Shopify: POST-based XSS on

ID H1:429679
Type hackerone
Reporter ruvlol
Modified 2019-03-14T10:50:42


Hello Shopify team! I found a post-based XSS which may be shared to other users and occurs in firefox, IE, Edge.

How to reproduce: 1. at go to apps -> choose one -> more actions -> create shopify app store listing 2. you will get redirected to url with ?signature parameter. Full copy whole URL. 3. as App name specify </script><svg onload=alert()> 4. in incognito tab open URL copied in step 2 5. click Preview changes

How to fix:

Sanitize parameters which are getting inserted in <script> tag.


POST-based XSS in firefox/ie/edge. probably safari too