Canto Identity Subprotocols contest - ulqiorra's results

Subprotocols for Canto Identity Protocol.

General Information

Platform: Code4rena

Start Date: 17/03/2023

Pot Size: $36,500 USDC

Total HM: 10

Participants: 98

Period: 3 days

Judge: leastwood

Total Solo HM: 5

Id: 223

League: ETH

Researcher Performance

Rank: 76/98

Findings: 1

Award: $19.87

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.8705 USDC - $19.87

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-212

External Links

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-bio-protocol/src/Bio.sol#L109

Vulnerability details

Impact

The Bio.tokenURI() function returns an encoded JSON which is supposed to be parsed by a browser or another tool. The description field contains unsanitized user input and can be fully controlled by a hacker when they create an NFT via Bio.mint(string calldata _bio). The hacker can create an NFT with a bio containing a quote symbol " to escape the context of the description field and modify the JSON so that it collides with other fields and contains malicious data.

This may allow a hacker to rewrite different fields in the JSON or trigger an XSS on a website, which may lead to the theft of user funds.

Proof of Concept

There can be different vectors depending on how the output of Bio.tokenURI() is parsed.

Case #1. One of the vectors is to change the name shown on a website which parses the Bio. If a hacker mints a Bio NFT with id=123 and bio=' ", "name":"Bio #1 ', then tokenURI() will return a base64-encoded JSON with the following data:

{ "name": "Bio #123", "description": "", "name": "Bio #1", "image": "..." }

The JavaScript function JSON.parse() in the Google Chrome web browser returns the value of the last occurrence of a duplicated field when parsing a JSON. In this example, it will return a Bio with the name "Bio #1".

Case #2. Depending on the JSON-parsing order, there is a possibility that a hacker can collide with the image field, thus modifying the SVG element that is provided in this field. Depending on how it is parsed and how it is inserted on a website, a hacker can trigger an XSS. This may be the case if the SVG element is inserted into the webpage via an object or embed element.

For example, consider the following SVG that has a script inside:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>

If it is inserted into a webpage via an embed element, then the script will successfully run:

<embed type="image/svg+xml" src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICBhbGVydCgiWFNTIik7CiAgPC9zY3JpcHQ+Cjwvc3ZnPg==" />

This may allow a hacker to steal user funds by modifying the website's wallet logic.

Other vectors are described in https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do

Case #3. There is also an extreme scenario if the JSON is parsed via JavaScript's eval method. A hacker can then run any script by directly placing code after breaking out of the string context. For example, bio='"+alert(1)+"'.

Tools Used

x

Recommended Mitigation Steps

It is recommended to sanitize user inputs (quotes, slashes, etc.).

#0 - c4-judge

2023-03-28T02:49:30Z

0xleastwood marked the issue as duplicate of #212

#1 - c4-judge

2023-03-30T20:27:00Z

0xleastwood changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-04-11T19:31:23Z

0xleastwood marked the issue as satisfactory
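The key collision from Case #1 and the escaping the mitigation asks for, as an added JavaScript example that is not part of the report or of Bio.sol. It models the string-concatenated tokenURI JSON the finding describes (the exact field layout and the placeholder image are assumptions), decodes it the way a marketplace front end would, and shows that escaping the bio as a JSON string literal keeps the attacker's quote inside the description field. The helper names are hypothetical and the malicious bio is the constructed input from the finding.

```javascript
// Added example: models the string-concatenated tokenURI JSON described in the
// finding (field layout is an assumption, not Bio.sol's exact code) and shows
// the duplicate-key collision plus the JSON string escaping that removes it.

// Vulnerable shape: the bio is concatenated straight into the JSON template.
// Pass an escape function to get the hardened variant.
function buildTokenJson(id, bio, image, escapeFn = (s) => s) {
  return (
    '{"name": "Bio #' + id +
    '", "description": "' + escapeFn(bio) +
    '", "image": "' + image + '"}'
  );
}

// Escape a string for use inside a JSON string literal (RFC 8259 section 7):
// backslash, double quote and the control characters U+0000..U+001F. This is
// the treatment the contract should apply to user input before concatenation.
function escapeJsonString(s) {
  const named = { 8: '\\b', 9: '\\t', 10: '\\n', 12: '\\f', 13: '\\r' };
  let out = '';
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (ch === '"') out += '\\"';
    else if (ch === '\\') out += '\\\\';
    else if (code < 0x20) out += named[code] || '\\u' + code.toString(16).padStart(4, '0');
    else out += ch;
  }
  return out;
}

// Wrap the JSON in the data URI scheme tokenURI() uses.
function tokenUri(id, bio, escapeFn) {
  // Constructed placeholder image; the real contract embeds a base64 SVG here.
  const image = 'data:image/svg+xml;base64,PHN2Zy8+';
  const json = buildTokenJson(id, bio, image, escapeFn);
  return 'data:application/json;base64,' + Buffer.from(json, 'utf8').toString('base64');
}

// Decode the URI the way a marketplace front end would: strip the scheme,
// base64-decode, JSON.parse. JSON.parse keeps the LAST value of a duplicated
// key, which is what the attacker relies on.
function decodeTokenUri(uri) {
  const prefix = 'data:application/json;base64,';
  if (!uri.startsWith(prefix)) throw new Error('unexpected token URI scheme');
  const json = Buffer.from(uri.slice(prefix.length), 'base64').toString('utf8');
  return JSON.parse(json);
}

// Constructed attacker input, taken from Case #1 of the finding.
const MALICIOUS_BIO = ' ", "name":"Bio #1 ';

// Returns the parsed metadata for token 123 with and without escaping.
function demo() {
  return {
    vulnerable: decodeTokenUri(tokenUri(123, MALICIOUS_BIO)),
    hardened: decodeTokenUri(tokenUri(123, MALICIOUS_BIO, escapeJsonString)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node: the vulnerable object comes back with name "Bio #1 " and an empty-looking description, the hardened one with name "Bio #123" and the attacker's bytes preserved verbatim in description. The same escaper also closes the Case #3 eval break-out, since the injected quote can no longer terminate the string literal; U+2028 and U+2029 need no escaping for JSON.parse and are legal in JavaScript string literals since ES2019.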

Findings Information

Awards

19.8705 USDC - $19.87

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-212

External Links

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-bio-protocol/src/Bio.sol#L101

Vulnerability details

Impact

The Bio.tokenURI() function returns an encoded SVG that is supposed to be parsed by a browser or another tool. A hacker can inject a malicious script into the SVG element by minting a Bio NFT with a bio containing a JavaScript <script>...</script> block. Depending on how this SVG element is loaded on a webpage, it may lead to the theft of user funds.

Proof of Concept

For example, consider the following SVG that has a script inside:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>

If it is inserted into a webpage via an embed element, then the script will successfully run:

<embed type="image/svg+xml" src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICBhbGVydCgiWFNTIik7CiAgPC9zY3JpcHQ+Cjwvc3ZnPg==" />

This may allow a hacker to steal user funds by modifying the website's wallet logic.

Other vectors are described in https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do

Tools Used

x

Recommended Mitigation Steps

It is recommended to sanitize user inputs (quotes, slashes, <, >, etc.).

#0 - c4-judge

2023-03-28T02:49:19Z

0xleastwood marked the issue as duplicate of #212

#1 - c4-judge

2023-03-30T20:27:00Z

0xleastwood changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-04-11T19:31:00Z

0xleastwood marked the issue as satisfactory
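The <script> injection described in this finding (and in Case #2 of the previous one), the XML escaping recommended as mitigation, and a review check for token images, as an added JavaScript example that is not part of the report or of Bio.sol. The SVG skeleton that places the bio inside a <text> element is a simplified assumption and does not reproduce the real contract's layout; findActiveContent is an illustrative heuristic for scanning decoded token images, not a substitute for escaping at the producer. All function names are hypothetical and the malicious bio is constructed.

```javascript
// Added example: a simplified model of an SVG that places the bio text in a
// <text> element (the real Bio.sol layout is not reproduced), the <script>
// payload from the finding, XML escaping as the fix, and a heuristic scanner
// for reviewing decoded token images. All names are illustrative.

// Escape the five XML special characters so user text cannot open a tag,
// close the enclosing element or break out of an attribute value.
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the bio is concatenated straight into the SVG markup.
// Pass an escape function to get the hardened variant.
function buildBioSvg(bio, escapeFn = (s) => s) {
  return (
    '<svg xmlns="http://www.w3.org/2000/svg" width="400" height="100">' +
    '<text x="50%" y="40" text-anchor="middle">' + escapeFn(bio) + '</text>' +
    '</svg>'
  );
}

// Wrap the SVG in the data URI form the finding shows inside <embed src="...">.
function toSvgDataUri(svg) {
  return 'data:image/svg+xml;base64,' + Buffer.from(svg, 'utf8').toString('base64');
}

// Decode an SVG data URI back to markup for inspection.
function fromSvgDataUri(uri) {
  const prefix = 'data:image/svg+xml;base64,';
  if (!uri.startsWith(prefix)) throw new Error('unexpected image URI scheme');
  return Buffer.from(uri.slice(prefix.length), 'base64').toString('utf8');
}

// Heuristic scanner for active content in an SVG: script elements, on* event
// handler attributes, javascript: URLs and elements that can pull in other
// documents. Regex-based, so it can miss obfuscated markup; it is a review
// check, not a replacement for escaping at the producer.
function findActiveContent(svg) {
  const hits = [];
  if (/<\s*script\b/i.test(svg)) hits.push('script element');
  if (/\son[a-z]+\s*=/i.test(svg)) hits.push('event handler attribute');
  if (/javascript\s*:/i.test(svg)) hits.push('javascript: URL');
  if (/<\s*(iframe|foreignObject|use)\b/i.test(svg)) hits.push('embedding element');
  return hits;
}

// Constructed attacker bio carrying the script from the finding's SVG.
const MALICIOUS_BIO = 'gm<script type="text/javascript">alert("XSS");</script>';

// Returns scanner results and the markup for the unescaped and escaped image.
function demo() {
  const vulnerableSvg = buildBioSvg(MALICIOUS_BIO);
  const hardenedSvg = buildBioSvg(MALICIOUS_BIO, escapeXml);
  return {
    vulnerable: findActiveContent(fromSvgDataUri(toSvgDataUri(vulnerableSvg))),
    hardened: findActiveContent(hardenedSvg),
    vulnerableSvg,
    hardenedSvg,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node: the unescaped image round-trips through the data URI with a live <script> element, which is exactly what an <embed> or <object> would execute; the escaped image renders the payload as visible text and the scanner reports nothing. Escaping must happen where the markup is produced (the contract), because a front end that uses <img> today may switch to <embed> tomorrow.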
