Wormable Cross-Site Scripting in Rarible's NFT Marketplace

In April 2022, researchers uncovered a wormable stored XSS vulnerability on rarible.com, one of the largest NFT marketplaces. The flaw allowed attackers to persistently inject malicious JavaScript into profile pages, bypassing Cloudflare's WAF and enabling large-scale wallet compromises. This case illustrates the critical intersection of Web3 applications, traditional web vulnerabilities, and the unique risks of decentralized ecosystems.

Key Terms Explained:
XSS (Cross-Site Scripting): A web vulnerability where malicious scripts are injected into trusted websites, executing in users' browsers.
NFT Marketplace: A platform where users can buy, sell, and trade Non-Fungible Tokens - unique digital assets stored on blockchain.
WAF (Web Application Firewall): A security system that filters and monitors HTTP traffic to protect web applications from attacks.
Wallet Compromise: Unauthorized access to cryptocurrency wallets, potentially leading to theft of digital assets.

Summary

On April 14th, 2022, a vulnerability was discovered in Rarible's profile image functionality. Attackers could inject arbitrary HTML and JavaScript that would persist across the site as the victim navigated. This meant that once a victim viewed a malicious profile, the payload could follow them throughout the marketplace—intercepting smart contract interactions, modifying metadata, and even spreading autonomously like a worm.

Smart Contract Interactions: When users interact with blockchain programs (smart contracts) through web interfaces, typically involving transactions like buying NFTs, approving token transfers, or minting new tokens. These interactions require wallet signatures and are irreversible once confirmed on the blockchain.

The Rarible team patched the vulnerability in under two hours after disclosure, preventing exploitation in the wild. However, the impact—had it been weaponized—could have resulted in widespread theft of cryptocurrency and NFTs from the platform's extensive user base.

Understanding the Web3 Context

Web3 applications represent a new paradigm where traditional web interfaces connect users to blockchain networks. Unlike Web2 applications where data is stored on centralized servers, Web3 platforms interact with decentralized protocols where users maintain custody of their digital assets through cryptocurrency wallets.

Web3 Security Challenges:
Irreversible Transactions: Blockchain transactions cannot be undone, making theft permanent.
Wallet Custody: Users control their own private keys, making them responsible for security.
Bridge Vulnerabilities: Web interfaces act as bridges between users and smart contracts, creating attack vectors.
High-Value Targets: NFT collections and DeFi protocols often hold millions in digital assets.

Learn More About Web3 Security Consulting →

Key Risks

Platform scale: Rarible has over 2 million users and more than $250M in trading volume, magnifying potential harm across a massive user base.
Stored XSS worm: Payloads persisted in victim profiles, enabling self-propagation across the marketplace through social interactions.
Smart contract manipulation: Attackers could alter recipient addresses, prices, or grant token approvals silently during legitimate transactions.
Trusted domain exploitation: Malicious code executed from the official rarible.com domain, making detection nearly impossible for end-users and bypassing browser security warnings.

Token Approvals: A blockchain mechanism that allows smart contracts to spend tokens on behalf of users. Malicious approvals can grant attackers unlimited access to a user's token balance, enabling future theft even after the initial attack.

Technical Details

The flaw stemmed from improper sanitization of the photo parameter in Rarible's user profile API. The vulnerability occurred in the backend service responsible for updating user profiles, where input validation was insufficient to prevent HTML injection.

Attackers could send a crafted request such as:

POST /marketplace/api/v4/users/WALLET_ADDRESS HTTP/2
Host: api-mainnet.rarible.com
Content-Type: application/json
Authorization: Bearer JWT_TOKEN
...
{
  "signature": "WALLET_SIGNATURE",
  "publicKey": "WALLET_ADDRESS", 
  "photo": "<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=></iframe>"
}

While Cloudflare's WAF blocked simple payloads like <script>alert('xss')</script>, researchers bypassed it using a base64-encoded iframe injection. This technique works because:

The WAF examines the raw request, seeing only base64-encoded data
The browser decodes the base64 and executes the hidden JavaScript
Data URLs allow embedding complete HTML documents within iframes

Because Rarible's site uses client-side rendering (React/JavaScript framework), the malicious payload persisted across page transitions without requiring full page reloads, enabling worm-like behavior where infected profiles could spread the attack to other users.

Client-Side Rendering (CSR): A web architecture where the browser downloads a JavaScript application that dynamically generates page content. Unlike traditional server-side rendering, CSR apps maintain state between page changes, which can cause injected scripts to persist longer.

Secure your cryptocurrency investments with professional mining equipment. Buy Bitcoin Miners including Hosting from trusted suppliers.

Visit millionminer.com →

Attack Vector Analysis

Worm Propagation Mechanism

The wormable nature of this XSS vulnerability created a uniquely dangerous attack vector:

Initial Infection: Attacker creates malicious profile with XSS payload
Victim Browsing: User visits infected profile, payload executes in their browser
Profile Modification: Malicious script updates victim's profile with the same payload
Viral Spread: Victim's followers and marketplace browsers become infected
Exponential Growth: Each infected user becomes a vector for further spread

Web3-Specific Attack Scenarios

Unlike traditional XSS attacks, this vulnerability could have been weaponized to target blockchain-specific functionalities:

MetaMask Manipulation: Injected scripts could modify transaction parameters before users sign them
Phishing Integration: Fake wallet connection prompts could harvest private keys or seed phrases
Contract Interaction Hijacking: Legitimate NFT purchases could be redirected to attacker-controlled addresses
Gas Fee Manipulation: Transaction fees could be inflated, with excess sent to attacker wallets

Impact Scenarios

Wallet takeover: Victims could be prompted to unknowingly approve unlimited ERC-20 token transfers via manipulated MetaMask popups, granting attackers access to entire token balances.
Fake listings: Prices of popular NFTs (e.g., Bored Ape Yacht Club, CryptoPunks) could be altered client-side to bait purchases at inflated rates, with funds redirected to attacker wallets.
Profile hijacking: Once a signed-in victim viewed a malicious profile, their authentication tokens could be stolen and their account auto-infected, spreading the worm through their social network.
Brand abuse: Verified collections could have been spoofed with fake verification badges, eroding trust in the marketplace and potentially damaging artist reputations.
Market manipulation: Coordinated attacks could create artificial demand or panic selling by displaying false floor prices or trading volumes.

ERC-20 Tokens: A technical standard for fungible tokens on Ethereum, including popular cryptocurrencies like USDC, USDT, and thousands of other tokens. Token approvals allow smart contracts to spend these tokens on a user's behalf.

Why This Matters for Web3

Unlike traditional XSS, which may lead to data theft or account compromise, XSS in Web3 environments intersects with real financial assets stored on immutable blockchains. A single malicious payload could:

Directly drain wallets through malicious transaction approvals
Manipulate DeFi protocol interactions for financial gain
Alter immutable smart contract interactions with permanent consequences
Compromise private keys or seed phrases through sophisticated phishing
Exploit multi-signature wallets by tricking co-signers

DeFi Protocol: Decentralized Finance applications that provide financial services (lending, borrowing, trading) through smart contracts rather than traditional banks.
Private Keys/Seed Phrases: Cryptographic credentials that control cryptocurrency wallets. Compromise of these credentials results in permanent loss of funds.
Multi-Signature Wallets: Wallets requiring multiple parties to approve transactions, commonly used by organizations and DAOs.

This vulnerability demonstrates the urgent need for comprehensive security audits, advanced WAF evasion testing, and robust bug bounty incentives in decentralized platforms. As the NFT and DeFi markets mature, attackers increasingly target the critical interfaces that bridge Web2 user experiences with Web3 infrastructure.

Blockchain Security Implications

The intersection of traditional web vulnerabilities with blockchain technology creates unique risks:

Immutable Transactions: Once malicious transactions are confirmed on-chain, they cannot be reversed
Pseudonymous Attacks: Blockchain addresses provide some anonymity, making attribution difficult
Cross-Chain Risks: Modern NFT platforms support multiple blockchains, multiplying attack surfaces
Governance Token Manipulation: Attackers could influence DAO voting by compromising token holders

Disclosure Timeline

04/14/22 20:40 GMT-5 – Vulnerability disclosed to Rarible security team via Bugcrowd platform.
04/14/22 21:15 GMT-5 – Rarible acknowledges receipt and begins investigation.
04/14/22 22:30 GMT-5 – Patch deployed by Rarible development team across all production servers.
04/14/22 23:00 GMT-5 – Fix confirmed by researchers through independent testing.
04/16/22 – $5,000 bounty awarded via Bugcrowd responsible disclosure program.
04/18/22 – Additional security measures implemented, including enhanced input validation.

The rapid fix highlights effective incident response but also underscores the critical nature of Web3 security windows. During the ~2-hour exposure window, millions in digital assets were potentially at risk across Rarible's user base.

Lessons Learned

Wormable XSS: Stored XSS in social platforms can create self-propagating threats that spread exponentially through user interactions.
Web3 Surface Area: Blockchain security requires defending not just smart contracts, but also the entire stack of web interfaces, APIs, and integration points.
WAF Limitations: Modern security filters can be bypassed through encoding techniques, demanding comprehensive input validation at the application layer.
Client-Side Risks: Single-page applications and client-side rendering can cause injected payloads to persist longer than traditional server-rendered applications.
Economic Incentives: Bug bounty programs and responsible disclosure channels are essential for incentivizing security research in high-stakes financial environments.
Rapid Response: The financial nature of Web3 applications requires incident response capabilities that can deploy fixes within hours, not days.

Prevention and Mitigation Strategies

For Web3 Developers

Content Security Policy (CSP): Implement strict CSP headers to prevent inline script execution
Input Sanitization: Use libraries like DOMPurify for robust HTML sanitization
Output Encoding: Properly encode all user-generated content before rendering
Security Audits: Regular penetration testing focusing on Web3-specific attack vectors
Multi-Layer Defense: Combine WAF, application-level validation, and client-side protection

For Users

Transaction Verification: Always verify recipient addresses and amounts before signing
Hardware Wallets: Use hardware wallets for high-value transactions
Browser Security: Keep browsers updated and consider using dedicated browsers for crypto activities
Suspicious Activity: Report unusual behavior or unexpected transaction prompts immediately