Description of the Discovered Bug: DOM XSS in Epic Games System
Bug Name: DOM Cross-Site Scripting (XSS)
Severity: Critical
Description:
A critical vulnerability, identified as DOM Cross-Site Scripting (XSS), has been discovered in the Epic Games system. This security flaw allows an attacker to manipulate the Document Object Model (DOM) of a web page, executing malicious scripts in the browser. As a result, unauthorized actions can be performed on behalf of users, leading to the exposure of sensitive information.
Impact:
The exploitation of this DOM XSS vulnerability has significant consequences, including:
– Unauthorized Actions: Attackers can execute arbitrary scripts within the user’s browser session and so perform actions on the user’s behalf.
– Exposure of Sensitive Information: User session tokens, credentials, and other sensitive information can be stolen.
– Phishing Attacks: Attackers can craft malicious payloads that, when processed by the browser, execute harmful scripts, leading to phishing attacks and further exploitation.
– Compromise of User Accounts: By hijacking sessions, attackers can gain unauthorized access to user accounts and sensitive data.
Technical Details:
DOM XSS attacks exploit vulnerabilities in client-side code that manipulates the DOM in the browser. Unlike traditional XSS, which relies on server-side vulnerabilities, DOM XSS occurs when the client’s script modifies the DOM in an unsafe way based on user input.
In this particular instance, the DOM XSS vulnerability was found in a JavaScript function of the Epic Games web application. By injecting a malicious script into an input that the function processes, the attacker was able to alter the DOM in a way that executed the script in the user’s browser. This enabled the attacker to steal session tokens and perform unauthorized actions on behalf of the user.
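The unsafe-DOM-write pattern described above, next to a hardened form, as an added example that is not Epic Games code or part of the original report. The greeting functions, the `name` fragment parameter, the allow-list pattern and the sample input are all hypothetical; `el` stands for a DOM element and is replaced by a plain object so the block also runs outside a browser.

```javascript
// Added example: hypothetical greeting widget, not the affected application's code.
// `el` is any object exposing innerHTML/textContent (a DOM element in a browser).

// Reads the hypothetical `name` parameter from a URL fragment such as "#name=Ada".
function readName(hash) {
  return new URLSearchParams(String(hash).replace(/^#/, "")).get("name") || "";
}

// Vulnerable: user-controlled fragment text reaches an HTML-parsing sink.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = "Welcome, " + readName(hash); // markup in the value becomes live DOM
}

// Hardened: allow-list the value, then write it through a text-only sink.
const NAME_PATTERN = /^[\p{L}\p{N} _.-]{1,32}$/u; // assumed policy for display names

function renderGreetingSafe(el, hash) {
  const name = readName(hash);
  const accepted = NAME_PATTERN.test(name);
  el.textContent = "Welcome, " + (accepted ? name : "guest"); // never parsed as HTML
  return accepted;
}

// For code paths that must build an HTML string: encode the significant characters.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: a fragment whose value contains markup.
const SAMPLE_HASH = "#name=" + encodeURIComponent("<img src=x onerror=alert(1)>");

// Runs both variants against the same input and returns what each sink received.
function demo() {
  const unsafeEl = { innerHTML: "", textContent: "" };
  const safeEl = { innerHTML: "", textContent: "" };
  renderGreetingUnsafe(unsafeEl, SAMPLE_HASH);
  const accepted = renderGreetingSafe(safeEl, SAMPLE_HASH);
  return { unsafeHtml: unsafeEl.innerHTML, safeText: safeEl.textContent, accepted };
}
```

In a browser, the unsafe variant hands the decoded markup to the HTML parser, while the hardened variant rejects the value and the text sink would render even an accepted value as literal characters.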