Category: Coding Mistakes
Lack of TLS ALPN validation
Medium Impact
Medium Severity
Medium Likelihood
Description
The Reclaim node does not validate the Application-Layer Protocol Negotiation (ALPN) extension in the server's ServerHello message. TLS clients and servers use this field to determine what protocol (for example, HTTP/1.1 or HTTP/2) to use.
This value should be validated in tls/src/make-tls-client.ts:
async function processRecord(
  // ...
) {
  // ...
  const hello = await parseServerHello(content)
  // ...
}
Impact
If the Reclaim node does not validate the ALPN field, an attacker may be able to use a protocol other than HTTP/1.1, leading to parsing errors or other vulnerabilities.
Recommendations
The Reclaim node should validate the ALPN field in the ServerHello message.
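One way to implement this check, as an added example that is not code from the Reclaim repository: it enforces the RFC 7301 rule that the server's ALPN answer contains exactly one protocol name, and requires that name to be one the client offered. The function names, the raw extensions-block input and the `sampleAlpnExtension` helper are assumptions made for illustration.

```typescript
// Added example, not Reclaim code; all names here are hypothetical.
const ALPN_EXT_TYPE = 16 // application_layer_protocol_negotiation (RFC 7301)

// Finds the ALPN extension body in a raw extensions block
// (repeated: u16 type, u16 length, data). Returns undefined if absent.
function findAlpn(ext: Uint8Array): DataView | undefined {
  const v = new DataView(ext.buffer, ext.byteOffset, ext.byteLength)
  let off = 0
  while (off < ext.length) {
    if (off + 4 > ext.length) throw new Error('truncated extension header')
    const type = v.getUint16(off)
    const len = v.getUint16(off + 2)
    off += 4
    if (off + len > ext.length) throw new Error('truncated extension body')
    if (type === ALPN_EXT_TYPE) return new DataView(ext.buffer, ext.byteOffset + off, len)
    off += len
  }
  return undefined
}

// Returns the negotiated protocol, or undefined when the server sent no ALPN
// extension (the caller decides whether that is acceptable).
function validateServerAlpn(ext: Uint8Array, offered: string[]): string | undefined {
  const body = findAlpn(ext)
  if (!body) return undefined
  if (body.byteLength < 4) throw new Error('ALPN extension too short')
  const listLen = body.getUint16(0)
  const nameLen = body.getUint8(2)
  // The server's list must hold exactly one non-empty protocol name.
  if (listLen !== body.byteLength - 2 || nameLen === 0 || nameLen !== listLen - 1) {
    throw new Error('ALPN: server must select exactly one protocol')
  }
  let name = ''
  for (let i = 0; i < nameLen; i++) name += String.fromCharCode(body.getUint8(3 + i))
  if (offered.indexOf(name) === -1) {
    throw new Error(`ALPN: server selected "${name}", which was not offered`)
  }
  return name
}

// Constructed sample input: an ALPN extension carrying the given names.
function sampleAlpnExtension(names: string[]): Uint8Array {
  const list: number[] = []
  for (const n of names) {
    list.push(n.length)
    for (let i = 0; i < n.length; i++) list.push(n.charCodeAt(i))
  }
  const extLen = list.length + 2
  return new Uint8Array([0, ALPN_EXT_TYPE, extLen >> 8, extLen & 255, list.length >> 8, list.length & 255, ...list])
}
```

A client that only speaks HTTP/1.1 would call `validateServerAlpn(extensions, ['http/1.1'])` after parsing the server's extensions and abort the handshake if it throws.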