SteemLiberator - XSS Test And Results - Aka .. Why You Should Sanitize All User Input

in steemdev • 7 years ago (edited)


Preface

Some of you may be aware that my interests align heavily with security. My interest in security and hacking is ultimately what led me down the path of cryptocurrency in the first place. I participated in an ARG (Alternate Reality Game) hosted online by the infamous Cicada 3301 and actually got to the end. This challenge spurred in me an intense desire to learn more about the computers and networks that we rely on so heavily in our society. Everything from your car to your television to your baby monitor can often be controlled by computers (and this means they can be hacked or made to do unexpected things). This is the entire idea behind security when it relates to information technology.

Hackers often find it easiest to circumvent the firewalls and blocking mechanisms you hear about by using innovative workarounds. One such workaround is known as XSS, or Cross Site Scripting. XSS is an effective means of attacking websites that leave themselves vulnerable. Oftentimes the hacker is able to go beyond the vulnerable server and reach the actual clients browsing the website.

Today, I would like to present a simple example of how effective XSS can be, especially when it is paired with a shared database (the blockchain).

XSS Test And Results

There are many ways to test for XSS. One of the most effective free tools that people often use when performing basic security assessments is the open source XSSHunter. XSSHunter lets security researchers quickly generate high-quality, persistent XSS payloads that take screenshots of the affected pages, return various other collected information, and help generate a report. Since we are on Steem and not in some corporate office, there would be little benefit in my generating a user-based report and attempting to educate those users silently.

Instead, I would like to take the more effective route of making this disclosure completely public and providing my assistance (if asked) for removing the vulnerability discovered.


[Screenshots: Autosteem Captured Data (autosteem1.png through autosteem5.png)]


Results

As you can see, Autosteem by @unipsycho is currently affected by XSS delivered through the tags field on posts. In theory, an experienced hacker could craft an XSS payload that interacts with the Autosteem website as the logged-in user. Someone could then, for instance, configure Autosteem to automatically vote on their posts.

Aka .. Why You Should Sanitize All User Input

This is a prime example of why you should always render user-supplied data in an HTML-safe way: escape it (or sanitize it) before it reaches the page. Assuming your users are not trying to hack your website or perform some other form of malicious attack is naive at best and possibly very detrimental to your entire user base.
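As an added illustration (not code from Autosteem, steemd or the original post), the snippet below contrasts the pattern that caused the tags/title problem above (concatenating blockchain-sourced strings straight into HTML) with the escaped form, using a constructed post object and a constructed hostile tag; it runs under Node.js with no DOM required.

```javascript
// Added example, not the project's own code. Post data is assumed to look
// like the JSON a Steem front end pulls from the chain: a title string and
// an array of tag strings, both fully controlled by whoever wrote the post.

// Escape the five characters that can break out of an HTML text node or a
// quoted attribute value. Everything else passes through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: title and tags are dropped into the template as-is,
// so any markup an author put in those fields is rendered as markup.
function renderPostUnsafe(post) {
  const tags = post.tags.map((t) => `<span class="tag">${t}</span>`).join(' ');
  return `<h2>${post.title}</h2><div class="tags">${tags}</div>`;
}

// Hardened pattern: every user-controlled value is escaped before it touches
// the template. The HTML structure is fixed by the code; chain data can only
// ever contribute text.
function renderPostSafe(post) {
  const tags = post.tags
    .map((t) => `<span class="tag">${escapeHtml(t)}</span>`)
    .join(' ');
  return `<h2>${escapeHtml(post.title)}</h2><div class="tags">${tags}</div>`;
}

// Cheap review check: does the rendered output contain any tag that the
// template itself does not emit? True means user data became markup.
function containsForeignMarkup(html) {
  const allowed = new Set(['h2', '/h2', 'div', '/div', 'span', '/span']);
  const tagPattern = /<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagPattern.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a post whose title and one tag carry script markup.
const hostilePost = {
  title: 'Hello <script>alert("title")</script>',
  tags: ['steemdev', '<script>alert("tag")</script>'],
};

console.log(renderPostSafe(hostilePost));
```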

BeEF Could Make This Vulnerability Much More Deadly

Disclaimer:

  • No sensitive information was collected in this test (aside from client IP addresses, which have not been revealed)
  • I am offering my services to help the creator of Autosteem remove this particular XSS vulnerability
  • If you wish to learn more about security, please join me in the SteemDevs Discord server and let's create a discussion
  • All screenshots shown were captured by my XSS payload

Edit 1:

After posting this, I tested a couple more input fields and was able to find https://steemd.com by @roadscape to be affected by XSS through the TITLE field.

[Screenshot: steemd1.png]


"nice post" (TM) ;-)
Thank you for increasing global awareness.

once again proving my witness vote was not misplaced

You can't misplace a witness vote. They are always right where you left them.

well... I'm looking for a "place" to not miss voting for utopian witness.... obviously net is not on my "miss" list

Oh he is a Misses alright. He has nice legs too. Looks good in a school girl skirt and a wig.

Ugh

Heh. Probably.

Great post a steemdev. Thank you @netuoso
