Shopify: XSS on

ID H1:123125
Type hackerone
Reporter virtualhunter
Modified 2016-04-09T00:03:05


This is stored vulnerability for all your users, not only registered or signed in.

Vulnerable parameter: properties[builder_id] at * The vulnerability is in array levels. When you try something like properties[builder_id][second_parameter]=value, you will see many corrupted tags in HTML because 2-level array will return as "builder_id":{"second_parameter ":"value"} instead of "builder_id":"shapp_options_421549285_1455208671885" in cart.js

So you could inject your code in tr,div,a,insert tags. All you need - is redirect a victim to special url. For example, you cold try this: properties[builder_id][%20onmouseover%3dalert(1)%20]=value Script will strike when victim will move a coursor over product.

Here is a link with your cookies in a harware store for example:[cart_exists]=true&properties[builder_id][%20onmouseover%3dalert(document.cookie)%20]=shapp_options_421549285_1455208671885&properties[master_builder][]=1&properties[test]=test&properties[value]=11&add

I recommend you to check incoming parameters for arrays like here: