Wormable Cross-Site Scripting in Rarible's NFT Marketplace

In April 2022, researchers uncovered a wormable stored XSS vulnerability on rarible.com, one of the largest NFT marketplaces. The flaw allowed attackers to persistently inject malicious JavaScript into profile pages, bypassing Cloudflare's WAF and enabling large-scale wallet compromises. This case illustrates the critical intersection of Web3 applications, traditional web vulnerabilities, and the unique risks of decentralized ecosystems.

Key Terms Explained:
XSS (Cross-Site Scripting): A web vulnerability where malicious scripts are injected into trusted websites, executing in users' browsers.
NFT Marketplace: A platform where users can buy, sell, and trade Non-Fungible Tokens - unique digital assets recorded on a blockchain.
WAF (Web Application Firewall): A security system that filters and monitors HTTP traffic to protect web applications from attacks.
Wallet Compromise: Unauthorized access to cryptocurrency wallets, potentially leading to theft of digital assets.

Summary

On April 14th, 2022, a vulnerability was discovered in Rarible's profile image functionality. Attackers could inject arbitrary HTML and JavaScript that would persist across the site as the victim navigated. This meant that once a victim viewed a malicious profile, the payload could follow them throughout the marketplace—intercepting smart contract interactions, modifying metadata, and even spreading autonomously like a worm.

Smart Contract Interactions: When users interact with blockchain programs (smart contracts) through web interfaces, typically involving transactions like buying NFTs, approving token transfers, or minting new tokens. These interactions require wallet signatures and are irreversible once confirmed on the blockchain.

The Rarible team patched the vulnerability in under two hours after disclosure, preventing exploitation in the wild. However, the impact—had it been weaponized—could have resulted in widespread theft of cryptocurrency and NFTs from the platform's extensive user base.

Understanding the Web3 Context

Web3 applications represent a new paradigm where traditional web interfaces connect users to blockchain networks. Unlike Web2 applications where data is stored on centralized servers, Web3 platforms interact with decentralized protocols where users maintain custody of their digital assets through cryptocurrency wallets.

Web3 Security Challenges:
Irreversible Transactions: Blockchain transactions cannot be undone, making theft permanent.
Wallet Custody: Users control their own private keys, making them responsible for security.
Bridge Vulnerabilities: Web interfaces act as bridges between users and smart contracts, creating attack vectors.
High-Value Targets: NFT collections and DeFi protocols often hold millions in digital assets.

Key Risks

Token Approvals: A blockchain mechanism that allows smart contracts to spend tokens on behalf of users. Malicious approvals can grant attackers unlimited access to a user's token balance, enabling future theft even after the initial attack.

Technical Details

The flaw stemmed from improper sanitization of the photo parameter in Rarible's user profile API. The vulnerability occurred in the backend service responsible for updating user profiles, where input validation was insufficient to prevent HTML injection.

Attackers could send a crafted request such as:

POST /marketplace/api/v4/users/WALLET_ADDRESS HTTP/2
Host: api-mainnet.rarible.com
Content-Type: application/json
Authorization: Bearer JWT_TOKEN
...
{
  "signature": "WALLET_SIGNATURE",
  "publicKey": "WALLET_ADDRESS",
  "photo": "<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=></iframe>"
}

While Cloudflare's WAF blocked simple payloads like <script>alert('xss')</script>, researchers bypassed it using a base64-encoded iframe injection. This technique works because:

Because Rarible's site uses client-side rendering (a React-based JavaScript front end), the malicious payload persisted across page transitions, which do not trigger full page reloads; this enabled worm-like behavior in which an infected profile could spread the payload to other users who viewed it.

Client-Side Rendering (CSR): A web architecture where the browser downloads a JavaScript application that dynamically generates page content. Unlike traditional server-side rendering, CSR apps maintain state between page changes, which can cause injected scripts to persist longer.
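As an added example (not Rarible's code, nor the researchers'), the JavaScript below contrasts the literal-tag denylist the page says the WAF applied, the same check after decoding base64 `data:` URIs, and an allowlist validator for the `photo` field paired with attribute-safe rendering. The URL policy, the default avatar path and the sample values are assumptions for illustration.

```javascript
// Constructed samples: the two payloads the write-up mentions and a benign URL.
const SCRIPT_PAYLOAD = "<script>alert('xss')</script>";
const IFRAME_PAYLOAD =
  "<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=></iframe>";
const GOOD_PHOTO = "https://example.invalid/avatars/0xabc.png";

// 1. Denylist check of the kind a generic WAF signature applies: it only looks
//    for a literal <script tag, so the base64-encoded iframe body slips past it.
function denylistBlocks(value) {
  return /<script\b/i.test(value);
}

// 2. Same check, but base64 data: URIs are decoded first, so the hidden
//    <script> becomes visible. Decoding before matching is the detection fix.
//    (Buffer is a Node.js global.)
function decodedDenylistBlocks(value) {
  const decoded = value.replace(
    /data:[^;,]*;base64,([A-Za-z0-9+/=]+)/gi,
    (_, b64) => Buffer.from(b64, 'base64').toString('utf8'));
  return denylistBlocks(decoded);
}

// 3. The server-side fix is allowlisting: `photo` must be an absolute https://
//    or ipfs:// URL with no markup or whitespace characters. (Assumed policy;
//    the page does not state which rule Rarible adopted.)
function validatePhotoField(value) {
  if (typeof value !== 'string' || value.length > 2048) return false;
  let url;
  try { url = new URL(value); } catch { return false; }
  if (!['https:', 'ipfs:'].includes(url.protocol)) return false;
  return !/[<>"'`\s]/.test(value);
}

// 4. The rendering side binds the value as an attribute, never as raw HTML,
//    and falls back to a default avatar (assumed path) when validation fails.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderAvatar(photo) {
  const src = validatePhotoField(photo) ? photo : '/static/default-avatar.png';
  return `<img src="${escapeAttr(src)}" alt="avatar">`;
}
```

Run under Node.js; `denylistBlocks(IFRAME_PAYLOAD)` is false while `decodedDenylistBlocks(IFRAME_PAYLOAD)` is true, which is exactly the gap the bypass exploited.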

Attack Vector Analysis

Worm Propagation Mechanism

The wormable nature of this XSS vulnerability created a uniquely dangerous attack vector:

Web3-Specific Attack Scenarios

Unlike traditional XSS attacks, this vulnerability could have been weaponized to target blockchain-specific functionalities:

Impact Scenarios

ERC-20 Tokens: A technical standard for fungible tokens on Ethereum, including popular cryptocurrencies like USDC, USDT, and thousands of other tokens. Token approvals allow smart contracts to spend these tokens on a user's behalf.

Why This Matters for Web3

Unlike traditional XSS, which may lead to data theft or account compromise, XSS in Web3 environments intersects with real financial assets stored on immutable blockchains. A single malicious payload could:

DeFi Protocol: Decentralized Finance applications that provide financial services (lending, borrowing, trading) through smart contracts rather than traditional banks.
Private Keys/Seed Phrases: Cryptographic credentials that control cryptocurrency wallets. Compromise of these credentials results in permanent loss of funds.
Multi-Signature Wallets: Wallets requiring multiple parties to approve transactions, commonly used by organizations and DAOs.

This vulnerability demonstrates the urgent need for comprehensive security audits, advanced WAF evasion testing, and robust bug bounty incentives in decentralized platforms. As the NFT and DeFi markets mature, attackers increasingly target the critical interfaces that bridge Web2 user experiences with Web3 infrastructure.

Blockchain Security Implications

The intersection of traditional web vulnerabilities with blockchain technology creates unique risks:

Disclosure Timeline

The rapid fix highlights effective incident response but also underscores the critical nature of Web3 security windows. During the ~2-hour exposure window, millions in digital assets were potentially at risk across Rarible's user base.

Lessons Learned

Prevention and Mitigation Strategies

For Web3 Developers

For Users