
UXSS

Open seabornlee opened this issue 2 years ago • 0 comments

TL;DR: The RPC URL should be sanitized before it is saved to the DB. Ensure the URL contains no JavaScript.

Introduction

Since universal XSS (UXSS) is a much more impactful, but lesser-known, vulnerability than ordinary XSS, let's start with a short introduction.

According to https://research.google/pubs/pub48028/

UXSS (Universal Cross-Site Scripting) is an attack that exploits client-side vulnerabilities in the browser or browser extensions in order to execute malicious code (usually JavaScript) with an access to arbitrary resources (origins). To put it simply: A victim visits a malicious (or hacked / infected) website and an attacker becomes able to read victim's GMail contents, private messages on Facebook, and so on, as well as to perform other actions on behalf of the victim: send emails, upload photos, etc.

UXSS allows an attacker to break the browser's same-origin policy protections and obtain XSS in the context of any website the attacker chooses.

This class of bug is obviously critical in browsers where the user connects their wallet to different dApps. The Browser in the AlphaWallet app is a prime example of a fruitful target for UXSS attacks.

Bug Description

An important part of the AlphaWallet Android app is the Browser, which allows the user to browse the web and conveniently work with dApps.

In order to provide wallet functionality to dApps, the AlphaWallet Android app injects some JavaScript into every loaded page.

It turns out that the chain RPC URL is inserted as-is into the injected JavaScript, with no sanitization or encoding. This leads to a UXSS vulnerability in the AlphaWallet Browser.

The attack can be performed by any web page using the wallet_addEthereumChain web3 call to add a new chain to AlphaWallet.

Example:

web3.currentProvider.request({
	method: "wallet_addEthereumChain",
	params: [{
		chainId: "0x31339",
		chainName: "Evil Ethereum",
		rpcUrls: ['https://rpc-mumbai.matic.today/x"+alert(document.domain)+"'],
		nativeCurrency: {
			name: "Evil",
			symbol: "Test",
			decimals: 18,
		},
		blockExplorerUrls: ["https://explorer-mumbai.maticvigil.com"],
	}],
});

This will ask the user to enable a new chain (this is an innocuous request, which is not expected to harm users in any way). After the user agrees to enable this chain, the AlphaWallet Browser will be "poisoned" with the UXSS payload "+alert(document.domain)+". This piece of JavaScript will be executed in the context of every page the user opens in the Browser.

This demonstrates that an attacker can execute arbitrary JS in the context (origin) of any dApp (and of ordinary websites like google.com).

Impact

The described vulnerability allows an attacker to inject their own JavaScript code into every AlphaWallet Browser page. It gives the attacker the ability to modify or redress any of the dApps accessed through the AlphaWallet Browser.

This can easily be converted into stealing user funds by modifying transaction arguments, substituting contract addresses, or submitting malicious transactions.

Recommendation

Perform proper encoding of the RPC URL value before injecting it into browser pages.

References

https://research.google/pubs/pub48028/
https://www.acunetix.com/blog/articles/universal-cross-site-scripting-uxss/
https://www.youtube.com/watch?v=Yt1a3j-U2zI

Proof of concept

Video with reproduction steps: https://drive.google.com/file/d/1r649BlnFh2RhtvPIAxqUnnLmVvIurUEn/view?usp=sharing

1. In the AlphaWallet Android app Browser, open https://lwsk.s3.amazonaws.com/uxss.html
2. Click the "Press me" button and agree to enable the new chain. The Browser will be poisoned with the stored UXSS payload.
3. Try browsing to different pages (home, https://app.uniswap.org/, https://google.com/). Every page will show an alert box with the document.domain value, showing in which origin it can execute JavaScript code.

Note that alert(document.domain) is used here as the most trivial demonstration of the fact that we can inject JavaScript and access the DOM of different origins.

An attacker can inject arbitrary JavaScript, which can redress dApps, modify transaction arguments, substitute contract addresses, submit malicious transactions, or steal cookies and other sensitive data.

seabornlee, Jun 29 '22 04:06