contractshark/rektosaurus
Rektosaurus

A test suite to check for client-side script injection on websites that display NFTs.

Overview

NFTs carry a variety of metadata and content that gets processed and rendered by many different sites. Some subspecies of NFTs (e.g. generative art) explicitly require arbitrary scripts to be executed. Allowing user-supplied code while preventing malicious actions is challenging. Rektosaurus implements a number of attack payloads to help test websites for client-side injection.
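As an added example (not code from the Rektosaurus repository), here is the defensive side of the problem the suite tests for: a renderer for tokenURI-style metadata that escapes text fields, allow-lists media URL schemes, and confines an interactive animation_url to a sandboxed iframe. The metadata object and CID are constructed for illustration.

```javascript
// Added example, not part of Rektosaurus: a hardened renderer for NFT metadata.
// Every untrusted field goes through escapeHtml() or safeUrl(), and the
// animation (arbitrary script by design for generative art) only ever runs
// inside an iframe with no same-origin, top-navigation or form privileges.

const ALLOWED_SCHEMES = new Set(["https:", "ipfs:"]);

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only absolute URLs with an allow-listed scheme. javascript:, data:,
// blob: and scheme-relative values all come back as null, which neutralises
// the usual href/src based injection payloads.
function safeUrl(value) {
  if (typeof value !== "string") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Build card markup. Fields that fail validation are simply omitted rather
// than rendered with a "best effort" fallback.
function renderNftCard(meta) {
  const name = escapeHtml(meta.name ?? "");
  const description = escapeHtml(meta.description ?? "");
  const image = safeUrl(meta.image);
  const animation = safeUrl(meta.animation_url);
  const parts = [`<h2>${name}</h2>`, `<p>${description}</p>`];
  if (image) parts.push(`<img src="${escapeHtml(image)}" alt="${name}">`);
  if (animation) {
    // allow-scripts without allow-same-origin: the token's code runs, but in
    // an opaque origin with no access to the marketplace's cookies or DOM.
    parts.push(`<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" ` +
               `src="${escapeHtml(animation)}"></iframe>`);
  }
  return parts.join("\n");
}

// Constructed sample metadata in the spirit of a Rektosaurus test token.
const SAMPLE_META = {
  name: "<img src=x onerror=alert(1)>",
  description: 'Token "1" & friends',
  image: "javascript:alert(document.domain)",
  animation_url: "ipfs://example-cid/index.html",
};

console.log(renderNftCard(SAMPLE_META));
```

In a real marketplace the ipfs: value would be rewritten to an https: gateway URL before it reaches the iframe; that rewrite is deliberately left out here so the scheme check stays visible.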

Deployment

To deploy your own instance of Rektosaurus, clone the repository and create a .env file containing your API and wallet keys:

ALCHEMY_MAINNET_API_URL = "xyz"
ETHERSCAN_API_KEY = "xyz"
PRIVATE_KEY_ETHEREUM = "xyz"

Update the config and deploy script to your liking and run:

$ npx hardhat run scripts/deploy.js

Note that you'll have to mint or batchmint the NFTs for them to show up on marketplaces.

Replace INSERT_YOUR_CALLBACK in the payloads directory with your preferred callback URL, such as an interact.sh or Burp Collaborator endpoint.

Live deployment

An instance of the smart contract is live on Mumbai.

Payloads are hosted on rex.rektosaurus.io.

Contributing

Please submit your payload ideas via pull request and I'll add them to the webserver.
