Shopify: HTTP-Response-Splitting on

ID H1:106427
Type hackerone
Reporter krankopwnz
Modified 2016-01-17T19:20:36


I discovered an HTTP-Response-Splitting issue on

Steps to reproduce: Call the following URL in any browser and catch the response (e.g. with Burp) <html>deface</html>

When you look at screenshot 1 in attachments, you can see that the response contains 2 headers.

According to OWASP, this could be used for "Cross-User Defacement, Cache Poisoning, Cross-site Scripting (XSS) and Page Hijacking."

You could convince victims via social engineering to click the provided link, which can contain a cloned login page of Shopify, for example. If a victim sits behind a proxy which caches the responses, the following users will see your evil login page when calling that address.

A fix would be to disallow line breaks and any non-printable characters in the "shop" parameter.
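The fix proposed above, sketched as an added example that is not part of the original report and is not Shopify's code. It assumes the decoded "shop" value is reflected into a response header; the `Location` target, the host `app.example`, the allow-list pattern and the sample URLs are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (not taken from the report).
GOOD_URL = "https://app.example/login?shop=my-store.example"
BAD_URL = "https://app.example/login?shop=my-store%0d%0aX-Injected:%201"

# The report's rule: no line breaks, no non-printable characters.
# Printable ASCII is 0x20-0x7E; CR, LF, NUL, DEL and non-ASCII all fall outside.
NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")
# Assumption: a shop name is a hostname-like token, so an allow-list is
# applied on top of the report's rule.
SHOP_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def shop_from_url(url):
    """Return the percent-decoded "shop" query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("shop")
    return values[0] if values else None


def is_safe_shop(value):
    """Validate the DECODED value, so %0d%0a is seen as the CR LF it becomes."""
    if value is None or NON_PRINTABLE.search(value):
        return False
    # fullmatch avoids the trailing-newline leniency of a "$" anchor.
    return SHOP_ALLOWED.fullmatch(value) is not None


def unsafe_header(url):
    """'Before' form: the decoded value is copied into the header unchecked."""
    return "Location: https://%s/admin\r\n" % shop_from_url(url)


def location_header(url):
    """'After' form: build the header only from a validated value."""
    shop = shop_from_url(url)
    if not is_safe_shop(shop):
        raise ValueError("rejected shop parameter")
    return "Location: https://%s/admin\r\n" % shop


if __name__ == "__main__":
    print(repr(unsafe_header(BAD_URL)))    # two header lines instead of one
    print(repr(location_header(GOOD_URL)))
```
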