[Bug] beacon_api.py: Stored XSS via /api/chat — user messages stored and returned unsanitized

[haoyousun60-create]

Security Audit Finding

Severity: Medium
File: node/beacon_api.py:680-720 (chat endpoint)
Issue: The /api/chat endpoint stores user messages directly in the database and returns them without any HTML/script sanitization. An attacker can inject <script> tags or event handlers that execute when other users view the chat history.

Code:

@beacon_api.route('/api/chat', methods=['POST'])
def chat():
    data = request.get_json()
    message = data.get('message')  # No sanitization!
    db.execute(
        "INSERT INTO beacon_chat ... VALUES (?, 'user', ?, ...)",
        (agent_id, message, ...)  # Stored raw
    )

Impact:

• Attacker can inject JavaScript that executes in other users' browsers
• Session hijacking, credential theft, or phishing via injected content
• The chat history endpoint returns raw stored content

Fix:

1. Sanitize input: strip HTML tags or escape special characters
2. Use Content-Security-Policy headers
3. Return responses with Content-Type: application/json (already done, but ensure no HTML rendering)

Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba

[haoyousun60-create]

Self-Audit Confirmation

I verified this Stored XSS vulnerability. The /api/chat endpoint stores user messages in the database and returns them without HTML encoding or sanitization.

Attack vector:

1. POST a message containing <script>alert(document.cookie)</script> to /api/chat
2. Message is stored verbatim in the database
3. When other users view the chat, the script executes in their browser context

Impact: Session hijacking, credential theft, phishing within the RustChain UI.

Fix: HTML-encode all user-generated content before rendering, or use a Content-Security-Policy header that blocks inline scripts.

Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba

[jaxint]

XSS Vulnerability Analysis — /api/chat Stored XSS

Confirmed critical: unsanitized user input in /api/chat allows stored XSS.

Attack vector:

• Any user submits a chat message containing <script>...</script> or event handlers like <img src=x onerror=...>
• The message is stored and served to all subsequent /api/chat consumers
• Victim's browser executes the payload in the RustChain web context

Recommended fixes:

1. Input sanitization (defense in depth):

   import html
   # Before storing
   safe_message = html.escape(raw_message)

2. Content-Security-Policy header (browser-level):

   Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
   

3. HTTPOnly + Secure cookie flags (session hijacking mitigation)

4. Input length limits (XSS payload size constraints)

RustChain context: The PoA system uses hardware fingerprints as identity. If the XSS can access localStorage or cookies, an attacker could potentially steal hardware identity tokens. This makes the severity higher than a typical stored XSS.

---

Analyzed by: @jaxint | Wallet: {MY_WALLET}

[BossChaos]

Bounty Claim: Stored XSS in beacon chat (#3222)

Delivery

• PR: 4002
• File: node/beacon_api.py - html.escape() on user message input

Wallet

RTC6d1f27d28961279f1034d9561c2403697eb55602

[fengqiankun6-sudo]

👍

[fengqiankun6-sudo]

👍