XSS stands for Cross Site Scripting. It is a vulnerability in web applications where the attacker injects a malicious payload into the code of a website to gather valuable information about the victim or to lure the victim into taking a different action.
Same Origin Policy (SOP) is a security mechanism by which the browser prevents scripts running from origin X from accessing data that belongs to origin Y. Cross Site Scripting abuses this mechanism: the injected script runs inside the vulnerable site's own origin, so the browser treats it as trusted. The attacker can then steal sensitive information, perform unauthorized actions on behalf of users or hijack user sessions. In worse cases, it could also lead to Cross Site Request Forgery (CSRF) and data breaches.
An XSS attack involves three steps.
Step 1: The attacker injects malicious code into the vulnerable website.
Step 2: The victim logs into the application. As soon as the victim logs into the application, the malicious code is triggered.
Step 3: As soon as the code is executed, sensitive information is sent to the attacker, who can then impersonate the victim.
What do you need to look for to find XSS?
You need a parameter in the application through which malicious code can be injected.
So what was the vulnerable parameter in the Shopify application? It was the returnTo URL parameter on help.shopify.com/en/support/confirm-account-details, reached while trying to sign up for an account. So you'll need an unverified account in order to perform the attack.
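
From the defender's side, a return-URL parameter such as returnTo has to be validated before it is redirected to or written into a link. The following is an added example, not Shopify's code and not taken from the original report; the origin `https://help.example.com`, the fallback path and the function names are assumptions made for illustration.

```javascript
// Added example: server-side handling of a return-URL parameter (Node.js).
// ALLOWED_ORIGIN, FALLBACK and all function names are hypothetical.
const ALLOWED_ORIGIN = "https://help.example.com";
const FALLBACK = "/";

// Returns a same-origin relative path, or FALLBACK when the value is unsafe.
function safeReturnTo(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return FALLBACK;
  // Control characters and backslashes are normalised differently by
  // browsers and servers, so refuse them instead of trying to clean them.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;
  let url;
  try {
    url = new URL(raw, ALLOWED_ORIGIN); // resolves relative paths against our origin
  } catch {
    return FALLBACK;
  }
  // Only https on our own origin: rejects javascript:, data:, //other-host, etc.
  if (url.protocol !== "https:") return FALLBACK;
  if (url.origin !== ALLOWED_ORIGIN) return FALLBACK;
  if (url.username || url.password) return FALLBACK;
  // Re-serialise from the parsed parts so the output is always a local path.
  return url.pathname + url.search + url.hash;
}

// Encode for an HTML attribute so the value cannot break out of href="...".
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderContinueLink(rawReturnTo) {
  return `<a href="${escapeAttr(safeReturnTo(rawReturnTo))}">Continue</a>`;
}

// Constructed sample inputs, not values from the original report.
const samples = ["/en/support/home?x=1&y=2", "javascript:alert(1)",
  "//other.example/path", "https://help.example.com@other.example/"];
for (const s of samples) console.log(JSON.stringify(s), "->", renderContinueLink(s));
```

Validation and output encoding are both applied here: the first decides where the link may point, the second keeps the value inside the attribute it is written into.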