Shopify: HTML injection in https://interviewing.shopify.com/index.php?candidate=

Description

`https://interviewing.shopify.com/index.php?candidate=` is inserting the value of `candidate` into the DOM without any filtering (except that the equal sign can't appear in the payload). This allows an attacker to inject any HTML into the DOM. Of course, reflected XSS payloads like `<script>[...something...]</script>` will be blocked by browsers' protection, but we can still play with CSS injection:

`https://interviewing.shopify.com/index.php?candidate=z%3Cstyle%3E%20*%20{%20background:%20url(https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png);%20}`

{F503108}

## Impact

HTML injection, mostly CSS injection.
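The following regression check is an added example, not code from the report or from Shopify. It models the reported behaviour (reject `=`, then reflect `candidate` verbatim) next to an HTML-encoded variant and parses both outputs for elements the template did not define. The template, function names and the Python model of the server are assumptions, since the page does not show the server code.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The `candidate` value from the report URL, percent-decoded.
SAMPLE = unquote(
    "z%3Cstyle%3E%20*%20{%20background:%20url(https://www.google.com/images/"
    "branding/googlelogo/1x/googlelogo_color_272x92dp.png);%20}"
)

# Hypothetical page template; the real markup is not shown in the report.
TEMPLATE = "<html><body><p>Candidate: {}</p></body></html>"
EXPECTED_TAGS = {"html", "body", "p"}


def render_unfiltered(candidate):
    """Model of the reported behaviour: only '=' is rejected, rest is reflected."""
    if "=" in candidate:
        raise ValueError("equal sign rejected")
    return TEMPLATE.format(candidate)


def render_encoded(candidate):
    """Mitigation: HTML-encode the value for an element-content context."""
    return TEMPLATE.format(html.escape(candidate, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag seen while parsing a rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(page):
    """Return start tags in the page that the template itself does not define."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in EXPECTED_TAGS]


if __name__ == "__main__":
    print("unfiltered:", unexpected_tags(render_unfiltered(SAMPLE)))
    print("encoded:   ", unexpected_tags(render_encoded(SAMPLE)))
```

The `=` filter never triggers because a `<style>` element needs no attributes, which is why output encoding rather than character blocklisting is the fix for this class of issue.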