Some SPS-Validator Frontend Tests ... proactively Testing things... by louis88

View this thread on: hive.blog | peakd.com | ecency.com

hive-13323 · @louis88 · Mar 12

$11.83

Some SPS-Validator Frontend Tests ... proactively Testing things...

Over the past few days, I have been working a little more with the SPS Validator software and doing various tasks. As some of you already know, I like to work as a pentester, security researcher or ethical hacker in my spare time. At first, we only had the frontend at https://thespsdao.github.io/SPS-Validator/ to cast our votes for SPS validators and initially focused on the input fields that are available there. Technically, I simply write something in an input field, which in turn is written to the blockchain and output again a little later at a specific location. My approach here was to test stored XSS, which I have already done very often with other hive services. I must have tried around 50 different ways of writing code to the chain in order to break through the HTML displayed on the website and execute code. I made many attempts - nothing worked. This is great and actually exactly what I had in mind.

Then I tried the same inputs again to test the frontend of Monstermarket. In this case, the inputs you enter are also rendered in special places. Again, everything was great and, as expected, I was unable to break through the rendered HTML and execute code. Perfect!

Then last but not least, Peakmonsters released their validator page and focused my work in that direction. Here, too, I have tried many different forms of payloads to inject code that doesn't belong there. I know the team behind Peakmonsters well and know that they produce very good and secure code. I haven't found any errors at Peakmonsters either and I have to say that I'm satisfied with how all the frontends have been implemented at this point. Three thumbs up! 👍👍👍

However, during all my work and research I noticed something that might be a problem? I don't know if you can break out of Docker logs - I'm not experienced enough at this point to make a statement - but as some validators may have observed, I was able to successfully use the Docker logs for advertising ;) Nothing earth-shattering but still a pretty funny thing in my opinion.

![image.png](https://files.peakd.com/file/peakd-hive/louis88/23swc1ry4s6GVxhYSRaPpbiaJCyyZRVBsmvLdrdHgTZKe368YoTN2fcBCTniCEz8gvoDm.png)

![image.png](https://files.peakd.com/file/peakd-hive/louis88/23tS2bqoZqYnnjkv16HWMzC2FTNZcBzXhMsu3QNWptZM4tJMAHbp8S1UxdJ3mpdzkNkAC.png)

Why am I doing this? Quite simply! I just want us to be safe here on Hive / Splinterlands and in our entire ecosystem and therefore I proactively invest my time and knowledge to test things.

Thank you!

👍 smartsteem, solominer, jedigeiss, mangos, detlev, condeas, boomerang, therealwolf, uwelang, cur8, bravetofu, fw206, germansailor, arcange, sbi6, cst90, bluerobo, jeffjagoe, godfish, bozz, marjanko, reinhard-schmid, splinterboost, sunsea, seattlea, apshamilton, therealyme, rivalzzz, reconnectnature, jeanpi1908, obvious, bil.prag, uadigger, alexvan, hatoto, honeydue, beerlover, cervisia, solarwarrior, simba, melvin7, kobold-djawa, ogfox, rcshad0w, hornet-on-tour, travoved, sc000, properfraction, sparschwein, hive.pizza, cryptoriddler, shaka, drricksanchez, backinblackdevil, hiveonboard, walterjay, grider123, terraboost, udabeu, epicdice, dreimaldad, jlufer, linuxbot, karizma, and 200 others

`author`	louis88
`permlink`	some-sps-validator-frontend-tests--proactively-testing-things
`category`	hive-13323
`json_metadata`	{"app":"peakd/2025.2.3","format":"markdown","author":"louis88","tags":["sps","validator","splinterlands","community","hive","blog","security","testing","hacking","pentest"],"users":[],"image":["https://files.peakd.com/file/peakd-hive/louis88/23swc1ry4s6GVxhYSRaPpbiaJCyyZRVBsmvLdrdHgTZKe368YoTN2fcBCTniCEz8gvoDm.png","https://files.peakd.com/file/peakd-hive/louis88/23tS2bqoZqYnnjkv16HWMzC2FTNZcBzXhMsu3QNWptZM4tJMAHbp8S1UxdJ3mpdzkNkAC.png"]}
`created`	2025-03-12 21:02:21
`last_update`	2025-03-12 21:02:21
`depth`	0
`children`	8
`last_payout`	2025-03-19 21:02:21
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	5.928 HBD
`curator_payout_value`	5.898 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	2,524
`author_reputation`	1,194,067,927,799,267
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,391,751
`net_rshares`	34,905,393,034,901
`author_curate_reward`	""

