    Huaqun Xingjie - A Survey on blockchain Technology and its Security - 2022 March

| Vulnerability | Impact on Blockchain | Details |
| --- | --- | --- |
| Cross-Site Scripting (XSS) | Affects Blockchain in some ways | Blockchain explorers under XSS attack could display untrusted transaction data; both Blockchain explorers and wallets under XSS attack could allow access to a user's private key and control over his/her account. |
| Insecure Deserialization | May compromise Blockchain systems | If malicious users control transaction data, Blockchain systems may be compromised by vulnerable deserialization code. |
| Using Components with Known Vulnerabilities | Very common to reuse code for Ethereum smart contracts | More than 90% of smart contracts in Ethereum reuse code and may contain known vulnerabilities. |
| Insufficient Logging & Monitoring | Log owners may not monitor their logs | Smart contracts may lack monitoring, so hackers may exploit their vulnerabilities without being detected. |
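Added example (not code from the survey or from any explorer project) showing the XSS row above from the defender's side: a block explorer rendering a hex-encoded on-chain memo field must treat the decoded bytes as attacker-controlled input. The transaction field names, the hex memo encoding and the sample transaction are assumptions.

```javascript
// Added example: on-chain payloads are written by arbitrary users and are
// immutable, so an explorer must escape them before putting them in a page.
// Field names (hash, data) and the hex encoding of the memo are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every HTML-significant character so the browser shows text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Memo/input data arrives as hex; reject anything that is not well-formed hex.
function decodeHexPayload(hex) {
  const clean = hex.replace(/^0x/i, "");
  if (!/^[0-9a-f]*$/i.test(clean) || clean.length % 2 !== 0) {
    throw new Error("payload is not valid hex");
  }
  return Buffer.from(clean, "hex").toString("utf8");
}

// Vulnerable rendering: decoded bytes are concatenated straight into HTML.
function renderTxRowUnsafe(tx) {
  return `<tr><td>${tx.hash}</td><td>${decodeHexPayload(tx.data)}</td></tr>`;
}

// Hardened rendering: validate the hash format and escape the decoded payload.
function renderTxRowSafe(tx) {
  if (!/^0x[0-9a-f]{64}$/i.test(tx.hash)) throw new Error("malformed tx hash");
  return `<tr><td>${tx.hash}</td><td>${escapeHtml(decodeHexPayload(tx.data))}</td></tr>`;
}

// Detection hook: flag payloads that contain markup so they can be logged and reviewed.
function payloadLooksLikeMarkup(tx) {
  return /<\s*[a-z!/]/i.test(decodeHexPayload(tx.data));
}

// Constructed sample: a memo field carrying a script tag instead of plain text.
const SAMPLE_TX = {
  hash: "0x" + "ab".repeat(32),
  data: "0x" + Buffer.from("<script>alert(1)</script>", "utf8").toString("hex"),
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderTxRowUnsafe(SAMPLE_TX)); // raw tag reaches the page
  console.log(renderTxRowSafe(SAMPLE_TX));   // tag is shown as text
}
```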
TABLE IV. BLOCKCHAIN SECURITY RISK CATEGORIES AT LOW LEVEL IN [29]

| S/N | Category |
| --- | --- |
| | 51% vulnerability |
| | Criminal activity |
| | Private key security |
| | Transaction privacy leakage |
| | Double spending |
| | Criminal smart contracts |
| | Under-priced operations |
| | Smart contract’s vulnerabilities |
| | Under-optimized smart contract |
Another research group presented Blockchain security at a higher level. They pointed out that, like traditional computing, the Blockchain faces potential attacks in the areas of Denial-of-Service (DoS), endpoint security, intentional misuse, code vulnerabilities, and data protection, but the details of launching the attacks vary [40]. Besides DoS attacks, other research work also presented BGP (Border Gateway Protocol) hijacks that manipulate routing advertisements, routing attacks that delay the propagation of blocks or isolate parts of the Blockchain network, eclipse attacks that isolate a victim from the view of the network, the EREBUS attack, which turns malicious transit autonomous systems (ASes) into a man-in-the-middle network between Bitcoin nodes to influence the nodes' decisions as a stealthier attack, DNS attacks, and remote side-channel attacks. We put those attacks under the network attacks category. Our paper adds one more risk category, human negligence, since the human is a weak point in any system. Table V lists six risk categories which may be exploited by attackers to launch attacks.

Combining Table III, Table IV and Table V, we arrive at the comprehensive view of security risks on Blockchain shown in Table VI. Some other low-level security risks, such as wallet security, Sybil attacks, personal key security (listed to highlight its importance), and the liveness attack, balance attack, timejacking attack, Finney attack, race attack and SelfHolding attack, which we put under the intentional misuse category, are also listed in Table VI. In the table, it is clear that code vulnerabilities have the largest risk surface on Blockchain. Under code vulnerabilities, we divide code into the core software code that Blockchain 1.0 and 2.0 are built upon, and smart contracts, which only exist in Blockchain 2.0. Under the core software code, we highlight wallet security since quite a number of attacks target wallets.
TABLE V. BLOCKCHAIN SECURITY RISK CATEGORIES AT HIGH LEVEL