Shopify: Reflective XSS on wholesale.shopify.com

2015-12-21T10:15:55
ID H1:106293
Type hackerone
Reporter krankopwnz
Modified 2015-12-21T23:26:59

Description

There is a reflected XSS issue on wholesale.shopify.com

Steps to reproduce: Call the following URL in Mozilla Firefox: https://wholesale.shopify.com/asd%27%3Balert%28%27XSS%27%29%3B%27

An alert box with "XSS" appears. This means that an attacker has full control of the scripts, that are executed in the victims browser.

An attack vector would be sending an evil link via e-mail, messenger, etc. As the victim trusts the domain wholesale.shopify.com, it will click the link and could be redirected to a site hosting a browser exploit kit. This abuses the trust of shopify.com

The main problem with that XSS is, that in script context the quotes, double quotes and ">" + "<" are not encoded at all.

I suggest to convert them either to hex values or escape them.