$500 Bounty on Reflected XSS on Shopify

9 months ago

Cyberbeat

Bug-Bounty Writeups

XSS stands for Cross Site Scripting. It is a vulnerability in web applications where an attacker injects a malicious payload into a website's content in order to gather valuable information from the victim or to lure the victim into taking some other action.

Same Origin Policy (SOP) is a security mechanism in which the browser prevents scripts running in origin X from accessing data belonging to origin Y. Cross Site Scripting gets around this protection: because the injected script runs inside the vulnerable site's own origin, it can read that site's data, steal sensitive information, perform unauthorized actions on behalf of users or hijack user sessions. In worse cases, it can also lead to Cross Site Request Forgery (CSRF) and data breaches.

An XSS attack involves three steps.

Step 1: The attacker injects malicious code into the vulnerable website.

Step 2: The victim logs into the application. As soon as the victim is logged in, the malicious code is triggered.

Step 3: As soon as the code executes, sensitive information is sent to the attacker, who can then impersonate the victim.

What will you need to look for to find XSS?

You will need a parameter in the application into which you can inject malicious code.

So what was the vulnerable parameter in the Shopify application? It was the returnTo URL parameter on help.shopify.com/en/support/confirm-account-details, reached while trying to sign up for an account. So you'll need an unverified account in order to perform the attack.

What were the steps?

Open the link and change it to https://help.shopify.com/en/support/confirm-account-details?returnTo=javascript:alert(document.cookie). It will prompt a login page. Log in to the application. Press the back button to…
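The root cause described above is a returnTo parameter that accepts a javascript: URL. The following is an added example (not Shopify's code or the author's) of how a redirect target like returnTo can be validated server- or client-side so that javascript: and off-site targets fall back to a safe default; the fallback path is an assumption.

```javascript
// Added example (not from the writeup): validate a returnTo-style
// redirect parameter. SITE_ORIGIN is taken from the writeup's URL; the
// fallback path is an assumption.
const SITE_ORIGIN = "https://help.shopify.com";
const FALLBACK = "/en/support"; // assumed safe default landing page

// Returns an absolute https URL on SITE_ORIGIN, or the fallback when the
// candidate is missing, unparsable, uses a non-https scheme (javascript:,
// data:, vbscript:, ...) or resolves to a different origin.
function safeReturnTo(candidate) {
  if (typeof candidate !== "string" || candidate.trim() === "") {
    return SITE_ORIGIN + FALLBACK;
  }
  let url;
  try {
    // Relative paths resolve against SITE_ORIGIN; absolute URLs keep
    // their own scheme and host, which is what the checks below inspect.
    url = new URL(candidate, SITE_ORIGIN);
  } catch {
    return SITE_ORIGIN + FALLBACK;
  }
  // "javascript:alert(document.cookie)" parses with protocol
  // "javascript:" (case-normalised), so a scheme allow-list stops it.
  if (url.protocol !== "https:") {
    return SITE_ORIGIN + FALLBACK;
  }
  // "//evil.example/x", "\\evil.example/x" and
  // "https://help.shopify.com@evil.example/" all resolve to another
  // origin; only same-origin targets are allowed through.
  if (url.origin !== SITE_ORIGIN) {
    return SITE_ORIGIN + FALLBACK;
  }
  return url.href;
}
```

A sanity check for the validator is to run it over the exact parameter value from the writeup and confirm it returns the fallback rather than the javascript: URL.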