By louis88 on Skatehive
I'm gonna call it a day. But... in this blog post, I'd like to look back on the work I've done today – partly as a summary for myself, but also to show you all what I've managed to accomplish today! It's now 10:30 p.m., and I started my work researching security vulnerabilities in the HIVE ecosystem around midday. First, I went through a few audits from last week to see if I'd missed anything, and I had something in mind that I'd been wanting to test for a long time. Namely, Witnesses can include a description along with their parameters for the blockchain, as well as a URL for their Witness announcement post or whatever—most use their profile or their project. And that's exactly where I wanted to start and see what might happen—and yes, something did happen. I started by using my brother's witness and entered various XSS payloads as URLs... from standard javascript:// to frontend-specific variables, I tried out about 50 different payloads and have to say—sure enough, the frontends I te