Wednesday 6 July 2022

[Disclosure] Bypassing the fixed reflected XSS on👨‍⚕️ website

After we noted the vulnerability disclosure program on the BadApe NFT website (see, our team decided to poke around and see whether any other Malaysian-based company has a similar program.

We found one :). While they have a vulnerability disclosure program, after further discussion with them they agreed to let us publish this article without mentioning their name. Fair enough.

By simply browsing their website, we noted an obvious Reflected XSS and one DOM-Based XSS.

The DOM-Based XSS was interesting. The injection point was only reachable when the URL included a page parameter; without this parameter, the value was not reflected in the DOM. We used the Untrusted-Types DevTools plugin by @filedescriptor to detect this.

This was straightforward: inserting the XSS payload into the page parameter was enough for the XSS to execute.

Reflected XSS

The reflected XSS was also found in an obvious location. The page parameter on a different endpoint from the one above did not sufficiently sanitise user input, so it was possible for us to insert an XSS payload such as '"><img src=x onerror=alert(document.domain)>

We notified their security team and they immediately mitigated the issue. Once our team received their reply stating that the fix was done, we casually verified the fix and noted that it could be bypassed.

The initial fix restricted the page parameter to at most 4 characters; anything longer redirected us to a 404 error page. We were able to bypass that with the HTTP Parameter Pollution technique: a second page parameter appended to the request was still accepted and reflected in the response body. This allowed us to include the XSS payload again and successfully bypass the initial fix.
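The bypass above comes down to a mismatch between the value the length check inspects and the value the page reflects. The following is an added Node.js example, not the disclosed site's code or ours from the engagement: a handler that reproduces that mismatch (assumed here to length-check the first page value while rendering the last), beside a hardened handler that refuses duplicated parameters, allowlists the value and output-encodes whatever it reflects. All function names and query strings are constructed for the example.

```javascript
// Added example (not the disclosed site's code): how a length limit on a reflected
// "page" parameter is bypassed by HTTP Parameter Pollution, and a hardened handler
// that closes both the pollution and the underlying XSS. Query strings are constructed.

const MAX_PAGE_LEN = 4; // the limit described in the write-up

// HTML-encode a value for a double-quoted attribute or text context, so that a
// payload like '"><img src=x onerror=alert(document.domain)> cannot break out.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Weak handler, modelled on the initial fix: the length check runs on the FIRST
// "page" value, but the template reflects the LAST one. A request such as
// ?page=1&page=<payload> therefore passes the check and still reflects the payload.
function weakHandler(queryString) {
  const params = new URLSearchParams(queryString);
  const checked = params.get("page") ?? ""; // first occurrence only
  if (checked.length > MAX_PAGE_LEN) {
    return { status: 404, body: "Not Found" };
  }
  const all = params.getAll("page");
  const reflected = all.length ? all[all.length - 1] : ""; // last occurrence wins
  return { status: 200, body: `<input type="text" value="${reflected}">` };
}

// Hardened handler: a parameter that appears twice is rejected outright, the single
// value must match a strict allowlist, and the reflection is output-encoded.
function hardenedHandler(queryString) {
  const params = new URLSearchParams(queryString);
  const all = params.getAll("page");
  if (all.length > 1) {
    return { status: 400, body: "Duplicate page parameter" };
  }
  const page = all[0] ?? "";
  if (!/^\d{1,4}$/.test(page)) {
    return { status: 404, body: "Not Found" }; // allowlist: one to four digits
  }
  return { status: 200, body: `<input type="text" value="${htmlEncode(page)}">` };
}

// Constructed sample requests: the payload sent directly (blocked by the length
// check) and the polluted request that carries the same payload past it.
const PAYLOAD = '\'"><img src=x onerror=alert(document.domain)>';
const SAMPLES = {
  direct: `page=${encodeURIComponent(PAYLOAD)}`,
  polluted: `page=1&page=${encodeURIComponent(PAYLOAD)}`,
};

// Run both handlers over the samples and return the outcomes for inspection.
function demo() {
  return {
    weakDirect: weakHandler(SAMPLES.direct).status,             // 404: length check holds
    weakPolluted: weakHandler(SAMPLES.polluted),                // 200, payload reflected raw
    hardenedPolluted: hardenedHandler(SAMPLES.polluted).status, // 400: duplicates refused
    hardenedBenign: hardenedHandler("page=12").body,            // encoded, well-formed output
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened version is that neither fix on its own is the real one: the length limit and the duplicate check only reduce the attack surface, while the allowlist plus context-aware output encoding is what actually stops the parameter from ever being interpreted as markup.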

Again, our team was happy with the quick response and their commitment to security. They immediately reviewed and corrected the problem. We reviewed and confirmed the fix was correctly implemented this time.

Thank you to their security team, and we hope more companies in Malaysia will accept vulnerability disclosures from outsiders.