Shopify: Stored XSS in [shop][id]

ID H1:214044
Type hackerone
Reporter zombiehelp54
Modified 2017-03-28T21:01:59


Hi, I have found a stored XSS vulnerability in [shop][id] in conversion details links. It's the same as #55842, but this one is through the landing page URL, not the referrer.

Steps to reproduce:

1. Navigate to [shop]
2. Modify _landing_page cookie value to javascript:alert(1) {F169421}
3. Add a product to your cart then complete the checkout process.
4. Log in with an admin account, then navigate to [shop][id] and click the link for "The first page they visited", and alert(1) will be executed. {F169422}

Impact: This is a customer-to-admin XSS, so an attacker can target admins to do malicious actions such as fetching the CSRF token and using it to submit a request to add himself as an admin to take over the store.
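
The class of fix for the issue reported above, as an added example that is not part of the original report and not Shopify's code: a value that originated in a client-controlled cookie such as _landing_page is only rendered as a clickable link when it is an absolute http(s) URL, and is shown as escaped text otherwise. The helper names `safe_href` and `render_landing_page`, the sample values, and the assumption that a legitimate landing page is always an absolute http(s) URL are all illustrative.

```ruby
require "cgi"
require "uri"

# Browsers ignore tabs, newlines and leading spaces/control characters when
# resolving a URL, so a value containing any of them is rejected outright
# instead of being normalized and re-checked.
PRINTABLE_ASCII = /\A[\x21-\x7e]+\z/

# Hypothetical helper: returns the URL string if it is an absolute http(s)
# URL with a host, otherwise nil.
def safe_href(raw)
  return nil unless raw.is_a?(String) && raw.valid_encoding?
  return nil unless raw.match?(PRINTABLE_ASCII)
  uri = URI.parse(raw)
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS subclasses URI::HTTP
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::Error
  nil
end

# Hypothetical view helper: link only when the href is safe, plain escaped
# text otherwise, so the admin still sees what the visitor submitted.
def render_landing_page(raw)
  text = CGI.escapeHTML(raw.to_s)
  href = safe_href(raw)
  return "<span>#{text}</span>" if href.nil?
  %(<a href="#{CGI.escapeHTML(href)}" rel="noopener noreferrer">#{text}</a>)
end

# Constructed sample values, as they might arrive from the cookie.
SAMPLES = [
  "https://shop.example/products/1?ref=a",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "//other.example/x",
].freeze

SAMPLES.each { |v| puts "#{v.inspect} => #{render_landing_page(v)}" }
```

Validating when the value is stored is useful as well, but the check at render time is the one that also covers rows written before the fix.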