Shopify reflected XSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · bug-bounty
AI Summary

A reflected XSS vulnerability was discovered on photos.shopify.com where arbitrary parameters were reflected in img tags without sanitization, allowing execution of JavaScript payloads via the pid parameter and other hidden parameters.

Reflected XSS at https://photos.shopify.com/ | by Modam3r5

Modam3r5 · ~2 min read · February 21, 2019 (Updated: December 7, 2021)

Hi again ❤, this time I would like to share an XSS bug that I found at Shopify. The bug was really easy to find if you read the source of the page, so I hope what I share here helps you find a bug ^_^.

Description: the domain https://photos.shopify.com/ is one of Shopify's gallery sites for sharing photos and information about events and so on. The first thing I did to understand the site was view the page source, and by looking through it I noticed that every image has a parameter `pid`, which contains the ID of the image and is included in the image tag. This is a good sign if you are trying to find a hidden parameter to test for XSS or content injection on a site. So I added this parameter to the end of the link and put this payload as its value: javascript:alert("modam3r"). The XSS ran successfully on the first try. I thought this was just a hidden parameter, but after more searching and trying random different parameters, I found that the site accepts any parameter and returns its value inside the `img` tag, so any payload would run, as far as I could tell.

I sent the report to Shopify and after one day I got a response closing it as Informative, so I moved on and sent the report to the pixieset.com team. They fixed the bug without any response to my report or any bounty ^_^.

Results or tips: always look for hidden parameters, and try random parameters that might return something useful to you. Keep in mind that not every report will return a bounty; sometimes it returns disappointment.

Time Line:
11–02–2018 report sent to Shopify.
12–02–2018 team response and closed as Informative.
12–02–2018 report sent again to the pixieset.com team with full details.
21–02–2019 the bug was fixed by pixieset.com without any response from them.

@modam3r5 #security
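The bug class the post describes (query parameters copied verbatim into an `img` tag) is easiest to reason about with the template logic side by side with a hardened version. The following Python is an added example, not code from the original post, from Shopify or from pixieset.com: it models the behaviour the write-up reports (the `pid` parameter, and in fact any parameter, lands inside the image tag unencoded), shows a safe rendering that allowlists and validates input before attribute-encoding it, and includes a small regression check a defender can run over rendered output. The image-id format, the `/photos/` path and the placeholder image are assumptions for the example.

```python
"""Reflected query parameters inside an <img> tag: the vulnerable rendering
the write-up describes beside a hardened one, plus a regression check.

Added example; not the original post's code and not Shopify's or pixieset's.
"""
import re
from html import escape
from urllib.parse import parse_qs

# Constructed sample query strings. The second mirrors the payload in the post;
# the third shows that an arbitrary parameter name becomes an attribute.
BENIGN_QUERY = "pid=1042"
SCHEME_QUERY = 'pid=javascript:alert("modam3r")'
ATTR_QUERY = "pid=1042&onerror=alert(1)"


def render_img_vulnerable(query: str) -> str:
    """Models the reported behaviour: `pid` becomes the src value and every
    other parameter becomes an attribute, with no validation or encoding."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    src = params.pop("pid", "")
    extra = "".join(f' {name}="{value}"' for name, value in params.items())
    return f'<img src="{src}"{extra}>'


# Assumed image-id format (hypothetical): a short run of digits.
PID_RE = re.compile(r"[0-9]{1,12}")


def render_img_safe(query: str) -> str:
    """Hardened rendering: only the one parameter the template needs is read,
    its format is validated against an allowlist pattern, the URL is built
    server-side from a fixed path, and the value is attribute-encoded on
    output. Unknown parameters are ignored rather than reflected."""
    params = parse_qs(query, keep_blank_values=True)
    pid = params.get("pid", [""])[0]
    if not PID_RE.fullmatch(pid):
        # Reject anything that is not an image id; never echo the bad value.
        return '<img src="/static/placeholder.png" alt="unknown image">'
    safe_pid = escape(pid, quote=True)
    return f'<img src="/photos/{safe_pid}.jpg" alt="photo {safe_pid}">'


# Regression check: a javascript: scheme in src/href, or any inline on*
# event-handler attribute, means user input reached script-capable context.
DANGEROUS_RE = re.compile(r'(?:src|href)\s*=\s*["\']?\s*javascript:|\son\w+\s*=', re.I)


def has_script_injection(html: str) -> bool:
    """True when the rendered fragment contains a script-capable sink."""
    return DANGEROUS_RE.search(html) is not None


if __name__ == "__main__":
    for label, query in (("benign", BENIGN_QUERY), ("scheme", SCHEME_QUERY),
                         ("attr", ATTR_QUERY)):
        vuln = render_img_vulnerable(query)
        safe = render_img_safe(query)
        print(f"[{label}] vulnerable: {vuln}  flagged={has_script_injection(vuln)}")
        print(f"[{label}] safe:       {safe}  flagged={has_script_injection(safe)}")
```

The important design point is that the hardened version never tries to "clean" a dangerous value; it decides up front which parameters the template is allowed to read, validates the one it needs against a strict pattern, and only then encodes it for the attribute context. `has_script_injection` is deliberately simple and is meant as a unit test over a template's output with inputs like the constructed queries above, not as a production filter.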