Web3 projects often focus heavily on blockchain security while neglecting traditional web security vulnerabilities in their supporting infrastructure. Despite the promise of decentralization, many Web3 applications rely on centralized components that remain susceptible to classic Web2 attacks. This research examines two critical Web2 vulnerabilities in Web3 contexts, Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS), and provides practical insights, demonstration labs, and remediation strategies to improve security across the ecosystem.
The blockchain industry has witnessed numerous security breaches originating not from flawed smart contracts but from vulnerable Web2 infrastructure. A notable example occurred when time.fun was ethically hacked through its Web2 components. White hat hackers shouccc and tonykebot exploited a vulnerability in the platform's backend infrastructure, specifically a component that eagerly signed transactions on Solana, allowing them to drain all funds controlled by the internal wallet [8]. Fortunately, all funds were returned, but this incident clearly demonstrates how Web2 security flaws can compromise Web3 assets.
Another significant case involved a universal cross-site scripting vulnerability discovered in Netlify's Next.js library. This vulnerability, reported in August 2022, affected numerous high-traffic Web3 websites, including Gemini, PancakeSwap, Docusign, Moonpay, and Celo [5]. The flaw would allow attackers to achieve "persistent cross-site scripting and full-response server side request forgery on any website out of the box," potentially compromising user wallets and transaction integrity [5].
In early 2025, the 1inch protocol and several market makers experienced a compromise resulting in approximately $5 million in losses [8]. While this attack didn't follow the traditional smart contract exploitation pattern, it resembled a memory corruption vulnerability triggered by a carefully crafted transaction payload.
According to Immunefi's research, more than 60% of all Web3 exploits in 2023 targeted off-chain systems [15]. This alarming statistic reveals a fundamental truth: while billions are invested in auditing smart contracts, the centralized Web2 components connecting users to blockchains often remain neglected security blind spots.
As security researcher Antonio Spataro noted, "It is really absurd to think that a decentralized system, but one that uses non-decentralized web2 infrastructures, cannot be hacked from the surface" [6]. This disconnect creates a dangerous blind spot in the industry's security thinking.
In the security incident categorization proposed by ChainLight, "Web2 Exploit" is specifically identified as "the case where the exploits on project's web2 components lead to the loss of control for major components" [7]. This recognition highlights the growing awareness of this attack vector in the security community.
Server-Side Request Forgery (SSRF) is a dangerous web vulnerability that allows attackers to induce a server to make unauthorized requests to internal resources or external systems [3]. In an SSRF attack, the attacker manipulates a server into sending requests to addresses of the attacker's choosing, potentially accessing systems that should be inaccessible from the outside.
As described by PortSwigger Web Security: "In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials" [14].
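As an added illustration (not code from the original article or any project it names), the following Node.js fragment shows the shape this bug takes in a Web3 backend: a hypothetical endpoint that fetches off-chain token metadata from a caller-supplied URI, first in its vulnerable form and then hardened with a scheme check, a hostname allowlist and a block on internal address ranges. The gateway hostnames in the allowlist are assumptions.

```javascript
// Added example, not from the original article. Hypothetical metadata-fetch
// endpoint of the kind an NFT indexer or token-list service exposes.

// Vulnerable: the server fetches whatever URI the caller supplies, so a
// loopback node RPC or a cloud metadata address becomes reachable from outside.
async function fetchTokenMetadataUnsafe(tokenUri, fetchImpl = fetch) {
  const res = await fetchImpl(tokenUri);
  return res.json();
}

// Assumed gateways this service is meant to talk to (placeholder allowlist).
const ALLOWED_HOSTS = new Set(["ipfs.io", "arweave.net"]);

// Loopback, RFC 1918, link-local (incl. cloud metadata 169.254.169.254) and 0/8.
function isBlockedIpv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Hardened: parse first, then decide on the normalized hostname. WHATWG URL
// parsing folds alternate IPv4 spellings (hex, decimal, short forms) into
// dotted-quad, so the range check sees the real address.
function validateMetadataUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  const host = url.hostname;
  if (host.startsWith("[")) return { ok: false, reason: "ipv6-literal" };
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isBlockedIpv4(host)) return { ok: false, reason: "private-ip" };
    return { ok: false, reason: "ip-literal" }; // only named gateways are allowed
  }
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host" };
  return { ok: true, url: url.toString() };
}

async function fetchTokenMetadataSafe(tokenUri, fetchImpl = fetch) {
  const v = validateMetadataUrl(tokenUri);
  if (!v.ok) throw new Error("refused metadata URI: " + v.reason);
  // Redirects are refused: a permitted host could otherwise bounce the
  // request to an internal address after validation has passed.
  const res = await fetchImpl(v.url, { redirect: "error" });
  return res.json();
}
```

A hostname allowlist does not by itself defend against DNS rebinding on an allowed domain; where the gateways are not under your control, also check the resolved address at connect time and keep the fetching service on a network segment with no route to signing or RPC components.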
In Web3 applications, SSRF vulnerabilities can be particularly devastating due to the presence of sensitive internal services that interact directly with blockchain networks. These might include: