Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Valid

Insufficient Validation of Token Name and Symbol in `list` function

Summary

The `name` and `symbol` values passed to the `list` function are unfiltered, allowing malicious code to be injected. Without character limits, this vulnerability can lead to XSS or HTML injection attacks, enabling attackers to manipulate information shown in the Web3 application.

Vulnerability Details

The `name` and `symbol` values passed to the `list` function are not filtered in any way, so an attacker can create a token whose name or symbol contains JavaScript or HTML. These fields are also not limited in length, so a large payload can be stored. If the web application implements no mitigation for malicious content in these values, it will be vulnerable to XSS or HTML injection wherever the values are displayed.

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L173

Impact

If an attacker creates an asset whose symbol contains a malicious JavaScript payload, they could obtain a stored XSS on any website that renders the NFT name and symbol, since both values are legitimately generated by this dApp. According to correspondence with the sponsor, the created NFT may also be transferred to other applications such as NFT exchanges, which creates an additional XSS risk on those dApps. This could allow the attacker, for example, to run a keylogger script that collects everything a user types, including passwords, or to display a fake MetaMask pop-up asking the user to sign a malicious transaction.

Tools Used

Manual review.

Using the existing test file, I was able to modify this line of code, https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/test/Swan.test.ts#L64, in the following way, and the test was successful.

```ts
const [NAME, SYMBOL] = ["<script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script>", "<script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script><script>alert('1')</script>"];
```

Recommendations

It is absolutely necessary to sanitize the user's input in the `list` function. The asset symbol should only contain the characters A-Z, a-z and 0-9, with special characters such as `<`, `/` and `>` forbidden. The permitted length should also be significantly limited. The principle of defence in depth should be applied, securing every possible injection point as well as possible.
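As an added example (not Swan's own code), the following Solidity library applies the rule recommended above on-chain: `list` reverts if the name or symbol is empty, exceeds a length cap, or contains any byte outside A-Z, a-z, 0-9. The length caps and the `SwanListingExample` wrapper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not Swan's own code. Enforces the recommended rule on the
/// name/symbol passed to `list`: ASCII letters and digits only, bounded length.
library AssetIdentifierValidator {
    error EmptyIdentifier();
    error IdentifierTooLong(uint256 length, uint256 max);
    error InvalidCharacter(uint256 index, bytes1 value);

    /// Reverts unless `value` is 1..maxLength bytes, each in [A-Za-z0-9].
    /// A byte-wise check is enough: '<' (0x3C), '>' (0x3E) and '/' (0x2F)
    /// fall outside the ranges, and every byte of a multi-byte UTF-8
    /// character is >= 0x80, so non-ASCII input is rejected as well.
    function requireAlphanumeric(string memory value, uint256 maxLength) internal pure {
        bytes memory b = bytes(value);
        if (b.length == 0) revert EmptyIdentifier();
        if (b.length > maxLength) revert IdentifierTooLong(b.length, maxLength);
        for (uint256 i = 0; i < b.length; i++) {
            uint8 c = uint8(b[i]);
            bool digit = c >= 48 && c <= 57;   // '0'..'9'
            bool upper = c >= 65 && c <= 90;   // 'A'..'Z'
            bool lower = c >= 97 && c <= 122;  // 'a'..'z'
            if (!(digit || upper || lower)) revert InvalidCharacter(i, b[i]);
        }
    }
}

/// Sketch of how `list` would apply the checks before the asset is created.
/// This contract is a stand-in for illustration, not the Swan contract.
contract SwanListingExample {
    // Length caps are assumptions for this example; the report gives no figure.
    uint256 public constant MAX_NAME_LENGTH = 32;
    uint256 public constant MAX_SYMBOL_LENGTH = 8;

    event AssetListed(address indexed owner, string name, string symbol);

    function list(string calldata name, string calldata symbol) external {
        AssetIdentifierValidator.requireAlphanumeric(name, MAX_NAME_LENGTH);
        AssetIdentifierValidator.requireAlphanumeric(symbol, MAX_SYMBOL_LENGTH);
        // ...the existing listing logic (creating the asset) would follow here...
        emit AssetListed(msg.sender, name, symbol);
    }
}
```

The on-chain check is one layer only: front-ends and any third-party dApp that renders these values should still HTML-escape them, since assets created before the fix or by other contracts are not covered.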

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Malicious code injection using the name and symbol in `list` function

Appeal created

golomp3761 (Submitter), 12 months ago
sovaslava (Auditor), 12 months ago
golomp3761 (Submitter), 12 months ago
inallhonesty (Lead Judge), 12 months ago
