Cross-Site Scripting (XSS) vulnerability in dnsAlert function #60
Labels
bug
Something isn't working
Comments
andreyxdd added a commit to andreyxdd/dns that referenced this issue on Aug 3, 2023
Dimitreee pushed a commit that referenced this issue on Aug 4, 2023
* Updated my-domains table to display the sale price of the domain (when it was bought from auction) instead of the current sale price
  Modified the loading state of the my-domains view
  Implemented refetch when 429 error is thrown
  Some other minor updates (constants, locales, etc)
* Updated brand logo and colour scheme
* Implemented separate fetching for domain sale prices in the 'my domains' list
* Addressed the security threat (XSS) of the dnsAlert method - see issues #60
* Fixed bug in the flip timer countdown
* Updates after review
Dimitreee pushed a commit that referenced this issue on Aug 14, 2023
* Updated my-domains table to display the sale price of the domain (when it was bought from auction) instead of the current sale price
  Modified the loading state of the my-domains view
  Implemented refetch when 429 error is thrown
  Some other minor updates (constants, locales, etc)
* Updated brand logo and colour scheme
* Implemented separate fetching for domain sale prices in the 'my domains' list
* Addressed the security threat (XSS) of the dnsAlert method - see issues #60
* Fixed bug in the flip timer countdown
* Updates after review
* Updated main title: from 'Buy .ton domains' to 'Get .ton domains' (only english locale)
* Updated scripts and styles cache (in advance)
* Removed 'Sale Price' in usd from 'My Domains' table. Minor updates to css styles to make sure the interface is responsive
Dimitreee pushed a commit that referenced this issue on Aug 16, 2023
* Updated my-domains table to display the sale price of the domain (when it was bought from auction) instead of the current sale price
  Modified the loading state of the my-domains view
  Implemented refetch when 429 error is thrown
  Some other minor updates (constants, locales, etc)
* Updated brand logo and colour scheme
* Implemented separate fetching for domain sale prices in the 'my domains' list
* Addressed the security threat (XSS) of the dnsAlert method - see issues #60
* Fixed bug in the flip timer countdown
* Updates after review
* Updated main title: from 'Buy .ton domains' to 'Get .ton domains' (only english locale)
* Updated scripts and styles cache (in advance)
* Removed 'Sale Price' in usd from 'My Domains' table. Minor updates to css styles to make sure the interface is responsive
* Removed 'Sale Price' in usd from 'My Domains' table. Minor updates to css styles to make sure the interface is responsive
* Fixed the address format when sending transaction
* Fixing bugs
  Fixed custom bid amount bug (via input during the auction)
  Fixed issue with the domain renewal button (in testnet)
* Updated the auction description in the 'about' page
* Updated hash (static files)
* Corrected 'About' page
Bug Type
Security
Reproduction steps
Create a new HTML file and include the vulnerable JavaScript code.
Open the HTML file in a web browser.
In the web browser's address bar, enter the following payload as the "message" parameter of the "dnsAlert" function:
<script>alert('You have been hacked!');</script>
Press the Enter key to execute the payload.
The crafted alert message will be displayed, and the attacker's code will be executed.
Actual result
The "message" parameter of the dnsAlert function is not sanitized, allowing an attacker to inject malicious JavaScript code.
Expected result
The "message" parameter of the dnsAlert function should sanitize any user input to prevent the injection of malicious JavaScript code.
Suggested Severity
Vulnerability
Device
Desktop (please complete the following information):
Additional Context
POC:
Create a new HTML file and include the vulnerable JavaScript code.
Open the HTML file in a web browser.
In the web browser's address bar, enter the following payload as the "message" parameter of the "dnsAlert" function:
<script>alert('You have been hacked!');</script>
Press the Enter key to execute the payload.
The crafted alert message will be displayed, and the attacker's code will be executed.
dnsAlert('<img src=x onerror=alert(document.cookie)>', 'Ok', () => {});
- The vulnerability is caused by the use of the innerHTML property to set the content of the alert message. This allows an attacker to inject arbitrary HTML and JavaScript code into the message, which is then executed by the victim's browser when the alert is displayed.
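
The innerHTML pattern the report describes, next to two hardened forms, as an added example that is not part of the original issue or the project's code. The source of dnsAlert is not shown on this page, so the names `alertMarkupUnsafe`, `alertMarkupSafe`, `showAlertSafe` and the `alert-text` class are hypothetical; the test input is the payload quoted in the report.

```javascript
// Added example: hypothetical stand-ins for dnsAlert's rendering step.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can start markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern from the issue: the message is concatenated into a string
// that is later assigned to innerHTML, so tags in it become live DOM nodes.
function alertMarkupUnsafe(message, buttonText) {
  return `<div class="alert-text">${message}</div><button>${buttonText}</button>`;
}

// Hardened string form: same template, but every dynamic value is encoded first.
function alertMarkupSafe(message, buttonText) {
  return `<div class="alert-text">${escapeHtml(message)}</div>` +
         `<button>${escapeHtml(buttonText)}</button>`;
}

// Preferred browser form: no HTML parsing at all. textContent stores the
// message as a text node, so markup in it is displayed, never interpreted.
function showAlertSafe(container, message, buttonText, onClose) {
  const text = document.createElement('div');
  text.className = 'alert-text';
  text.textContent = String(message);
  const button = document.createElement('button');
  button.textContent = String(buttonText);
  button.addEventListener('click', onClose);
  container.replaceChildren(text, button);
}

// The payload quoted in the issue, used here as test input.
const payload = '<img src=x onerror=alert(document.cookie)>';
console.log(alertMarkupUnsafe(payload, 'Ok')); // the <img> tag survives intact
console.log(alertMarkupSafe(payload, 'Ok'));   // the tag is encoded to inert text
```

`showAlertSafe` needs a browser DOM; the two string builders run anywhere and make the difference visible in the output.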