XSS in Universal Studios Singapore’s website
Vulnerabilities in a web game
Universal Studios Singapore (USS) decided to hold a game contest for their annual Halloween Horror Nights (HHN). Basically, players had to collect ‘coins’ in a game that somewhat resembles Temple Run.
Well, after you ‘die’ you get to submit your score to the leaderboard and the top 4 contestants get free tickets.
In my previous semester, I learnt about Cross-Site Scripting (XSS) and how it comes in two forms, Reflected and Persistent. Reflected is where the attack only affects the user whose request carries it, while Persistent stores the attack on the webpage and affects any user who visits the affected webpage.
So I tried my luck by hoping Persistent XSS would work.
Honestly, I thought that it wouldn’t work, as well-established websites always secure themselves against XSS & SQL Injections since these attacks are so common. I submitted my score with the name ‘Vulnerability’, enclosing it in h1 tags.
Aaaand I got lucky :)
Since this was a pretty serious vulnerability, an email was sent to USS.
It had been 3 days and I hadn’t gotten a reply from them. So I went ahead to check if the vulnerability was patched. I tried submitting the same name as mentioned above and when it was displayed back to me from the leaderboard, the tags were removed. From what I could infer, their solution probably involved the server performing HTML sanitization on the name. Guess the vulnerability was fixed :).
Would have been nice to get some free tickets though :(
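The kind of server-side fix inferred above, as an added example that is not from the original post or the USS site: the leaderboard row rendered unsafely, next to an output-encoded version and the tag stripping the post observed. All function names and the sample entries are assumptions made for illustration.

```javascript
// Constructed sample leaderboard entries; the second uses the name from the post.
const entries = [
  { name: "alice", score: 1200 },
  { name: "<h1>Vulnerability</h1>", score: 900 },
];

// Vulnerable rendering: the stored name is concatenated into the page as-is,
// so markup inside it becomes part of the HTML served to every visitor.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.score}</td></tr>`;
}

// Output encoding: characters that are significant in HTML are replaced with
// entities, so the browser shows the name as text instead of parsing it.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: encode the name and coerce the score to a number.
function renderRowEscaped(entry) {
  return `<tr><td>${escapeHtml(entry.name)}</td><td>${Number(entry.score)}</td></tr>`;
}

// Tag stripping, which matches what the post saw after the fix (tags removed).
// A regex like this is not a complete defence by itself; encoding at output
// time should still be applied to whatever is stored.
function stripTags(name) {
  return String(name).replace(/<[^>]*>/g, "");
}

// Allow-list validation at submission time (assumed policy: 1 to 20
// letters, digits, spaces, underscores or hyphens).
function isValidName(name) {
  return typeof name === "string" && /^[A-Za-z0-9 _-]{1,20}$/.test(name);
}

for (const entry of entries) {
  console.log("unsafe :", renderRowUnsafe(entry));
  console.log("escaped:", renderRowEscaped(entry));
  console.log("valid? :", isValidName(entry.name), "| stripped:", stripTags(entry.name));
}
```

Encoding at render time protects the page even if an unsanitized name is already in the database, which stripping at submission time alone does not.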