I recently volunteered to test a Hive Dapp (that won't be named at the very least until all the flagged issues are resolved).
Please find below my findings.
Use these to ensure that your own Hive frontend has protections in place for things like these.
Don't know how?
Stay tuned for my guide on how to build Secure Hive Applications!
It should be out around mid-July with links to a test repo.
1- Stored XSS (Cross-Site-Scripting)
Missing sanitization for SVG files.
The following snippet triggered code execution every time the page was visited:
```html
<div>
<svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<script type="text/ecmascript">
alert(1)
</script>
<circle cx="100" cy="100" r="80" fill="green"></circle>
</svg>
</div>
```
To learn more about XSS vulnerabilities see:
https://owasp.org/www-community/attacks/xss
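The fix for finding 1 is to strip (or reject) every script-capable part of an uploaded SVG before the frontend inlines it. The sanitizer below is an added example and not the audited dapp's code; the element block list, the attribute rules and the sample SVG are assumptions modelled on the report's payload, extended with an event-handler attribute and a javascript: link that a script-tag-only filter would miss.

```python
"""Added example (not the audited dapp's code): strip active content from an
uploaded SVG before it is inlined into a page. The element and attribute block
lists are assumptions about what an inlining frontend must reject."""
from __future__ import annotations
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes in the output instead of ElementTree's generated ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign content (assumed block list).
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-bearing attributes whose value must not use a script-capable scheme.
URL_ATTRIBUTES = {"href", "src"}

# Constructed sample modelled on the report's payload, plus an event-handler
# attribute and a javascript: link that a script-only filter would miss.
SAMPLE_SVG = """<svg width="200px" height="200px" version="1.1"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script type="text/ecmascript">alert(1)</script>
  <circle cx="100" cy="100" r="80" fill="green" onclick="alert(2)"></circle>
  <a xlink:href="javascript:alert(3)"><text x="10" y="20">hi</text></a>
</svg>"""


def _local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme, so compact first.
    compact = "".join(ch for ch in value if ord(ch) > 32).lower()
    return compact.startswith(("javascript:", "vbscript:", "data:"))


def _dangerous_attributes(el: ET.Element) -> list[str]:
    """Names of on* event handlers and script-scheme URL attributes on one element."""
    bad = []
    for name, value in el.attrib.items():
        local = _local(name)
        if local.startswith("on") or (local in URL_ATTRIBUTES and _is_script_url(value)):
            bad.append(name)
    return bad


def has_active_content(svg_text: str) -> bool:
    """True if the SVG contains anything the sanitizer would remove."""
    root = ET.fromstring(svg_text)
    return any(_local(el.tag) in FORBIDDEN_ELEMENTS or _dangerous_attributes(el)
               for el in root.iter())


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with forbidden elements and dangerous attributes removed.

    Raises ET.ParseError on malformed XML and ValueError if the root is not <svg>;
    either should make the upload be rejected rather than stored.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # Snapshot first: ElementTree has no parent pointers and we mutate while walking.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_ELEMENTS:
                parent.remove(child)
        for name in _dangerous_attributes(parent):
            del parent.attrib[name]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

Run the sanitizer at upload time and store only its output, so every later render starts from clean markup. For XML that comes from users, parse with defusedxml instead of the bare stdlib parser to cover entity-expansion tricks, and if the frontend can show uploads through an `<img>` element instead of inlining them, that alone stops scripts inside the SVG from running.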
2- Open Redirect
Triggered a redirect:
```html
<meta http-equiv="refresh" content="0;URL=https://google.com">
```
Did not execute:
```html
<meta http-equiv="refresh" content="0;URL=javascript:alert()">
```
To learn more about malicious redirects see:
https://learn.snyk.io/lesson/open-redirect
Exploit:
This can be used to redirect users to a page that looks very similar to yours, which could then prompt them to approve any operation (e.g. a transfer) in Hive Keychain while disguising it as a simple login.
3- Pinata Gateway token leak
This is what gets generated for all image uploads...
![](https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46?pinataGatewayToken=nxHS...eXWH-gXCY....OOPS....XyFE)
Note the ?pinataGatewayToken URL parameter.
Impact:
- Unauthorized Access:
If someone gains access to your Pinata gateway token, they can use it to interact with your IPFS content. This could lead to unauthorized modifications, deletions, or other actions on your data.
It’s crucial to keep your gateway tokens secure and avoid sharing them publicly.
- Performance Issues:
Public IPFS gateways, including Pinata’s public gateway, have rate limits and can be slower due to heavy usage by users worldwide.
When you use a public gateway frequently, you might experience slower loading times for your content.
Pinata recommends using public gateways only for testing purposes, not production apps.
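The token in finding 3 should never reach a browser at all: the backend should fetch from the gateway with the token and hand the frontend a same-origin URL. The helpers below are an added example, not the dapp's code; the `/ipfs-proxy/` route, the gateway host and the token value are assumptions (the URL shape is taken from the report, the token is a made-up placeholder). `strip_gateway_token` cleans a single URL, `to_proxy_url` rewrites it to the proxied form, and `find_token_leaks` scans already-published text for URLs that still carry the parameter, redacting the value so the scan output itself does not leak it.

```python
"""Added example (not the dapp's code): keep the Pinata gateway token out of
URLs handed to browsers, and find URLs that still carry it."""
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "pinataGatewayToken"
PROXY_PREFIX = "/ipfs-proxy/"  # assumed route; the backend adds the token server-side

# Constructed sample in the shape shown in the report (the token value is made up).
LEAKED_URL = ("https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46"
              "?pinataGatewayToken=EXAMPLE_TOKEN_VALUE")

URL_RE = re.compile(r"https?://[^\s)\"'<>]+")


def strip_gateway_token(url: str) -> tuple[str, bool]:
    """Remove the token query parameter; return (clean_url, token_was_present)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k != TOKEN_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept))), len(kept) != len(query)


def to_proxy_url(url: str) -> str:
    """Turn a gateway URL into a same-origin /ipfs-proxy/<cid>[/path] URL with no secret in it."""
    clean, _ = strip_gateway_token(url)
    parts = urlsplit(clean)
    m = re.match(r"^/ipfs/([^/]+)(/.*)?$", parts.path)
    if not m:
        raise ValueError("not a gateway /ipfs/ URL")
    cid, rest = m.group(1), m.group(2) or ""
    return PROXY_PREFIX + cid + rest + (("?" + parts.query) if parts.query else "")


def find_token_leaks(text: str) -> list[str]:
    """Return the URLs in text that carry the gateway token, with the value redacted."""
    leaks = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        if any(k == TOKEN_PARAM for k, _ in query):
            redacted = [(k, "REDACTED" if k == TOKEN_PARAM else v) for k, v in query]
            leaks.append(urlunsplit(parts._replace(query=urlencode(redacted))))
    return leaks


if __name__ == "__main__":
    print(to_proxy_url(LEAKED_URL))
    print(find_token_leaks("![](" + LEAKED_URL + ")"))
```

Once the frontend only ever emits proxied URLs, the token can be rotated at Pinata and kept solely in the backend's configuration; the leak scanner is for finding the copies that were already written into posts and comments on-chain, which cannot be edited away and are one more reason to rotate.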
Less critical ones...
4- Clickjacking
An attacker can simply embed your website full-screen, as is, and display an overlay with invisible fields on top of the real login fields in order to steal users' credentials.
Or they could show an overlay with an amazing offer to subscribe to your services with a huge discount by paying with a credit card or sending funds to the attacker's account.
To learn more about clickjacking:
https://owasp.org/www-community/attacks/Clickjacking
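Clickjacking is stopped at the HTTP layer by telling browsers the page may not be framed by other origins. The middleware and checker below are an added example, not the dapp's code, and assume a WSGI-style Python backend; the header values are the standard ones (`frame-ancestors` in a Content-Security-Policy for current browsers, `X-Frame-Options` for older ones), and the demo app standing in for the login page is constructed.

```python
"""Added example (not the audited dapp's code): add anti-framing response
headers in a WSGI middleware and audit a response's headers for them."""
from __future__ import annotations
from typing import Iterable

# Headers a page should send to refuse being framed by other origins.
# Use 'self' / SAMEORIGIN instead of 'none' / DENY only if you frame your own pages.
ANTI_FRAMING_HEADERS = [
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
]


def framing_findings(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Problems with a response's framing protection; an empty list means it is protected."""
    lowered = {name.lower(): value for name, value in headers}
    findings = []
    csp = lowered.get("content-security-policy", "")
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    fa = next((d for d in directives if d.lower().startswith("frame-ancestors")), None)
    if fa is None:
        findings.append("no frame-ancestors directive in Content-Security-Policy")
    else:
        sources = {s.lower() for s in fa.split()[1:]}
        if sources & {"*", "http:", "https:"}:
            findings.append("frame-ancestors allows any origin")
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


class AntiFramingMiddleware:
    """Wrap a WSGI app so every response carries the anti-framing headers.

    Headers the app already set are left untouched, so a page that deliberately
    allows same-origin framing keeps its own policy.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in ANTI_FRAMING_HEADERS if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    # Constructed stand-in for the dapp's login page, which sends no framing headers.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>login</form>"]


def captured_headers(app, path: str = "/login") -> list[tuple[str, str]]:
    """Run one request through a WSGI app in-process and return the headers it set."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    print("bare app:", framing_findings(captured_headers(demo_app)))
    print("wrapped:", framing_findings(captured_headers(AntiFramingMiddleware(demo_app))))
```

`framing_findings` doubles as a check you can point at the headers of a deployed frontend: an empty list is the state you want on every page that carries a login form or a Keychain prompt, not only on the home page.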
5- Reverse Tabnabbing:
```html
<a href="https://peakd.com" target="_blank">test</a>
```
None of the external links have rel="noopener noreferrer" to protect from it.
To learn more about reverse tabnabbing:
https://owasp.org/www-community/attacks/Reverse_Tabnabbing
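Findings 2 and 5 are both fixed by post-processing the HTML a frontend renders from user content: drop `<meta>` elements (so a `http-equiv="refresh"` can never navigate the page) and add `rel="noopener noreferrer"` to every `target="_blank"` link. The pass below is an added example rather than the dapp's code; it uses the stdlib `html.parser`, the dropped-element list is an assumption, and the sample fragment is constructed from the two snippets in this report. It is a last-line hardening pass to run after an allow-list sanitizer, not a replacement for one.

```python
"""Added example (not the audited dapp's code): post-process user-rendered HTML
to drop <meta>/<base> elements and to harden links that open a new tab."""
from __future__ import annotations
from html import escape
from html.parser import HTMLParser

# Constructed sample built from the two findings in the report.
SAMPLE_HTML = ('<p>hi</p><meta http-equiv="refresh" content="0;URL=https://google.com">'
               '<a href="https://peakd.com" target="_blank">test</a>'
               '<a href="/local">keep</a>')

VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}
# Elements user content must never contribute to our page (assumed list):
# <meta> covers the refresh redirect, <base> would re-point every relative link.
DROPPED_ELEMENTS = {"meta", "base"}
REQUIRED_REL = {"noopener", "noreferrer"}


class LinkHardener(HTMLParser):
    """Re-serialises HTML, dropping forbidden elements and hardening _blank links."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = 0   # forbidden elements removed
        self.hardened = 0  # links that gained noopener/noreferrer

    def _emit_start(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self.dropped += 1
            return
        attrs = dict(attrs)
        if tag == "a" and (attrs.get("target") or "").lower() == "_blank":
            rel = set((attrs.get("rel") or "").split())
            if not REQUIRED_REL <= rel:
                attrs["rel"] = " ".join(sorted(rel | REQUIRED_REL))
                self.hardened += 1
        parts = [tag] + [f'{k}="{escape(v or "", quote=True)}"' for k, v in attrs.items()]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in DROPPED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a reader needs; drop them


def harden_html(fragment: str) -> tuple[str, int, int]:
    """Return (hardened_html, elements_dropped, links_hardened)."""
    parser = LinkHardener()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped, parser.hardened


if __name__ == "__main__":
    print(harden_html(SAMPLE_HTML))
```

The two counters make the pass observable: logging non-zero `dropped` counts per post is a cheap detection signal for someone probing the frontend with meta-refresh payloads, and a `hardened` count that stays above zero after deployment tells you the frontend's own link renderer still emits unprotected `_blank` links somewhere.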
That's all folks.
Stay tuned for my guide on Securing your Hive Apps!
- XSS vulnerabilities in #########.com
- XSS vulnerabilities in hive-db.com
- XSS vulnerabilities in scribe.hivekings.com
- XSS vulnerabilities in hiveblockexplorer.com
- Malicious ads redirecting all Steemit iOS users to a phishing site
- Reverse tabnabbing and clickjacking in steem.chat and the steemit registration page
Other contributions:
- Universal script to prevent phishing in all Hive frontends
- Commands for community reports and ban/mute lists
Future development: plan
Last report: https://peakd.com/@keys-defender/monthly-report-june-july-august-2021-hive-13323
Keys-Defender features:
- Phishing protection [live scan of comments and posts to warn users against known phishing campaigns and compromised domains or accounts, scan of memos and auto-replies, anti phishing countermeasures - eg. fake credentials]
- Re-posting detection [mitigates the issue of re-posters]
- Code injection detection [live scan of blocks for malicious code targeting dapps of the Hive ecosystem]
- Anti abuse efforts [counteracts spam from hive haters and milking campaigns]
Working on a new front end for PIMP as we speak, might have to ask you to test it out :P