  4. When the SVG is loaded on any site such as OpenSea, any user viewing that SVG will load the malicious JavaScript from within the SVG, resulting in an XSS attack.

Tools Used

N/A

Recommended Mitigation Steps

Creating an SVG file inside of a Solidity contract is novel and thus requires the entity creating the SVG file to sanitize any potential user input that goes into generating the SVG file.

As of this time there are no known Solidity libraries that sanitize text to prevent an XSS attack. The easiest solution is to remove all user-input data from the SVG file or not generate the SVG at all.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 9, 2022
code423n4 added a commit that referenced this issue Jan 9, 2022
@Mathepreneur Mathepreneur added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 24, 2022
@Mathepreneur

We plan to add Safety String library.
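The mitigation the report asks for (and the "safety string" library the sponsor mentions) amounts to escaping untrusted token symbols before they are concatenated into the SVG. The following library is an added illustration written for this page, not Timeswap's code or its eventual fix; the library and function names are hypothetical. It replaces the five XML metacharacters with entities so a symbol can only ever appear as text inside the `<text>` element, never as new markup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Hypothetical helper (not Timeswap code): escapes the XML
/// metacharacters in an untrusted ERC20 symbol so it can be embedded as
/// text content of an on-chain SVG without introducing new elements,
/// attributes or event handlers.
library SvgTextEscape {
    /// @dev Returns `symbol` with &, <, >, " and ' replaced by XML entities.
    ///      All other bytes are copied unchanged.
    function escape(string memory symbol) internal pure returns (string memory) {
        bytes memory input = bytes(symbol);
        // Worst case every byte expands to 6 bytes ("&quot;"), so size
        // the output buffer for that and shrink it afterwards.
        bytes memory out = new bytes(input.length * 6);
        uint256 len = 0;
        for (uint256 i = 0; i < input.length; i++) {
            bytes1 c = input[i];
            bytes memory rep;
            if (c == "&") rep = "&amp;";
            else if (c == "<") rep = "&lt;";
            else if (c == ">") rep = "&gt;";
            else if (c == '"') rep = "&quot;";
            else if (c == "'") rep = "&#39;";
            else {
                out[len++] = c; // ordinary byte, copy through
                continue;
            }
            for (uint256 j = 0; j < rep.length; j++) out[len++] = rep[j];
        }
        // Truncate the buffer's length field to the bytes actually written.
        assembly { mstore(out, len) }
        return string(out);
    }

    /// @dev Builds the title element the way a constructSVG-style function
    ///      would, but with the symbols escaped first.
    function titleElement(string memory assetSymbol, string memory collateralSymbol)
        internal pure returns (string memory)
    {
        return string(abi.encodePacked(
            '<text x="10" y="20">',
            escape(assetSymbol), " / ", escape(collateralSymbol),
            "</text>"
        ));
    }
}
```

Escaping keeps the symbol inside the text node; a symbol such as `<script>` becomes the harmless literal `&lt;script&gt;`. Capping the symbol length and rejecting non-printable bytes are sensible additional checks, since an unbounded symbol also inflates the size of the token URI.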
