Shopify: Reverse Proxy misroute leading to steal X-Shopify-Access-Token header

2018-10-27T10:16:39
ID H1:429617
Type hackerone
Reporter ruvlol
Modified 2019-03-14T10:50:35

Description

Hello Shopify team! I found out that on the /admin/api/graphql endpoint the server fetches the content of the Host header value (${HTTP_Host} + /admin/api/graphql). If my own host is sent to the server, the request comes from ██████████ or ██████████ (your Google Cloud cluster). Also, I can grab all reverse proxy headers, including X-Shopify-Access-Token.

Example of such a request in base64:

███

Also, it returns the response your server got from the ${HTTP_Host} + /admin/api/graphql address.

How to reproduce:
1. POST /admin/api/graphql with Host pointing to an external website.
2. As the external website owner, grab the incoming headers.

Impact

SSRF, X-Shopify-Access-Token leakage
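The misroute described in the report comes down to one construction: the proxy let the client-supplied Host header choose the upstream and forwarded its internal credential headers along. The following added example (not code from the report or from Shopify) shows that flawed construction beside a version that maps Host onto an allow-list and attaches the token only for a trusted backend; ALLOWED_SHOPS, TRUSTED_BACKENDS and the function names are assumptions.

```python
"""Added example, not code from the report or from Shopify.

The report describes a proxy that built its upstream URL from the client's
Host header (${HTTP_Host} + /admin/api/graphql) and forwarded internal
headers such as X-Shopify-Access-Token to whatever host that resolved to.
Below, the flawed construction sits beside a version that maps Host onto an
allow-list of known shops and only attaches the token for a trusted backend.
ALLOWED_SHOPS, TRUSTED_BACKENDS and the function names are assumptions.
"""
from urllib.parse import urlsplit

# Constructed allow-list: public shop hostname -> internal backend origin.
ALLOWED_SHOPS = {"example-shop.myshopify.com": "https://graphql-backend.internal"}
TRUSTED_BACKENDS = set(ALLOWED_SHOPS.values())
ADMIN_PATH = "/admin/api/graphql"


class MisrouteError(Exception):
    """Raised when a request cannot be mapped to a known shop."""


def vulnerable_upstream(headers: dict) -> str:
    """The pattern the report describes: the Host header picks the upstream."""
    return "https://" + headers["Host"] + ADMIN_PATH


def normalize_host(raw: str) -> str:
    """Lower-case, drop any port and trailing dot so lookups are exact."""
    return raw.split(":", 1)[0].rstrip(".").lower()


def route_request(headers: dict) -> str:
    """Resolve the upstream from the allow-list; reject anything unknown."""
    backend = ALLOWED_SHOPS.get(normalize_host(headers.get("Host", "")))
    if backend is None:
        raise MisrouteError("Host is not a known shop")
    return backend + ADMIN_PATH


def is_routable(headers: dict) -> bool:
    """True when route_request accepts the Host, False when it rejects it."""
    try:
        route_request(headers)
        return True
    except MisrouteError:
        return False


def outbound_headers(headers: dict, upstream: str, token: str) -> dict:
    """Copy client headers, then attach the access token only when the
    upstream origin is a trusted backend, so a misroute never carries it."""
    s = urlsplit(upstream)
    out = {k: v for k, v in headers.items()
           if k.lower() != "x-shopify-access-token"}
    if f"{s.scheme}://{s.netloc}" in TRUSTED_BACKENDS:
        out["X-Shopify-Access-Token"] = token
    return out
```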