Over the past few days, I have been working a little more with the SPS Validator software and doing various tasks. As some of you already know, I like to work as a pentester, security researcher or ethical hacker in my spare time. At first, we only had the frontend at https://thespsdao.github.io/SPS-Validator/ to cast our votes for SPS validators and initially focused on the input fields that are available there. Technically, I simply write something in an input field, which in turn is written to the blockchain and output again a little later at a specific location. My approach here was to test stored XSS, which I have already done very often with other Hive services. I must have tried around 50 different ways of writing code to the chain in order to break through the HTML displayed on the website and execute code. I made many attempts - nothing worked. This is great and actually exactly what I had in mind.
Then I tried the same inputs again to test the frontend of Monstermarket. In this case, the inputs you enter are also rendered in special places. Again, everything was great and, as expected, I was unable to break through the rendered HTML and execute code. Perfect!
Then last but not least, Peakmonsters released their validator page and I focused my work in that direction. Here, too, I have tried many different forms of payloads to inject code that doesn't belong there. I know the team behind Peakmonsters well and know that they produce very good and secure code. I haven't found any errors at Peakmonsters either and I have to say that I'm satisfied with how all the frontends have been implemented at this point. Three thumbs up! 👍👍👍
However, during all my work and research I noticed something that might be a problem? I don't know if you can break out of Docker logs - I'm not experienced enough at this point to make a statement - but as some validators may have observed, I was able to successfully use the Docker logs for advertising ;) Nothing earth-shattering but still a pretty funny thing in my opinion.
Why am I doing this? Quite simply! I just want us to be safe here on Hive / Splinterlands and in our entire ecosystem and therefore I proactively invest my time and knowledge to test things.
Thank you!
You're doing a great job and often try things I don't even have on my radar :D
Thank you for your witness vote!
Have a !BEER on me!
To Opt-Out of my witness beer program just comment STOP below
your effort trying to make Hive/Splinterlands/the entire eco- a safer place- is very much appreciated- great work & have a great day
I'm glad to know that monster market and the others are good to go. I have my license delegated to them specifically.
Did you also scan the logs for PII or SPI data?
Nope.