A test suite to check for client-side script injection on websites that display NFTs.
NFTs contain a variety of metadata and content that gets processed and rendered all over the place. Some subspecies of NFTs (e.g. generative art) explicitly require arbitrary scripts to be executed. Allowing user-supplied code while preventing malicious actions is challenging. Rektosaurus implements a number of attacks to help test for client-side attacks.
To deploy your instance of Rektosaurus, clone the repository and create an .env
file containing your API and wallet keys.
ALCHEMY_MAINNET_API_URL = "xyz"
ETHERSCAN_API_KEY = "xyz"
PRIVATE_KEY_ETHEREUM = "xyz"
Update the config and deploy script to your liking and run:
$ npx hardhat run scripts/deploy.js
Note that you'll have to mint or batchmint the NFTs for them to show up on marketplaces.
Replace INSERT_YOUR_CALLBACK
in payloads directory with your preferred callback URL such as interact.sh or Burp Collaborator.
An instance of the smart contract is live on Mumbai. Payloads are hosted on rex.rektosaurus.io.
Please submit your payload ideas via pull request and I'll add them to the webserver.