Shopify - Xss in website's link

From Hackipedia
Hackerone #54321
Target: Shopify
Target Module:
Type: XSS
Payload: javascript:alert(document.cookie);//http://dgddfgdfgg.ua
Original: Link
CVE:
Archive Screenshot

A popular XSS method is to use

javascript:alert(1)

in locations where you are allowed to add a link on your profile to your blog, Facebook page, etc.

Judging by the payload used

javascript:alert(document.cookie);//http://dgddfgdfgg.ua

It is reasonable to assume that Shopify was doing some input checking: it ensured that http:// appeared somewhere in the string, but did not require it to be at the beginning, and did not check the URL scheme itself.

The double forward slash (//) is placed before the pseudo-URL because it denotes a single-line comment in JavaScript. Using it accomplishes a couple of things.

  1. No closing token is required for the comment (unlike the /* other comment format */)
  2. All text after the // is ignored by the JavaScript parser, so the trailing http:// string satisfies the input check without influencing the attack vector

How To Perform

  1. Find a place where a user can insert a link
  2. Attempt a regular javascript:alert(1)
    1. Attempt to break input checking by using different methods
    2. javascript:alert(document.cookie);//http://dgddfgdfgg.ua
    3. javascript:alert(document.cookie);%0A//http://dgddfgdfgg.ua
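The following is an added example, not code from the original page and not Shopify's actual filter. It contrasts the kind of substring check the write-up infers ("does the string contain http://") with scheme-allowlist validation based on the WHATWG URL parser, and runs both over the two payloads quoted above plus constructed benign links. The function names (naiveLinkCheck, strictLinkCheck, safeHref, compareChecks) and the sample inputs are assumptions made for the example. It also shows a side effect of the naive check: it rejects ordinary https:// links.

```javascript
// Added example (not from the original Hackipedia page, not Shopify's code).
// Function names and sample inputs below are constructed for illustration.

// Naive check: accepts any string that contains "http://" anywhere.
// This is the behaviour the write-up infers from the payload that worked.
function naiveLinkCheck(link) {
  return link.includes("http://");
}

// Strict check: parse the link as an absolute URL and allow only http(s) schemes.
// The parser is used instead of a prefix/regex check because it is the same
// component the browser uses to decide what scheme a href actually has.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function strictLinkCheck(link) {
  let parsed;
  try {
    parsed = new URL(link); // throws on relative or malformed input
  } catch {
    return false; // a profile link field should hold an absolute URL
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Mitigation step for rendering: return the normalized href only if it passed
// the strict check, otherwise null so the template can omit the link entirely.
function safeHref(link) {
  return strictLinkCheck(link) ? new URL(link).href : null;
}

// Constructed samples: the two payloads quoted on the page plus benign links.
const SAMPLES = [
  "javascript:alert(document.cookie);//http://dgddfgdfgg.ua",
  "javascript:alert(document.cookie);%0A//http://dgddfgdfgg.ua",
  "http://example.com/blog",
  "https://example.com/profile",
];

// Run both checks over the samples and report the verdicts side by side.
function compareChecks(links = SAMPLES) {
  return links.map((link) => ({
    link,
    naive: naiveLinkCheck(link),
    strict: strictLinkCheck(link),
    href: safeHref(link),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

The table shows the naive check accepting both javascript: payloads (the trailing //http:// satisfies the substring test) while rejecting the plain https:// link; the parser-based check does the reverse. The %0A variant does not change the parsed scheme either, which is why validating the scheme after parsing is the check to keep.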