Shopify: Cache poisoning via X-Forwarded-Host in

ID H1:977851
Type hackerone
Reporter dakitu
Modified 2020-09-11T17:03:05


Hello, run in loop requests withX-Forwarded-Host: - after some time You will notice in response


now remove X-Forwarded-Host - there still be our url:


i've logged to my VPS to verify this bug and downloaded poisoned page ( , it's contains links to collabolator:



Looks like there is no URL keys so i stopped testing cause i'm breaking site functionally, but it was be worth to check if we can poison X-Forwarded-Host :"><img src=x onerror=blah> or try use other headers, if i get permission i can try other vectors on a older article to prevent distributing users.


poisoning links, eg. FB share button: