thenewboston-blockchain / thenewboston-python

Python library for thenewboston digital currency.
https://thenewboston.com
MIT License

Validate Recipient Account Numbers for Transactions #44

Closed sno2 closed 3 years ago

sno2 commented 3 years ago

Bug Description Sending transactions to recipient account numbers that are not actually valid hexadecimal numbers is accepted by the network. This means that all clients that are using our APIs must make sure that they are not vulnerable to XSS attacks (particularly our desktop client).

Steps to Reproduce Steps to reproduce the behavior:

  1. Go to the client app.
  2. Click on Send points button
  3. Enter in ~!@#$%^&*()_+\b1234567890-=[]\;',./{}|:"<>~!@#$%^&*()_+a12345678 as the To (recipient) field.
  4. Enter in some points. After sending, you will see that the transaction was successfully fulfilled.
  5. Go to your transactions tab and see the accepted transactions.

Expected behavior The attempt to add the transactions to the blockchain should be declined due to the account numbers not being valid hexadecimal.

Actual behavior The transactions were pushed to the blockchain.

Screenshots/Recordings

Transactions showing incorrect hexadecimal account numbers in transaction log

How hackers can use this If I were a hacker, I would simply send a transaction to a fake account number like "><script>$('body').append('<script src="xss"> );</script>______ (or with any of the other XSS options) with the external script automatically sending transactions under the user's account.

OS and Browser

Account Number d84543947090d300910f8d1b9604c0c0a56fafca6cfbe52511c1e31757188bca

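A strict recipient check of the kind this issue asks for, written here as an added example rather than code from thenewboston-python; it assumes an account number is exactly 64 lowercase hex characters (a 32-byte key, matching the sample account number above) and rejects the malformed recipient string from the reproduction steps before it can reach the blockchain or a client's transaction log.

```python
import re
from typing import Any, Dict, List

# Assumption (not taken from the project's code): an account number is the hex
# encoding of a 32-byte public key, i.e. exactly 64 lowercase hex characters.
ACCOUNT_NUMBER_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_account_number(value: Any) -> bool:
    """Whitelist check: must be a str, 64 chars, hex only, decoding to 32 bytes."""
    if not isinstance(value, str):
        return False
    if not ACCOUNT_NUMBER_RE.fullmatch(value):
        return False
    try:
        return len(bytes.fromhex(value)) == 32
    except ValueError:
        return False


def validate_transactions(txs: List[Dict[str, Any]]) -> List[str]:
    """Return one error string per defect; an empty list means the batch is acceptable.

    Every transaction is checked so the caller can report all problems at once
    rather than rejecting the batch on the first bad entry.
    """
    errors: List[str] = []
    for i, tx in enumerate(txs):
        if not is_valid_account_number(tx.get("recipient")):
            errors.append(f"transaction {i}: recipient is not a 64-character hex account number")
        amount = tx.get("amount")
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            errors.append(f"transaction {i}: amount must be a positive integer")
    return errors


# Constructed samples: the account number quoted in this issue, and the
# non-hex recipient string from the reproduction steps.
GOOD_RECIPIENT = "d84543947090d300910f8d1b9604c0c0a56fafca6cfbe52511c1e31757188bca"
BAD_RECIPIENT = "~!@#$%^&*()_+\\b1234567890-=[]\\;',./{}|:\"<>~!@#$%^&*()_+a12345678"

if __name__ == "__main__":
    batch = [
        {"recipient": GOOD_RECIPIENT, "amount": 5},
        {"recipient": BAD_RECIPIENT, "amount": 5},
    ]
    for err in validate_transactions(batch):
        print("rejected:", err)
```

Server-side validation stops malformed recipients from being stored; clients should still HTML-escape account numbers when rendering them, since anything already on the chain is attacker-controlled text.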

sno2 commented 3 years ago

Some possible solutions for this are listed on this stackoverflow question.

sno2 commented 3 years ago

Sorry for closing, I accidentally hit the post instead of going to the markdown previewer.