Bug Bounty Reports in Thread 🧵
#bugbounty #infosec
Bug Type : Reflected XSS
Org : Shopify
Bounty : $2000
Read For More 🧵:
Summary : This is a reflected XSS that could be triggered on the storefront of any Shopify store
because a template was missing proper escaping for the theme_handle parameter.
This issue is severe because it could be exploited by unauthenticated users to attack the admin area of a store,
given that the storefront is hosted on the same origin as the admin area of a store.
Steps :
1. Navigate to <account>.myshopify.com
2. View the source of the page and copy the value of Shopify.theme Id.
3. Navigate to https://echo .myshopify.com/?theme_handle=xx%27-alert(document.cookie)-%27&style_id=1&style_handle=1&preview_theme_id=<theme_ID>
replace <theme_ID> with the ID you just copied.
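
The missing escaping described in the summary, shown as an added example that is not Shopify's template code or part of the original report: an unescaped value next to a hardened version, checked against the decoded theme_handle value from step 3. It assumes the parameter was reflected inside a single-quoted JavaScript string in an inline script (the context the quote-minus shape of that value targets); all function and variable names are hypothetical.

```javascript
// Added example: hypothetical reconstruction, not Shopify's template code.
// Assumption: theme_handle was written into a single-quoted JS string
// inside an inline <script> block.

// Vulnerable: raw interpolation. A single quote in the value ends the string,
// and the rest of the value is parsed as JavaScript.
function renderVulnerable(themeHandle) {
  return "<script>var preview = { handle: '" + themeHandle + "' };</script>";
}

// Hardened: serialize the value as a JS string literal, then replace every
// character that could close the string or the <script> element with \uXXXX.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderHardened(themeHandle) {
  return "<script>var preview = { handle: " + jsStringLiteral(themeHandle) + " };</script>";
}

// Test harness: run the script body with stubbed alert/document and report
// whether the reflected value was executed as code instead of kept as data.
function alertFires(html) {
  const body = html.replace(/^<script>|<\/script>$/g, "");
  let fired = false;
  const stubDocument = { cookie: "session=constructed-sample" }; // constructed value
  new Function("alert", "document", body)(() => { fired = true; }, stubDocument);
  return fired;
}

// The theme_handle value from step 3, URL-decoded as the server would see it.
const reported = decodeURIComponent("xx%27-alert(document.cookie)-%27");

console.log("vulnerable executes input:", alertFires(renderVulnerable(reported)));
console.log("hardened executes input:  ", alertFires(renderHardened(reported)));
console.log(renderHardened(reported));
```

Escaping has to match the output context: HTML-entity encoding alone would not be the right fix for a value that lands inside a script string.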