Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Reclaim Protocol>Low findings>Lack of sufficient claim-parameter validation
GeneralOverview
Findings
Critical (4)
High (2)
Medium (5)
Low (6)XSS via ignored content-disposition headerAddress bar not updated before page loadImproper TLS certificate parsingImproper host validation in QR-code proof requestProduction credentials in Git source repositoriesLack of sufficient claim-parameter validation
Informational (2)
DiscussionSpoofing risk via website data format instabilitySpoofing risk via insecure contains/RegEx checksSensitive data exposure riskUser-phishing riskLack of `postMessage` origin validationProxy/scraping service usageNode centralization risk
Audit ResultsSummary
Category: Coding Mistakes

Lack of sufficient claim-parameter validation

Low Severity
Low Impact
High Likelihood

Description

The witness SDK HTTP provider does not strictly validate the claim parameters in a number of ways. These include the following:

  • The scheme of the url parameter is not validated and is assumed to be https. Thus, a Reclaim node may sign incorrect claims for other schemes, such as http or file.

  • The responseMatches[*].type parameter is not validated to be either contains or regex. Thus, a Reclaim node may sign a claim with an invalid responseMatches[*].type value.

  • Additional, unknown properties are allowed in parameter signatures. If Reclaim ever adds additional properties, previously signed claims may be incorrect.

Impact

An attacker may receive signed claims that appear to be invalid and have not been properly checked.

Recommendations

Reclaim should strictly validate all claim parameters using a JSON schema or other validation system to ensure that nodes do not sign invalid claims that may become valid in the future.

Remediation

Zellic © 2025Back to top ↑