Reflected Cross-Site Scripting (XSS) in HTML Routes #12

@LSUDOKO

Description

The lensmint-public-server serves raw HTML responses for the following routes:

  • /verify/:claim_id
  • /claim/:claim_id

When a claim is not found in the database, the server directly injects the user-provided claim_id parameter into the HTML response without sanitization.

This allows user-controlled input to be rendered inside the HTML page, creating a Reflected Cross-Site Scripting (XSS) vulnerability.


Impact

An attacker can craft a malicious URL containing a JavaScript payload.

If a victim visits this URL, the injected JavaScript will execute in the victim's browser.

This could allow the attacker to:

  • Steal cookies
  • Capture session tokens
  • Perform actions on behalf of the user
  • Redirect users to malicious websites

Reproduction Steps

  1. Ensure the lensmint-public-server is running locally on port 5001.

  2. Open the following URL in a browser:

     http://localhost:5001/verify/<script>alert('XSS_VULNERABILITY')</script>

  3. Since the claim ID <script>alert('XSS_VULNERABILITY')</script> does not exist in the database, the server returns the 404 HTML template.

  4. The browser executes the injected script, resulting in an alert box appearing.


Code Reference

File: lensmint-public-server/server.js
Lines: 249–268

if (!claim) {
  return res.status(404).send(`
    <!DOCTYPE html>
    <html>
    <head>
      <title>Claim Not Found</title>
      <!-- ... styles ... -->
    </head>
    <body>
      <h1 class="error">Claim Not Found</h1>
      <p>The claim ID "${claim_id}" does not exist.</p> <!-- 🚨 VULNERABILITY HERE -->
    </body>
    </html>
  `);
}
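For comparison, here is a hardened form of the same 404 response. This is an added example written for this page, not code from the lensmint-public-server repository: the template is the one quoted above, but claim_id is HTML-escaped before interpolation and, as a second layer, rejected up front when it does not match an expected shape. The function names (escapeHtml, renderClaimNotFound, makeClaimHandler), the allow-list pattern, and the in-memory sample claims are all assumptions made for the example; a real route would await a database lookup instead of the synchronous findClaim used here.

```javascript
// Added example (not the project's own code): output-encoding fix for the
// reflected XSS in the "Claim Not Found" template, plus an input allow-list.

// Encode the characters that can break out of HTML text or attribute context.
// This is the minimal fix: with claim_id encoded, "<script>" becomes "&lt;script&gt;"
// and is displayed as text rather than parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same template as the vulnerable snippet, with the interpolation encoded.
function renderClaimNotFound(claimId) {
  return `<!DOCTYPE html>
<html>
<head>
  <title>Claim Not Found</title>
</head>
<body>
  <h1 class="error">Claim Not Found</h1>
  <p>The claim ID "${escapeHtml(claimId)}" does not exist.</p>
</body>
</html>`;
}

// Found page: every dynamic value is encoded, not just the one that was reported.
function renderClaimFound(claim) {
  return `<!DOCTYPE html>
<html>
<head><title>Claim ${escapeHtml(claim.id)}</title></head>
<body>
  <h1>Claim ${escapeHtml(claim.id)}</h1>
  <p>${escapeHtml(claim.title)}</p>
</body>
</html>`;
}

// Defense in depth: an allow-list for the ID format. The pattern is an assumption;
// use whatever format the real claim IDs actually have.
const CLAIM_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
function isValidClaimId(claimId) {
  return CLAIM_ID_PATTERN.test(String(claimId));
}

// Constructed sample data standing in for the database.
const SAMPLE_CLAIMS = {
  'abc-123': { id: 'abc-123', title: 'Sample claim <constructed for the example>' },
};
function findClaim(claimId) {
  return SAMPLE_CLAIMS[claimId] || null;
}

// Builds an Express-style handler (req, res) for /verify/:claim_id and /claim/:claim_id.
// Kept synchronous here so the example runs without a database; the real lookup
// would be awaited.
function makeClaimHandler(lookup) {
  return function handler(req, res) {
    const claimId = req.params.claim_id;
    if (!isValidClaimId(claimId)) {
      // Malformed ID: reject early. Still rendered through the encoding path.
      return res.status(400).send(renderClaimNotFound(claimId));
    }
    const claim = lookup(claimId);
    if (!claim) {
      return res.status(404).send(renderClaimNotFound(claimId));
    }
    return res.status(200).send(renderClaimFound(claim));
  };
}

// Wiring for context; app is an Express app (not required or started here):
//   app.get('/verify/:claim_id', makeClaimHandler(findClaim));
//   app.get('/claim/:claim_id', makeClaimHandler(findClaim));
```

The encoding step is the actual fix: it closes the reflected XSS regardless of what reaches the template. The allow-list is cheap extra assurance and also turns malformed IDs into a 400 rather than a 404, which makes them easy to spot in access logs. A templating engine that auto-escapes (or `escape-html` from npm) does the same job as `escapeHtml` with less chance of a missed call site.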
