The notion of a "weaponized" NFT seems silly at first thought. Traditionally, I think of weapons as things like—katanas, AR-15s, atomic bombs, words—not our precious digital collectibles.

However, not all NFTs are made equal. While many are simply jpegs, pngs, and gifs—generally benign in nature, aside from some of their "visual content" (kek)—there exists a category of NFTs, notably SVGs and HTML files, that are inherently more programmable and "dynamic." These NFTs can be malignant.

At its most basic core, Ethereum is a decentralized and permissionless database. It's a radical departure from traditional web2 database structure, offering anyone the ability to add data without centralized approval or oversight. This always-on, always-open nature is revolutionary, but it also introduces complexities, especially concerning security.

Web2 security practices typically restrict the type of user input into a database to protect data integrity and end user safety. However, Ethereum's decentralized ethos flips this on its head, creating a playground for trustless innovation and experimentation inside of this global database.

"okay cool it's a permissionless database, so what" I'm getting there...

Websites, at their core, are built on HTML, CSS, and JavaScript. JavaScript's Turing completeness means it can execute almost any computable function. If you can dream it, code it, and run it, JavaScript will do it. Go ahead, imagine all the great things you could do if anything were possible. Now, imagine all of the equally bad things you could do as well. That's JavaScript!

The specific danger with JavaScript lies in XSS (Cross-Site Scripting) attacks. XSS exploits involve injecting malicious JavaScript into otherwise benign and trusted websites, manipulating them to execute unintended actions upon unsuspecting websites and users.

<script>alert('XSS');</script> <!-- sample XSS injection -->

There are different types of XSS attacks, each with unique characteristics and implications, but in this case we are mostly interested in a "stored XSS" attack. A stored XSS attack literally means that the attacker was able to inject and "store" the malicious JavaScript into the database of the website. If an unsuspecting user happens to come upon this stored malicious script, e.g. an XSS payload stored in a forum post, the attack begins. The result of the attack is ultimately up to the intent and expertise of the attacker, but attacks can include things like: Phishing, Wallet Drainer, DOS, Cookie Bomb, Cookie Theft, Drive-by Downloads, Keylogging, Hidden Crypto Miner, etc.

All not good things.

But how does it relate to my precious NFTs? Because instead of each website using its own siloed database like in Web2, each Web3 dApp shares a GLOBAL database that anyone can view and write to.

This decentralized database doesn't inherently filter user-contributed data for security threats like XSS. So if a decentralized application (dApp) doesn't properly sanitize the data it fetches, such as SVGs or metadata within NFTs, before serving it to the client, it can unwittingly execute malicious scripts through a stored XSS attack, exposing you to hidden threats lurking within the Metaverse.
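As an added example that is not part of the original post and not jaVasCriptguy's own code: a defensive triage-and-render path a dApp could run on a tokenURI fetched straight from the chain, written for Node.js (uses Buffer; the indicator list, helper names and the sample SVG are constructed for illustration).

```javascript
// Constructs that let an SVG/HTML NFT run code when inlined into the DOM.
// Case-insensitive on purpose: "jaVasCript:" is still javascript:.
const SCRIPT_CAPABLE = [
  [/<\s*script\b/i, 'script element'],
  [/\son[a-z]+\s*=/i, 'event handler attribute'],
  [/javascript\s*:/i, 'javascript: URL'],
  [/<\s*foreignObject\b/i, 'foreignObject (embeds HTML)'],
  [/<\s*(iframe|object|embed)\b/i, 'embedding element'],
];

// Parse a data: URI into { mime, bytes }; null for anything else (http, ipfs, ...).
function decodeDataUri(uri) {
  const m = /^data:([^;,]*)((?:;[^;,]*)*),([\s\S]*)$/i.exec(uri);
  if (!m) return null;
  const [, mime, params, payload] = m;
  const bytes = /;base64/i.test(params)
    ? Buffer.from(payload, 'base64')
    : Buffer.from(decodeURIComponent(payload), 'utf8');
  return { mime: mime.toLowerCase(), bytes };
}

// Triage signal only: regex filters are bypassable (entity encoding, nested SVGs),
// so this feeds logging/alerting and never decides what may be inlined.
function auditImage(imageUri) {
  const img = decodeDataUri(imageUri);
  if (!img) return { mime: null, indicators: ['not a data: URI'] };
  const text = img.bytes.toString('utf8');
  return { mime: img.mime, indicators: SCRIPT_CAPABLE.filter(([re]) => re.test(text)).map(([, n]) => n) };
}

// Hardened render path: allow-list the MIME type (text/html is refused outright),
// re-encode as base64 so the src attribute can only hold [A-Za-z0-9+/=], and emit
// an <img>; browsers do not run scripts or handlers in SVG loaded through <img>.
function safeImgTag(imageUri) {
  const img = decodeDataUri(imageUri);
  if (!img || !['image/svg+xml', 'image/png', 'image/gif', 'image/jpeg'].includes(img.mime)) return null;
  return `<img alt="nft" src="data:${img.mime};base64,${img.bytes.toString('base64')}">`;
}

// Full path from a fetched tokenURI: decode the JSON envelope, audit and render its image.
function handleTokenUri(tokenUri) {
  const meta = decodeDataUri(tokenUri);
  if (!meta || !meta.mime.includes('json')) return null;
  const { image } = JSON.parse(meta.bytes.toString('utf8'));
  return { audit: auditImage(image), html: safeImgTag(image) };
}

// Constructed sample (not a real token): an on-chain SVG carrying an onload handler.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(\'XSS\')"><text y="20">jaVasCriptguy</text></svg>';
const SAMPLE_TOKEN_URI = 'data:application/json;base64,' + Buffer.from(JSON.stringify({
  name: 'jaVasCriptguy (constructed)',
  image: 'data:image/svg+xml;base64,' + Buffer.from(SAMPLE_SVG).toString('base64'),
})).toString('base64');
```

The audit result is what you log and alert on; the `<img>` string is the only thing that should reach the page, never `innerHTML` of the SVG source.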


Enter "jaVasCriptguy," a conceptual embodiment of a fully onchain stored XSS threat within the NFT ecosystem. Stored permissionlessly on the Ethereum database with no external storage dependencies, "jaVasCriptguy" is potentially the most immutable and widespread XSS "attack" that currently exists. Any dApp that fetches and populates NFT data directly from the Ethereum database is a potential target for "jaVasCriptguy".

But "jaVasCriptguy" looks cute and harmless. Yes, he is cute, but he's also punk rock!

"jaVasCriptguy" embodies various XSS payloads, increasing in complexity to test for edge cases. While his payloads may not cause any actual harm to end users and are purely for conceptual art enjoyment and educational benefits, they are real XSS injections that could showcase entry points into our precious and young ecosystem. As we talked about above, once entry is made, the sky's the limit (up only! or down only. whatever...).


P.S. If any XSS vulnerabilities are found using "jaVasCriptguy", please immediately report them to the necessary developer team. Please let me know as well so I can add to the lore that is "jaVasCriptguy".
