XSS in Universal Studios Singapore’s website

Vulnerabilities in a web game

Universal Studios Singapore (USS) decided to hold a game contest for their annual Halloween Horror Nights (HHN). Basically, players had to collect ‘coins’ in a game that somewhat resembles Temple Run.

Definitely not Temple Run

Well, after you ‘die’ you get to submit your score to the leaderboard and the top 4 contestants get free tickets.

What the leaderboard looks like

In my previous semester, I learnt about Cross-Site Scripting (XSS) and how it comes in two forms, Reflected and Persistent. Reflected XSS is where the attack only affects the user who carried out the attack, while Persistent XSS stores the attack on the webpage and affects any user who visits the affected webpage.

So I tried my luck by hoping Persistent XSS would work.

Honestly, I thought that it wouldn’t work, as well-established websites always secure themselves against XSS and SQL injection since these attacks are so common. I submitted my score with the name ‘Vulnerability’, enclosing it in h1 tags.

Score submission page

Aaaand I got lucky :)

XSS vulnerability

Since this was a pretty serious vulnerability, an email was sent to USS.

Email notifying them about the vulnerability

It had been 3 days and I hadn’t gotten a reply from them. So I went ahead to check if the vulnerability was patched. I tried submitting the same name as mentioned above and when it was displayed back to me from the leaderboard, the tags were removed. From what I could infer, their solution probably involved the server performing HTML sanitization on the name. Guess the vulnerability was fixed :).

No more XSS :(
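The leaderboard flaw and one way to close it, as an added example that is not USS's code or part of the original post: the function names, the row layout and the score value are hypothetical. It uses output encoding at render time rather than the tag removal observed above, and includes a small regression check that a rendered row contains no markup beyond its own cells.

```javascript
// Added example: every name here is hypothetical, not taken from the USS site.

// Vulnerable pattern: the submitted name is concatenated into markup as-is,
// so any tags in it become part of the page served to every visitor.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.score}</td></tr>`;
}

// Output encoding: the five HTML-significant characters become entities,
// so the browser displays the name as text instead of parsing it as markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened rendering: the name is encoded and the score is forced to an integer.
function renderRowSafe(entry) {
  const parsed = Number.parseInt(entry.score, 10);
  const score = Number.isFinite(parsed) ? parsed : 0;
  return `<tr><td>${escapeHtml(entry.name)}</td><td>${score}</td></tr>`;
}

// Regression check: true if the rendered row contains any element
// other than the row's own <tr>/<td> tags.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !['tr', 'td'].includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample: the name from the post, with a made-up score.
const submitted = { name: '<h1>Vulnerability</h1>', score: '1200' };
console.log('unsafe:', renderRowUnsafe(submitted), containsInjectedMarkup(renderRowUnsafe(submitted)));
console.log('safe:  ', renderRowSafe(submitted), containsInjectedMarkup(renderRowSafe(submitted)));
```

Encoding keeps the submitted name visible exactly as typed, whereas stripping tags alters it.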

Would have been nice to get some free tickets though :(