properties (23)vote details (264)

voter	rshares	pct
simba	120,302,615,335	100%
leprechaun	2,712,110,772	22.75%
roelandp	8,447,475,907	0.37%
jeffjagoe	434,239,214,673	100%
arcange	523,461,517,211	5%
quigua	13,680,380,648	100%
logic	24,634,850,959	80%
shaka	43,870,466,611	50%
germansailor	539,142,920,477	100%
sabine-reichert	3,894,313,015	100%
netaterra	5,623,527,454	15%
jlufer	30,759,656,277	100%
uwelang	1,149,186,445,355	35%
freiheit50	686,635,976	100%
webhoster	995,919,953	100%
discovereurovelo	1,191,361,419	0.75%
rach	743,975,470	100%
mangos	2,796,492,720,752	43%
funnel	1,305,701,426	2%
doodleman	957,763,697	50%
walterjay	40,863,541,082	1.62%
alexvan	145,160,241,248	100%
kobold-djawa	90,826,716,603	100%
steemitboard	9,586,596,451	5%
fronttowardenemy	4,162,144,910	1.5%
ganjafarmer	905,320,711	0.5%
detlev	2,130,624,188,749	100%
lizanomadsoul	2,640,356,876	1.5%
reconnectnature	172,375,905,886	88%
josequintana	709,783,478	20%
uadigger	149,947,065,231	100%
grider123	36,800,792,049	100%
unatalmaria	126,684,463	100%
marcevhc	0	100%
roomservice	1,841,336,236	75%
monoc	23,431,108	100%
cryptoriddler	45,637,258,171	100%
anfitriones	128,948,889	100%
jeanpi1908	169,162,649,585	100%
cardumen	8,310,012	100%
chinito	2,638,304,415	18%
princessmewmew	1,943,893,052	0.75%
joeyarnoldvn	520,259,014	1.66%
grocko	902,234,311	1%
godfish	433,859,176,747	50%
kaminchan	14,874,746,780	51%
shebe	463,443,326	6%
ctf	3,019,162,540	100%
reinhard-schmid	313,279,306,199	100%
kimzwarch	16,037,644,045	4%
sportschain	943,985,001	50%
jedigeiss	2,821,430,422,040	100%
rmp	3,684,894,683	100%
aidefr	531,016,361	2.6%
sorin.cristescu	5,757,501,902	1%
therealwolf	1,473,077,736,105	100%
espoem	15,729,739,568	5%
boomerang	1,619,574,028,384	100%
honeydue	129,432,770,508	30%
calimeatwagon	2,192,579,411	35%
curatorem	410,293,733	100%
silasvogt	966,358,366	50%
tixinhacapitinha	2,606,154,862	100%
feo	1,017,014,103	100%
sourovafrin	4,328,708,903	60%
sunsea	265,080,191,888	100%
smartsteem	4,739,212,167,145	100%
xsasj	2,042,756,129	1.5%
travoved	74,259,428,965	100%
itchyfeetdonica	5,802,637,473	0.75%
rcshad0w	80,027,102,447	100%
cervisia	123,498,793,647	73.16%
obvious	162,896,613,340	100%
robotics101	970,960,352	3.25%
sneakyninja	2,768,732,647	3.99%
nataliabuchynska	10,429,724,541	100%
pignus	2,651,239,240	100%
fiducia	0	100%
kissi	15,349,947,542	67.5%
gabrielatravels	1,034,081,233	0.52%
nerdtopiade	29,166,392,697	60%
changue	375,776,599	100%
manncpt	2,862,047,638	1.5%
jnmarteau	565,757,126	1.5%
udabeu	36,210,062,447	33%
jazzhero	572,233,190	0.75%
tomhall	29,223,355,095	100%
condeas	2,031,012,869,162	100%
bozz	380,318,493,885	20%
cst90	450,315,659,827	100%
movement19	1,033,562,971	3.75%
matschi	5,349,956,786	90%
melvin7	96,685,590,429	30%
jagoe	457,314,960	100%
letsplaywhatelse	2,089,787,215	75%
photobook	15,511,296,255	100%
backinblackdevil	42,792,656,422	100%
properfraction	62,794,052,497	100%
lauchmelder	2,567,214,358	50%
bil.prag	159,388,075,051	16%
sonius94	622,943,078	50%
ravenmus1c	2,085,984,586	0.1%
rivalzzz	206,845,485,419	100%
adamada	1,160,626,962	1%
teungkulik	26,572,706,617	100%
makney	4,358,368,018	100%
greddyforce	1,515,787,091	0.75%
hornet-on-tour	75,748,154,881	50%
juanmcar	10,138,333,335	100%
c0wtschpotato	11,818,511,148	50%
themightyvolcano	22,470,736,628	100%
dreimaldad	34,443,506,885	40%
emitste	1,504,450,884	100%
tresor	618,367,101	20%
achimmertens	8,897,579,482	2.5%
kgakakillerg	21,414,445,972	10%
flores39	2,718,703,504	100%
retard-gamer-de	1,342,042,610	50%
solominer	3,315,949,495,824	15%
fw206	910,293,350,858	11%
hatoto	141,706,736,289	20%
crypticat	2,526,739,075	0.75%
helpyou	8,393,341,728	100%
iamtom	620,696,756	75%
gerusan	2,728,278,203	100%
solarwarrior	121,526,297,501	100%
the.rocket.panda	5,187,471,834	100%
decepticons	857,099,933	30%
k3ldo	627,100,273	30%
apshamilton	227,710,307,373	15%
