reply
calle? Oh goodness fine.
Step 1: JavaScript reverse TCP shell https://github.com/shelld3v/JSshell
Request localhost page from within the shell.
reply
How would anyone except the wallet provider be able to inject this?
reply
We are assuming the user is trying to stream pirated movies and this code is injected via an ad or something (oddly specific I know)
This solution was particularly fun to read:
Find below the activeX script to read a local file. (works fine in IE).
    // Scripting.FileSystemObject is the ActiveX component that exposes the local filesystem to script
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    // Specify the local path to open (1 = ForReading)
    var file = fso.OpenTextFile("C:\\your path\\ filename", 1);
    var fileContent = file.ReadAll();
    file.Close();
    // Parse the contents
    // ex: if the content is in JSON format
    var obj = eval('(' + fileContent + ')');
    for (var i = 0; i < obj.length; i++) {
        // Access each element
        alert(obj[i].name);
    }
"But this is patched out! Everyone uses chrome or edge now. IE is deprecated and so is ActiveX!"
Yeah well, we use old vulnerabilities to guess what the new vulnerabilities might look like in the future (a lot of vulnerabilities are the same mistakes made in new code). If you're really looking for a 0 day just to be convinced not to put money in your browser, maybe go to 0day.today or something lmao
It also usually isn't 1 exploit and everything is gone. A lot of exploits that get an attacker a foothold might be written off as "yeah but they don't have admin privileges" for example, but getting admin privileges is a different step: "privilege escalation".
The hacker methodology for those who don't know is
Planning
Footprinting - Getting information about the target without interacting with the target system. (Looking up who works at a company on social media for example)
Scanning - Using what was learned during footprinting to gain more information in a direct way. Typically port scanning, but in social engineering, this would be asking an employee questions, or people who know that employee questions about the employee
Enumeration - Deconstructing information gained during the scanning phase to determine a useful exploit that might be performed on the target. In social engineering, this would be figuring out based on the questions you asked the employee, how they might respond to certain situations.
Exploitation
System hacking - This is where you perform the exploit. You are not on the computer or in general have access to the system. Again, do not limit this to remote access. This could be physical access.
Escalation of privilege - This is where you gain higher level permissions on the target system
Post Exploitation
Covering Tracks - Erasing and planting false logs on the target system to hide that you're there
Planting backdoors - Allows for you to easily get back into the system without going through all the previous steps.
After one system is exploited, the process starts over to attempt to gain access to the next system within the same network or otherwise connected to the same system.
If you post about your money on social media, this enables the footprinting phase. If you are comfortable talking openly about yourself, this enables the scanning phase (at least in terms of social engineering). If you react without thinking, knowledge that you react in this way would be gained during the enumeration phase.
I was going to talk about extra vulnerabilities browser extensions can create, but I'll save that for a different time.
So anyway, as you can see, when I think about my security, I might think about how it could have been done with an older version of software, partly because people may still be running old software, but also because if we know about an exploit, it gets patched. So instead, I might look to old vulnerabilities to inform myself for what to look for in new code, or if I can't do a code review, I might apply general security practices that can help me even if I were running old known vulnerable software because it keeps me the most safe. There have been so many browser exploits over the years in particular, that it should be general practice at this point, not to do anything web related that would have consequences that are too dire if it were exploited.
reply
Nice write-up. A little bit on the paranoid side, but I mean this as a good thing. I tend to do the same when thinking about exploits. Sometimes it "doesn't sound realistic" or "black swany" but it's still a good mental exercise to go through possible vulns
reply
It's not really that paranoid though. The web browser is the most targeted and attacked software we use.
reply
Thanks for this super detailed post! I agree with all you've said.
That said, I don't think that ecash web wallets are the end of the story. There is a Python and a Golang CLI client already as well. We have to prove that the protocol is easy to implement, and that's what @gandlaf21 has achieved here miraculously!
reply
Yeah I wasn't saying ecash bad because web browser rather just use ecash in a more secure way.
Could make a GUI wallet: https://github.com/AndyObtiva/glimmer
I don't know anything about how to program an ecash mint though.
A concern I have about ecash though, I would personally make each ecash mint distinctly different to avoid one mint going bad causing all mints to be diluted. This is because of Gresham's law. You know, make each ecash token wallet clear as to which mint it belongs to.
Browsers are also insanely complicated virtual machines that execute code downloaded on-demand. Absolutely wild environment.
solid post.
reply
The app has only local persistence, how can that be attacked with XSS? Honest question, I might be missing something
reply
Well the wiki is trying to talk about all XSS, but the particular one I was thinking of is the clever attack where you make a keylogger with JavaScript or CSS and it's able to gather what you type even if the danger site is merely tabbed away.
reply
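As an added illustration of the "local persistence vs. XSS" question above (this is example code written for this thread, not the wallet project's own code): anything a browser wallet keeps in localStorage is readable by any script that ends up running in the page's origin, so the defence is to keep injected markup from ever becoming script. The two pieces a practitioner would want are an output-escaping render function (shown beside its unsafe twin) and a Content-Security-Policy that refuses inline and third-party script. The history entry, the `memo` field and the `cspHeader()` helper are assumptions made up for the example.

```javascript
// Added example (not from the thread or the wallet project): output escaping and
// a CSP for a browser wallet whose bearer tokens live in localStorage.

// 1. Never interpolate untrusted strings (a pasted token, a mint name, a memo)
//    into markup. Escape them, or assign them via textContent instead of innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: an attacker-controlled memo lands in the DOM as live markup.
function renderHistoryRowUnsafe(entry) {
  return `<li>${entry.amount} sat &ndash; ${entry.memo}</li>`;
}

// Hardened: same row, but the amount is coerced to a number and the memo can
// only ever be text.
function renderHistoryRow(entry) {
  return `<li>${Number(entry.amount)} sat &ndash; ${escapeHtml(entry.memo)}</li>`;
}

// 2. A Content-Security-Policy (hypothetical helper) that allows only same-origin
//    script: no 'unsafe-inline', no 'unsafe-eval', no CDNs. Markup that slips
//    past step 1 then cannot execute anything.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Headers the wallet's HTML response should carry.
function responseHeaders() {
  return {
    'Content-Security-Policy': cspHeader(),
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Constructed sample input: a memo carrying markup, as an attacker-controlled
// string arriving through a payment request might.
const SAMPLE_ENTRY = { amount: 21, memo: '<img src=x onerror="alert(1)">' };

function demo() {
  return {
    unsafe: renderHistoryRowUnsafe(SAMPLE_ENTRY),
    safe: renderHistoryRow(SAMPLE_ENTRY),
    headers: responseHeaders(),
  };
}

module.exports = { escapeHtml, renderHistoryRowUnsafe, renderHistoryRow, cspHeader, responseHeaders, demo };
```

The escaping alone already stops the sample memo from becoming an element; the CSP is the second layer for the case where some other render path forgets to escape. Neither makes localStorage unreadable, which is why the thread's larger point (how much value to leave in a browser wallet) still stands.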
oh! feel free to audit ;) code is open-source.
It's good to be cautious though, so I understand if you don't wanna expose yourself. You can spin up a VM and open the site in there, then you don't have to trust me.
You should be doing that anyway, since most of the Internet runs on JS.
reply
Well I didn't mean you put a keylogger in your code, I just meant someone could visit a website that has a keylogger and then keylog a cashu token in order to take money.
The larger point being "Yo can we stop trying to put our money in web browsers?" lol
reply
I got you now!
True.. that is a big issue. Also why we should move on from passwords.
I would hope these kind of apps only hold amounts that are not worth stealing. Pennies or maybe a couple bucks
reply
Yes! Holy shit the password is so fucking dead. Try to make a password you can remember? Get rainbow tabled. Work hard to learn a difficult password? 1 website gets hacked and now all your accounts are compromised. Password manager? Password manager stores passwords on their server and that server gets hacked. 2fa? Sim swapping.
Just use asymmetric cryptography already!
reply
Hell yeah!
The only fear I have with PubK PrivK is that the Elliptic curve doesn't offer password reset.. heheheh
reply
Bitcoin also doesn't offer password reset, but because of Bitcoin we've developed some really good methods for balancing security and availability like geo-disbursed multi-sig
"able to gather what you type even if the danger site is merely tabbed away"
What vulnerability allows an inactive tab to gather what's typed outside of its context?
There are many vulnerabilities on the web but most big browsers have pretty good sandboxing with regard to tabs.
reply
I was going to write a whole post about how it is so so so much worse than this, but then I decided I didn't want to give anyone any ideas lmao
reply