Shopify: Reflective XSS on

ID H1:106293
Type hackerone
Reporter krankopwnz
Modified 2015-12-21T23:26:59


There is a reflected XSS issue on

Steps to reproduce: Call the following URL in Mozilla Firefox:

An alert box with "XSS" appears. This means that an attacker has full control of the scripts, that are executed in the victims browser.

An attack vector would be sending an evil link via e-mail, messenger, etc. As the victim trusts the domain, it will click the link and could be redirected to a site hosting a browser exploit kit. This abuses the trust of

The main problem with that XSS is, that in script context the quotes, double quotes and ">" + "<" are not encoded at all.

I suggest to convert them either to hex values or escape them.