marjanko	364,128,444,652	100%
sbi6	475,169,413,325	59.65%
abcor	11,017,258,685	100%
carl05	3,476,377,535	6%
keepinitsteem	7,392,338,018	100%
thedailysneak	3,646,096,974	3.99%
unidos	3,092,640,694	100%
ro-witness	15,012,213,345	100%
gameexx	6,710,531,141	70%
vixmemon	9,010,269,131	30%
voxmortis	19,140,442,930	10%
babysavage	1,424,773,092	7.99%
ravensavage	728,158,369	7.99%
muscara	9,899,147,183	20%
piensocrates	559,788,975	20%
legendarydragons	6,841,487,423	100%
besheda	2,784,460,254	100%
nujzzmc	504,050,705	50%
linuxbot	30,421,298,334	100%
kizumo	822,739,028	100%
bluerobo	443,830,941,404	100%
j-p-bs	2,189,529,027	100%
riyuuhi	1,730,223,166	100%
kakakk	14,367,719,021	100%
victor-alexander	16,569,870,476	100%
monsterchiller	609,252,569	18%
northmen	792,716,213	100%
monster.oo7	6,135,681,788	100%
a1004	2,014,484,008	100%
broxi	24,342,471,457	100%
photoparadise	4,416,898,208	25%
driveforkids	1,628,786,532	22%
limka	215,135,045	98.76%
steemmonsterking	1,338,262,573	100%
hungryharish	25,765,161,495	100%
sophieandhenrik	4,989,231,292	25%
hungryanu	3,326,136,001	50%
steemcartel	4,684,346,242	100%
szf	1,978,292,799	100%
blue.rabbit	3,488,472,038	42%
epicdice	35,150,950,495	30%
coolsurfer	3,419,549,780	100%
sparschwein	52,861,171,953	100%
beerlover	127,782,364,123	100%
dachcolony	3,887,935,941	90%
tinyhousecryptos	455,027,073	5%
cryptomonica	17,996,224,067	100%
steemincome	525,864,237	12%
steemindian	4,315,705,223	100%
davidtron	4,798,001,889	75%
lrekt01	5,261,182,061	80%
scylla1	714,095,112	50%
tokenindustry	1,877,416,846	32.67%
sbi-tokens	6,646,054,328	7.99%
whangster79	3,902,951,944	15%
bilpcoinrecords	1,994,264,239	50%
therealyme	208,989,847,535	15%
axel-blaze	15,646,366,761	30%
dexy50	2,155,854,060	100%
im-ridd	10,025,135,668	50%
bilpcoinbpc	881,799,933	5%
monica-ene	802,272,317	1%
hivebuzz	8,186,728,801	3%
pinmapple	795,005,928	1.5%
hivetrending	6,172,621,026	1.5%
laruche	5,363,900,703	3.25%
bnk	7,428,703,146	20%
hiveonboard	41,349,191,254	75%
hivelist	1,263,247,580	1%
miloshpro	1,878,939,671	100%
recoveryinc	4,872,725,547	7.5%
dying	523,071,912	15%
zaddyboy	571,067,688	10%
netaterra.leo	976,000,570	13.5%
dadspardan	984,001,540	1%
samrisso	5,246,595,383	7.5%
rezfit	5,582,765,067	50%
huzzah	555,131,397	2%
cooperclub	460,092,856	1%
tomtothetom	2,257,645,572	15%
mapetoke	522,610,968	100%
drricksanchez	43,788,181,755	7.5%
hive.pizza	46,901,914,244	2%
mrhoofman	4,348,677,155	25%
dajokawild	1,002,469,924	1%
louis.pay	1,773,234,467	100%
dividendencheck	11,950,276,983	100%
musicandreview	476,209,558	0.75%
playagame	0	9%
seattlea	247,163,357,240	100%
sygxwin	21,353,542,307	100%
acantoni	2,325,076,407	7.5%
snaqz	710,503,240	100%
kesonaichi	459,447,570	100%
ivan-jz4	10,216,171,945	100%
sephiwolf	430,180,463	6%
kisifer	0	100%
bravetofu	999,263,460,198	100%
herman-german	5,943,365,258	50%
crypt0gnome	1,082,919,512	1%
michaelreischer	24,683,518,121	50%
zihadlo	801,915,921	50%
ripusun	26,418,629,048	100%
karizma	30,220,926,592	100%
prosocialise	4,727,429,547	1%
flummi97	0	2%
pero82	4,892,594,951	100%
visionarystudios	10,482,895,876	100%
glimpsytips.dex	8,536,951,584	24%
holykikyo	245,417,721	2%
sc000	64,141,639,339	100%
blackmedschn	9,259,739,476	28.74%
ogfox	83,754,433,897	100%
megstarbies	1,984,150,931	100%
minas-glory	13,926,609,174	100%
cards4rent	7,409,189,008	50%
hive-195880	665,479,373	15%
naters	502,332,383	100%
splinterboost	298,342,944,388	12%
terracore	2,172,211,554	6%
aslamrer	538,228,429	0.75%
samueluche07	1,300,453,106	50%
dandegrischdine	9,534,636,429	100%
terraboost	36,371,564,930	2%
foodiefrens	482,399,293	100%
cur8	1,127,893,218,810	30%
monzo	2,614,061,555	40%
bellscoin	2,990,064,019	100%
menny.trx	792,911,110	15%
dianypds	3,186,850,078	100%
endhivewatchers	0	0.5%
roswelborges	1,243,820,275	10%
custemotion	335,322,079	100%
berlinrebels	3,673,483,806	100%

