Friday 24 June 2022

[Disclosure] DOM-based XSS on BadApe NFT website


Recently, one of our wizards came across BadApe NFT. The BadApe NFT project is a collection of 10,000 bad apes with proof of ownership stored on the Binance Smart Chain. Their collection looks cool; however, our team members are not into cryptocurrency and NFTs. Most importantly, the project was founded by local NFT enthusiasts and has been supported by a few famous figures such as Soloz and Joe Flizzow.

While looking at their roadmap, contributions to the NFT community and other news, we noted that they have a Vulnerability Disclosure Programme, as stated here: https://badape.io/vulnerability-disclosure-program/

We thought, “hah! This is interesting”, since this was our first time seeing a Malaysian-based company with a vulnerability disclosure programme. This shows that they are concerned about the security of their assets and want them to be properly secured.

Since we had just finished an internal penetration testing engagement at that time, we spent some time testing their website.

We started with a domain enumeration using Subfinder by ProjectDiscovery. We found the following subdomains:

www.badape.io
store.badape.io
dimension.badape.io
staging.badape.io
hub.badape.io
ftp.badape.io

We then further investigated the technologies used by these websites using httpx and found that most of them are fronted by Cloudflare. We picked their main website, https://badape.io, because at the time of testing we observed that it was running an outdated WordPress version.

We ran WPScan to determine whether any outdated plugins were in use. What a stroke of luck (for us): the scan showed that one of the plugins, Elementor, was outdated and vulnerable to a DOM-based XSS.

Checking the available proof-of-concept, we learnt that the plugin is vulnerable because its client-side handler for the following URL fragment
#elementor-action:action=lightbox&settings=
takes base64-encoded JSON from the settings parameter, decodes it, and renders the decoded content into the page for the user without sanitisation. Because the fragment never reaches the server, the injection happens entirely in the browser's DOM.

Thus, crafting a simple payload such as:

{
"type":"null",
"html":"<script>alert('xss')</script>"
}

and encoding it to base64 was sufficient to trigger an alert box as a proof of concept:

https://badape.io/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9
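To make the root cause concrete, here is an added illustrative example (not Elementor's or BadApe's code) that reconstructs the vulnerable pattern described above beside a hardened handler for the same fragment. The parser, the allowlist of lightbox types and the `url` field of the hardened version are assumptions for the illustration; `el` stands in for a DOM element.

```javascript
// Added example, not the plugin's code: a reconstruction of the vulnerable pattern and a fix.
const ACTION_PREFIX = '#elementor-action:';

// Base64 decode that works in the browser (atob) and in Node (Buffer); ASCII payloads assumed.
function decodeBase64(raw) {
  return typeof atob === 'function' ? atob(raw) : Buffer.from(raw, 'base64').toString('latin1');
}

// Parse "#elementor-action:action=<name>&settings=<base64 JSON>" taken from location.hash.
// Returns null if the fragment is not an action or the settings are not valid base64/JSON.
// Assumption: the settings value is percent-encoded, so '+' inside base64 survives URLSearchParams.
function parseActionHash(hash) {
  if (!hash.startsWith(ACTION_PREFIX)) return null;
  const params = new URLSearchParams(hash.slice(ACTION_PREFIX.length));
  const action = params.get('action');
  const raw = params.get('settings');
  if (!action || !raw) return null;
  try {
    return { action, settings: JSON.parse(decodeBase64(raw)) };
  } catch (e) {
    return null; // malformed base64 or JSON: ignore the fragment
  }
}

// VULNERABLE: the attacker-controlled "html" value from the URL fragment reaches an HTML
// sink (innerHTML), so any markup in it is parsed and executed by the browser.
function renderLightboxVulnerable(settings, el) {
  el.innerHTML = settings.html;
  return el;
}

// HARDENED: fragment data is treated as data. Only allowlisted lightbox types are accepted
// (assumed names), the "html" key is ignored entirely, and values are written as text, not markup.
const ALLOWED_TYPES = new Set(['image', 'video']);

function renderLightboxHardened(settings, el) {
  if (!settings || !ALLOWED_TYPES.has(settings.type)) {
    return null; // unknown type such as "null" is refused
  }
  const url = String(settings.url || ''); // hypothetical field for the illustration
  if (!/^https:\/\//.test(url)) return null; // only absolute https URLs are rendered
  el.textContent = `${settings.type}: ${url}`; // text sink: no HTML parsing takes place
  return el;
}
```

Running the page's own fragment through the two renderers shows the script markup landing in `innerHTML` in the vulnerable path and being refused outright in the hardened one.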

We submitted the report, and the BadApe NFT team immediately responded to our email and mitigated the issue.

Timeline:

  • 20 June 2022: Discovered DOM-based XSS and reported to BadApe NFT team via [email protected]
  • 20 June 2022: Their team replied to us and informed us of a timeline to fix it.
  • 23 June 2022: BadApe NFT replied and told us the issue has been fixed and asked us to confirm.
  • 23 June 2022: REHACK confirmed the fix.
  • 24 June 2022: Disclosure