Improving front-end security
The Babylon team was concerned about front-end attacks such as CDN compromise and BGP hijacking, and we discussed the appropriate defensive mechanisms for each.
XSS
The likelihood of XSS (cross-site scripting) in the current system appears to be low. Firstly, there are very few front-end pages, which reduces the attack surface. Secondly, most DOM elements are not easily controllable by users, making it harder to inject malicious scripts. Lastly, Next.js (via React) escapes rendered values by default, so injected strings are not interpreted as HTML tags, providing an additional layer of protection.
However, if an XSS vulnerability were to occur, it could have severe consequences, particularly in relation to the connected OKX wallet. The OKX wallet signs transactions without validating that the transaction data actually belongs to a staking operation. In the event of an XSS attack, an attacker could change the API endpoint the dashboard talks to or tamper with the transaction data so that the user's UTXOs are sent to an attacker-controlled address, i.e. an arbitrary transfer of funds.
The primary defense against XSS vulnerabilities is to exercise caution and follow best practices when adding new code to the staking dashboard or to other front-end components that interact with browser extensions such as the OKX wallet. This includes validating and sanitizing user inputs, encoding output properly, implementing a Content Security Policy (CSP), and regularly updating dependencies so that they are free from known vulnerabilities.
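As an added example (not code from the Babylon dashboard), the following helpers show the three application-level controls just listed in runnable form: output encoding for any value that is placed into HTML by hand, an origin allowlist that rejects a swapped API endpoint before a request is made, and a restrictive CSP string for a single-origin dashboard. The API origin, function names and sample inputs are assumptions constructed for the example.

```javascript
// Added example (not Babylon code): pure helpers for the XSS mitigations
// recommended above. The API origin and all sample values are constructed.

// 1. Output encoding: escape a string before it is placed into HTML.
//    React/Next.js does this for ordinary JSX values, but any code path that
//    builds HTML by hand (or uses dangerouslySetInnerHTML) needs it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// 2. Endpoint allowlist: the report notes that injected script could point
//    the dashboard at a different API. Pinning the origin of every fetch to a
//    fixed allowlist means a swapped endpoint is rejected before any request.
function isAllowedEndpoint(urlString, allowedOrigins) {
  let url;
  try {
    url = new URL(urlString);          // throws on malformed input
  } catch {
    return false;
  }
  // Compare whole origins (scheme + host + port), never substrings of the URL,
  // so lookalike hosts that merely contain the expected name are rejected.
  return url.protocol === 'https:' && allowedOrigins.includes(url.origin);
}

// 3. Content Security Policy: a restrictive baseline for a single-origin
//    dashboard. connect-src limits where fetch/XHR may go, which is the same
//    control as (2), but enforced by the browser.
function buildCsp(apiOrigins) {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
    `connect-src 'self' ${apiOrigins.join(' ')}`,
  ].join('; ');
}

// Constructed sample values for a quick self-check (assumed origin, not Babylon's).
const API_ORIGINS = ['https://api.staking.example'];

function demo() {
  return {
    escaped: escapeHtml('<b>"hi" & \'bye\'</b>'),
    good: isAllowedEndpoint('https://api.staking.example/v1/delegations', API_ORIGINS),
    lookalike: isAllowedEndpoint('https://api.staking.example.lookalike.example/v1', API_ORIGINS),
    csp: buildCsp(API_ORIGINS),
  };
}
```

The CSP string is meant to be sent as the Content-Security-Policy response header; the allowlist check belongs in the one place where the dashboard constructs requests, so that no component can reach a URL that is not in the list.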
CDN hacks
The dashboard is currently not exposed to CDN compromise because it does not load any scripts from external resources.
At the application level, keeping modules bundled locally rather than loading them from external hosts, and applying Subresource Integrity (SRI) to any resource that must be loaded externally, would further harden the front end. SRI hash calculation is performed during the development and deployment stages: developers compute the hash of each external resource in advance and include it in the integrity attribute of the script or link tag. The expected hash is therefore fixed before any compromise of the hosting CDN, and the browser refuses to execute a resource whose content no longer matches it.
BGP hijacking
From the perspective of defending against BGP hijacks, RPKI (Resource Public Key Infrastructure) helps validate the legitimacy of BGP route announcements: it ensures that the entity announcing a specific IP-address range is indeed authorized to do so. By using a service provider that has implemented RPKI, such as Cloudflare or Akamai, the team can benefit from this additional layer of network-level protection with little effort. For example, balancer.fi experienced BGP hijacking before, but Cloudflare was able to issue a warning.
Since BGP hijacking happens at the network-infrastructure level, the website itself cannot completely prevent it. In addition to applying RPKI, continuous monitoring should confirm that the routes and origin AS observed for the site's prefixes are the expected ones, and that the integrity of the main page and its third-party inclusions is intact, so that any abuse of the main site is detected quickly.
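As an added example (not Babylon's monitoring code), the block below implements the route origin validation that RPKI-aware providers perform, following the RFC 6811 states (valid, invalid, not-found), and uses it as the core of the routing check recommended above: observed announcements for the site's prefixes are compared against the published ROAs and anything that is not valid is flagged. All prefixes and AS numbers are constructed from documentation ranges, and the route source is assumed to be a route collector feed.

```javascript
// Added example (not Babylon code): RFC 6811 route origin validation against
// RPKI ROAs, as a building block for a routing monitor. All prefixes and AS
// numbers below are constructed from documentation ranges.

// Parse "a.b.c.d/len" into a network number (unsigned 32-bit), length and mask.
function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  const octets = (ip || '').split('.').map(Number);
  const okOctets = octets.length === 4 && octets.every((o) => Number.isInteger(o) && o >= 0 && o <= 255);
  if (!okOctets || !Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix: ${cidr}`);
  const addr = ((octets[0] << 24) >>> 0) + (octets[1] << 16) + (octets[2] << 8) + octets[3];
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;   // a shift by 32 is a no-op in JS, hence the special case
  return { network: (addr & mask) >>> 0, length: len, mask };
}

// A ROA "covers" an announcement when its prefix contains the announced prefix;
// a covering ROA "matches" when the origin AS is equal and the announced
// length does not exceed maxLength. valid = some match, invalid = covered but
// no match, not-found = no covering ROA at all.
function validateOrigin(announcement, roas) {
  const ann = parseCidr(announcement.prefix);
  let covered = false;
  for (const roa of roas) {
    const p = parseCidr(roa.prefix);
    if (p.length > ann.length) continue;                        // ROA more specific than the route
    if (((ann.network & p.mask) >>> 0) !== p.network) continue; // route not inside ROA prefix
    covered = true;
    const maxLength = roa.maxLength ?? p.length;                // absent maxLength means exact length only
    if (roa.asn === announcement.originAsn && ann.length <= maxLength) return 'valid';
  }
  return covered ? 'invalid' : 'not-found';
}

// Monitor step: given routes observed for the site's prefixes (assumed to come
// from a route collector), return every one that is not RPKI-valid.
function findSuspiciousRoutes(observed, roas) {
  return observed
    .map((r) => ({ ...r, state: validateOrigin(r, roas) }))
    .filter((r) => r.state !== 'valid');
}

// Constructed ROAs and observed announcements.
const ROAS = [
  { prefix: '203.0.113.0/24', maxLength: 24, asn: 64496 },
  { prefix: '198.18.0.0/15', maxLength: 16, asn: 64500 },
];
const OBSERVED = [
  { prefix: '203.0.113.0/24', originAsn: 64496 },    // legitimate origin
  { prefix: '203.0.113.0/24', originAsn: 64511 },    // unexpected origin AS
  { prefix: '203.0.113.128/25', originAsn: 64496 },  // more specific than maxLength permits
  { prefix: '192.0.2.0/24', originAsn: 64496 },      // no ROA published for this prefix
];

function demo() {
  return findSuspiciousRoutes(OBSERVED, ROAS);
}
```

In a real deployment the ROAS list would be fetched from a validated RPKI cache and OBSERVED from a looking-glass or route-collector API; the "not-found" state is worth alerting on too, because it usually means a ROA is missing for one of the site's own prefixes, leaving it without RPKI protection.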