@bozz · Mar 12

I'm glad to know that monster market and the others are good to go. I have my license delegated to them specifically.

properties (22)

`author`	bozz
`permlink`	re-louis88-2025312t194756338z
`category`	hive-13323
`json_metadata`	{"type":"comment","tags":["hive-13323","sps","validator","splinterlands","community","hive","blog","security","testing","hacking","pentest"],"app":"ecency/3.2.1-mobile","format":"markdown+html"}
`created`	2025-03-12 23:47:57
`last_update`	2025-03-12 23:47:57
`depth`	1
`children`	0
`last_payout`	2025-03-19 23:47:57
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	117
`author_reputation`	2,283,752,108,101,902
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,395,075
`net_rshares`	0

@jackjackson2nd · Mar 12

your effort trying to make Hive/Splinterlands/the entire eco- a safer place- is very much appreciated- great work & have a great day

properties (22)

`author`	jackjackson2nd
`permlink`	re-louis88-st1as3
`category`	hive-13323
`json_metadata`	{"tags":["hive-13323"],"app":"peakd/2025.2.3","image":[],"users":[]}
`created`	2025-03-12 23:33:42
`last_update`	2025-03-12 23:33:42
`depth`	1
`children`	0
`last_payout`	2025-03-19 23:33:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	132
`author_reputation`	1,222,580,059,298
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,394,763
`net_rshares`	0

