Shopify: XSS on

ID H1:56779
Type hackerone
Reporter r0x33d
Modified 2015-09-06T20:25:01


Hello! I would like to report an XSS on domain.

Here is a PoC that gives you an alert box with the content "123":

This Ecommerce Store Grader Tool gives you a list of the sources of image tags that should have an "alt" attribute on the tested website (screenshot "where.png"). So, on your website ( in my case), you can create an <img> tag with the "src" attribute value "111<img src=1 onerror=alert(123)>". Then submit the link to your website to this Grader Tool, and it will show you the error block "Some of the images on your homepage are missing ALT tags.", which will contain your <img> tag's "src" attribute with the embedded <img> tag in it.

You can see a full example of the source on

Generally, this vulnerability exists because the displayed "src" attributes are not filtered.
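
The root cause named in the report, as an added example that is not part of the original report and not Shopify's code: a grader that lists the "src" of images missing "alt", rendered once unfiltered and once HTML-encoded. The parser, function names and error-block markup are assumptions made for illustration.

```javascript
// Constructed sample page (assumption): one compliant image, plus one image
// without alt whose src carries the value quoted in the report.
const SAMPLE_PAGE =
  '<img src="logo.png" alt="logo">' +
  '<img src="111<img src=1 onerror=alert(123)>">';

// Quote-aware match so a ">" inside a quoted attribute value does not end the tag.
const IMG_TAG = /<img\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Collect the src values of <img> tags that have no alt attribute.
function imagesMissingAlt(html) {
  const found = [];
  for (const m of html.matchAll(IMG_TAG)) {
    const attrs = m[1];
    // Blank out quoted values so "alt" inside a src value is not counted.
    const names = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
    if (/\balt\b/i.test(names)) continue;
    const src = SRC_ATTR.exec(attrs);
    if (src) found.push(src[1] ?? src[2] ?? src[3]);
  }
  return found;
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode untrusted text for an element-content or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const MESSAGE = 'Some of the images on your homepage are missing ALT tags.';

// Pattern the report describes: src values reach the error block unfiltered.
function renderErrorBlockUnfiltered(srcs) {
  const items = srcs.map((s) => `<li>${s}</li>`).join('');
  return `<div class="error">${MESSAGE}<ul>${items}</ul></div>`;
}

// Corrected form: every value taken from the tested site is encoded at output.
function renderErrorBlockEncoded(srcs) {
  const items = srcs.map((s) => `<li>${escapeHtml(s)}</li>`).join('');
  return `<div class="error">${MESSAGE}<ul>${items}</ul></div>`;
}
```

Encoding belongs at the point of output, because the tested site's markup is entirely under the submitter's control; when the list is built in the browser instead, assigning the value through `textContent` has the same effect.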