Shopify: Stored XSS in https://checkout.shopify.com/

2016-03-13T18:26:01
ID H1:122849
Type hackerone
Reporter niyaax
Modified 2016-03-15T22:32:20

Description

STEPS TO REPRODUCE

  1. Go to http://hardware.shopify.com/products/custom-gift-card?variant=976094353 and Design your own gift card.
  2. Change file type to url on the upload field.
  3. Add the payload javascript:alert(document.domain);//https://cdn.shopify.com/s/files/1/0224/0965/uploads/1fc1042c960abdb2f35c0950900a7b2c.svg
  4. Then add the item to the cart and go to checkout.
  5. On the checkout page click the Artwork File and the XSS will trigger.