Leek NFT challenge#0223 — Intigriti

Challenge Overview

This challenge demonstrates a potential Cross-Site Scripting (XSS) vulnerability by allowing image uploads with unvalidated metadata, which an attacker can manipulate to inject malicious code.

Objective

The primary goal of this challenge is to inject a script that triggers an alert box within the application, verifying the presence of an XSS vulnerability.

1. Reconnaissance and Analysis

Application Behavior

The application allows users to create an NFT called "Leek NFT" by uploading an image, which serves as the NFT background. Upon successful image upload, a confirmation message is displayed along with a unique identifier, likely a UUID, which references the uploaded file.

  • Upload Confirmation: After uploading an image, users receive the message "file uploaded successfully to [UUID]".

  • Redirect: Clicking "Save" redirects the user to the main NFT display page, although no visible changes appear on the page.

Analyzing the Upload Function

Examining the page source (view-source:https://challenge-0223.intigriti.io/view?viewId=[UUID]) reveals that the application reads specific metadata fields, including UserComment, DateTimeOriginal, and OwnerName, from the image's Exif data. These values are then inserted directly into a JSON string that is assigned to the variable imjobj.

2. Vulnerability Analysis

Identified Security Weakness

The vulnerability lies in the application's handling of user-submitted image metadata, which is concatenated into the JSON string without proper sanitization or escaping. This exposes the application to XSS, since an attacker can inject arbitrary data into imjobj, particularly through the UserComment metadata field.

  • Root Cause: The image metadata is embedded as JSON strings without adequate input validation or sanitization.

  • Impact: An attacker can manipulate this JSON data to insert scripts or other malicious payloads, overriding hardcoded values by adding duplicate keys.

3. Exploitation Steps

Crafting the Malicious Payload

In JavaScript, JSON.parse() processes duplicate keys by selecting the last occurrence of each key. This allows an attacker to add a new instance of the imgName key with a malicious value.

Example Payload Format:

{
  "imgName":"NFT.jpg",
  "imgColorType":"02/14/2023, 20:09:16",
  "imgComment":"0xPrashanth",
  "imgName":"<img src=x onerror=alert(document.domain)>"
}

Here, the second imgName key contains an embedded XSS payload that triggers an alert displaying the document domain.

Using exiftool to Inject Payload

To craft this payload, you can use exiftool to insert the malicious script into the UserComment field of the image metadata.

FYI:

Consider the below case:

{
  "key1":"Naruto",
  "key1":"Gojo"
}

The final value of key1 would be Gojo because, as mentioned above, JSON.parse() always takes the value of the last occurrence when multiple keys share the same name.

With this information, we can craft a payload that injects a second imgName key into the imjobj JSON string.

To achieve the above format, inject the payload into the UserComment Exif tag (the source of the imgComment field) using ExifTool:

exiftool -UserComment='pr0shx", "imgName": "<img src=x onerror=alert(document.domain)>' image.png

4. Execution and Verification

After uploading the payload-injected image and saving it, the alert box should appear within the application's domain, demonstrating that XSS is successfully executed through metadata injection.

5. Remediation Strategies

To prevent this type of attack, developers should:

  • Sanitize User Inputs: Properly sanitize all user-provided metadata fields, including Exif data, to filter out potentially dangerous code.

  • Use Secure Data Handling: Instead of building JSON by string concatenation, construct the objects directly within the application logic so that user-supplied values cannot break out of their fields.

  • Restrict Metadata Parsing: Limit the types and sources of metadata the application processes to reduce the attack surface.
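The "Use Secure Data Handling" point above, together with the JSON.parse() duplicate-key behaviour described in section 3, as an added JavaScript example that is not the challenge's own code: the Exif tag names and imjobj key names follow the writeup, while the function names, the sample metadata object and the "INJECTED" marker are assumptions made for this illustration.

```javascript
// Added example (not the challenge's own code): vulnerable concatenation
// beside a safe construction. Tag and key names follow the writeup; the
// function names, sample metadata and "INJECTED" marker are assumptions.

// Vulnerable: values are spliced into a JSON string by hand, so a quote and
// comma inside a tag end the value and start a new key.
function buildImjobjUnsafe(meta) {
  return '{"imgName":"' + meta.OwnerName + '",' +
         '"imgColorType":"' + meta.DateTimeOriginal + '",' +
         '"imgComment":"' + meta.UserComment + '"}';
}

// Safe: build the object in code and let JSON.stringify escape each value.
function buildImjobjSafe(meta) {
  return JSON.stringify({
    imgName: meta.OwnerName,
    imgColorType: meta.DateTimeOriginal,
    imgComment: meta.UserComment,
  });
}

// Heuristic: flag JSON text that names a key twice (JSON.parse keeps only the
// last). It scans for "key": tokens, so nested keys count too.
function hasDuplicateKey(jsonText) {
  const seen = new Set();
  for (const m of jsonText.matchAll(/"((?:[^"\\]|\\.)*)"\s*:/g)) {
    if (seen.has(m[1])) return true;
    seen.add(m[1]);
  }
  return false;
}

// Constructed sample metadata: the writeup's injection shape, harmless marker.
const sampleMeta = {
  OwnerName: "NFT.jpg",
  DateTimeOriginal: "02/14/2023, 20:09:16",
  UserComment: 'pr0shx", "imgName": "INJECTED',
};

function compare(meta) {
  const unsafeText = buildImjobjUnsafe(meta);
  const safeText = buildImjobjSafe(meta);
  return {
    unsafeImgName: JSON.parse(unsafeText).imgName, // "INJECTED"
    safeImgName: JSON.parse(safeText).imgName,     // "NFT.jpg"
    safeComment: JSON.parse(safeText).imgComment,  // whole tag, verbatim
    unsafeFlagged: hasDuplicateKey(unsafeText),    // true
    safeFlagged: hasDuplicateKey(safeText),        // false
  };
}
```

Running compare(sampleMeta) shows the concatenated string yielding the injected imgName while the serialized one keeps the whole tag inside imgComment; hasDuplicateKey can be run on uploaded metadata as a pre-processing check.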

Prepared by Prashanth in collaboration with Pawel.

Connect with us @ Prashanth, Pawel

Written by

Prashanth Bodepu