Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/NextGenCore.sol#L343-L357
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/NextGenCore.sol#L131-L138
Vulnerability details
Impact
Once an NFT is minted, anyone can call NextGenCore::tokenURI to retrieve JSON data with the token details and the generated SVG image. The issue is that NextGenCore::tokenURI is vulnerable to JSON injection: it is possible to inject characters through the collection fields that completely alter the integrity of the JSON data. This can lead to incorrect data display as well as security issues. Some examples of the attacks that could be carried out:
An attacker might create a GenCore NFT collection that mimics the name of a different GenCore NFT collection.
An attacker might replace the generated SVG image with a completely different one.
An attacker might point the image to an external URL.
An attacker might trigger cross-site scripting attacks if the data from the JSON is not properly handled.
Proof of Concept
A scenario where the collection name is submitted as the following:
Cool Token" }, { "extra": "injected data
Intended JSON structure:
JSON structure with the problematic input:
In this altered JSON, the input has broken out of the name field and added an entirely new object ({ "extra": "injected data") to the JSON.
Tools Used
Manual review
Recommended Mitigation Steps
It is recommended to properly encode (escape) collection data before it is embedded, so that it cannot alter the returned JSON.
Assessed type
Other