
Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify

On August 24th, 2022, a researcher reported a vulnerability to Netlify in their Next.js “netlify-ipx” repository (the image-optimization layer Netlify runs in front of Next.js sites) which would allow an attacker to achieve persistent cross-site scripting on any site served through it.


With the introduction of Web3 browser extensions like Phantom, MetaMask, and Coinbase Wallet, there has been an increase in seemingly “static” websites which allow users to interact with blockchain networks like Ethereum and Solana directly from the browser. The majority of these static cryptocurrency websites are written in Next.js and run on top of Netlify, Vercel, and GitHub Pages.

One of the reasons we suspect that nearly all of these websites use Next.js is how well Web3 functionality is supported within the Next.js ecosystem. There are many libraries that make it easy to work with browser extension wallets, so developers choose to build with them.

Since these sites don’t typically store sensitive information, have state-changing functionality, or have many traditional elements of interactive websites (login, registration, profiles, etc.), it’s easy to assume that they lack any interesting server-side functionality. After investigating these hosting platforms for a few months, however, we realized that this was not the case: the platforms run many server-side components (image optimization, middleware, edge functions) on top of Next.js, and those components sit in the response path of every “static” page.

How do static Web3 websites differ from a security perspective?

When assessing lightweight JavaScript websites which run on Next.js, the weighting of the impact metrics in the traditional CVSS model shifts for these targets as follows:

Integrity (the most important security element for Web3 websites):

  • Becomes the most sensitive CVSS impact metric. Users have to trust that the website they’re visiting isn’t returning incorrect information, because the page content is what decides which contract their wallet talks to.
  • If an attacker was able to modify the HTTP response to include a malicious contract address, or tamper with the client’s data before it is sent to the contract, they could trick users into signing a transaction (for example an ERC-20 approve or an NFT setApprovalForAll) which grants the attacker access to any of their tokens and NFTs. Persistent XSS on the hosting layer is exactly this kind of response modification, and it affects every visitor, not just one.
  • The cryptocurrency ecosystem does not currently have a convenient way to validate that the contract address being interacted with belongs to the website owner. The average user will not validate that the contract or spender shown in the wallet prompt is correct when performing actions on a website they trust.
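The two integrity failures above (a swapped contract address in the served page, and a swapped spender in the calldata handed to the wallet) can both be caught on the client if the dapp pins its own contract and spender addresses in the built bundle and inspects every transaction before asking the wallet to sign it. The following is an added example written for this post, not code from the original writeup, from Netlify, or from any wallet library. Every address, the page config, and the `PINNED` allowlist are constructed for illustration; the two function selectors are the standard ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)` selectors.

```javascript
// Added example: vet a transaction before it reaches the wallet, so that a
// tampered HTTP response (e.g. persistent XSS on the host rewriting the page's
// config) cannot silently redirect an approval to an attacker's address.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20
  "a22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Left-pad a value into a 32-byte ABI word (64 hex characters).
function word(value) {
  return BigInt(value).toString(16).padStart(64, "0");
}
function addressWord(addr) {
  return addr.toLowerCase().slice(2).padStart(64, "0");
}

// Calldata the dapp's frontend would build for the two approval calls.
function buildApproveCalldata(spender, amount) {
  return "0x095ea7b3" + addressWord(spender) + word(amount);
}
function buildSetApprovalForAllCalldata(operator, approved) {
  return "0xa22cb465" + addressWord(operator) + word(approved ? 1 : 0);
}

// Decode just enough of the calldata to see who would be granted access.
// Returns null when the call is not one of the approval functions above.
function decodeApproval(data) {
  const body = (data || "0x").toLowerCase().replace(/^0x/, "");
  const name = SELECTORS[body.slice(0, 8)];
  if (!name || body.length < 136) return null;
  // An address is right-aligned inside its 32-byte word: skip 24 hex of padding.
  const spender = "0x" + body.slice(32, 72);
  const arg2 = BigInt("0x" + body.slice(72, 136)); // amount, or 0/1 for approved
  return { name, spender, arg2 };
}

// Allowlist pinned into the application bundle at build time (assumed),
// deliberately NOT fetched at runtime where a tampered response could replace it.
const PINNED = {
  chainId: 1,
  contracts: new Set(["0x" + "11".repeat(20)]), // the dapp's own token contract (constructed)
  spenders: new Set(["0x" + "22".repeat(20)]),  // the router it legitimately approves (constructed)
};

// Returns { ok, reason, warnings }. Call this right before provider.request(eth_sendTransaction).
function vetTransaction(tx, pinned = PINNED) {
  const warnings = [];
  if (tx.chainId !== pinned.chainId) return { ok: false, reason: `wrong chain ${tx.chainId}`, warnings };
  if (!tx.to || !pinned.contracts.has(tx.to.toLowerCase()))
    return { ok: false, reason: `unknown contract ${tx.to}`, warnings };
  const approval = decodeApproval(tx.data);
  if (approval) {
    if (!pinned.spenders.has(approval.spender))
      return { ok: false, reason: `${approval.name} to unexpected spender ${approval.spender}`, warnings };
    if (approval.name === "approve(address,uint256)" && approval.arg2 === MAX_UINT256)
      warnings.push("unlimited allowance requested");
  }
  return { ok: true, reason: "", warnings };
}

// Constructed page config as the server should return it, and the same response
// after an attacker with persistent XSS on the host rewrites one field.
const legitConfig = { chainId: 1, token: "0x" + "11".repeat(20), router: "0x" + "22".repeat(20) };
const tamperedSpender = { ...legitConfig, router: "0x" + "bad0".repeat(10) };
const tamperedContract = { ...legitConfig, token: "0x" + "bad0".repeat(10) };

function approvalTxFromConfig(cfg, amount) {
  return { chainId: cfg.chainId, to: cfg.token, data: buildApproveCalldata(cfg.router, amount) };
}

// Stand-alone demonstration.
for (const [label, cfg] of [["legit", legitConfig], ["tampered spender", tamperedSpender], ["tampered contract", tamperedContract]]) {
  console.log(label, vetTransaction(approvalTxFromConfig(cfg, 10n ** 18n)));
}
```

The guard is only as good as where the allowlist lives: if the expected addresses are themselves loaded from a JSON file or an HTML response served by the same platform the attacker can tamper with, the check collapses, which is why the example reads them from a constant compiled into the bundle.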


Posted by SH
