How OpenSea allows Cross-Site-Scripting Attacks (XSS)
Did you know that OpenSea allows us to inject any custom code into their StoreFront via MetaData returned by a SmartContract, virtually performing an XSS attack, even without requiring advanced XSS techniques?
What is cross-site scripting?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. In the current example with OpenSea, any artist or publisher could feed custom code without having to use any major tricks
That’s when I got curious and wanted to take a look. Here we go.
The SmartContract behind this particular token was deployed on Rinkeby Testnet at https://rinkeby.etherscan.io/token/0x2f3ee0ace02c71bc82863a28633c0f983a5435bb:
According to OpenSea, this contract is based on ERC721. This standard defines a function that will be used to get the real token-Data: tokenUri.
The tokenURI function returns the following URL to IPFS. IPFS is an immutable and distributed file storage system commonly used in the NFT space to protect the actual image files and their corresponding data:
… which will point to a JSON document that contains the following data:
How to avoid these attacks?
Since this topic is far beyond the scope of this blog post, I refer to the experts (and every web developer should read this if they haven’t already):