@sc000 · Mar 12

You're doing a great job and often try things I don't even have on my radar :D

properties (22)

`author`	sc000
`permlink`	re-louis88-st1803
`category`	hive-13323
`json_metadata`	{"tags":["hive-13323"],"app":"peakd/2025.2.3","image":[],"users":[]}
`created`	2025-03-12 22:33:39
`last_update`	2025-03-12 22:33:39
`depth`	1
`children`	2
`last_payout`	2025-03-19 22:33:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	78
`author_reputation`	1,490,851,416,253
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,393,555
`net_rshares`	0

@isnochys · Mar 16

Thank you for your [witness vote](https://hivesigner.com/sign/account-witness-vote?witness=isnochys&approve=1)!
 Have a !BEER on me!
To Opt-Out of my witness beer program just comment STOP below

properties (22)

`author`	isnochys
`permlink`	re-re-louis88-st1803-20250316t222700z
`category`	hive-13323
`json_metadata`	"{"app": "beem/0.24.26"}"
`created`	2025-03-16 22:27:03
`last_update`	2025-03-16 22:27:03
`depth`	2
`children`	0
`last_payout`	2025-03-23 22:27:03
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	194
`author_reputation`	47,850,827,855,444
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,477,610
`net_rshares`	0

@isnochys · Mar 23

Thank you for your [witness vote](https://hivesigner.com/sign/account-witness-vote?witness=isnochys&approve=1)!
 Have a !BEER on me!
To Opt-Out of my witness beer program just comment STOP below

👎 spaminator

`author`	isnochys
`permlink`	re-re-louis88-st1803-20250323t220951z
`category`	hive-13323
`json_metadata`	"{"app": "beem/0.24.26"}"
`created`	2025-03-23 22:09:54
`last_update`	2025-03-23 22:09:54
`depth`	2
`children`	0
`last_payout`	2025-03-30 22:09:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	194
`author_reputation`	47,850,827,855,444
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,635,085
`net_rshares`	-4,279,437,116
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
spaminator	0 B		-4,279,437,116	-0.25%

@splinterboost · Mar 12

 <center> This post has been supported by @Splinterboost with a 12% upvote! Delagate HP to Splinterboost to Earn Daily HIVE rewards for supporting the @Splinterlands community!</center> 

 <center> [ Delegate HP ](https://peakd.com/@splinterboost)  | [Join Discord](https://discord.gg/RK4ZHKmgcX) </center>

properties (22)

`author`	splinterboost
`permlink`	some-sps-validator-frontend-tests--proactively-testing-things
`category`	hive-13323
`json_metadata`	{"app":"splinterboost/0.1"}
`created`	2025-03-12 21:02:42
`last_update`	2025-03-12 21:02:42
`depth`	1
`children`	0
`last_payout`	2025-03-19 21:02:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	306
`author_reputation`	13,814,076,198,674
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,391,756
`net_rshares`	0

@vixmemon · Mar 14

Did you also scan the logs for PII or SPI data?

properties (22)

`author`	vixmemon
`permlink`	re-louis88-st3ff3
`category`	hive-13323
`json_metadata`	{"tags":["hive-13323"],"app":"peakd/2025.2.3","image":[],"users":[]}
`created`	2025-03-14 03:09:06
`last_update`	2025-03-14 03:09:06
`depth`	1
`children`	1
`last_payout`	2025-03-21 03:09:06
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	47
`author_reputation`	8,012,562,744,923
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,419,664
`net_rshares`	0

@louis88 · Mar 14

Nope.

👍 endhivewatchers

`author`	louis88
`permlink`	re-vixmemon-st3wc6
`category`	hive-13323
`json_metadata`	{"tags":["hive-13323"],"app":"peakd/2025.2.3","image":[],"users":[]}
`created`	2025-03-14 09:14:30
`last_update`	2025-03-14 09:14:30
`depth`	2
`children`	0
`last_payout`	2025-03-21 09:14:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	5
`author_reputation`	1,194,067,927,799,267
`root_title`	"Some SPS-Validator Frontend Tests ... proactively Testing things..."
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	141,423,564
`net_rshares`	0
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
endhivewatchers	0 B		0	0.5%