Reflected XSS at https://photos.shopify.com/

Hi again ❤,

this time i would like to share an XSS bug that i found at Shopify, the bug was relay easy to find if you read the source of the page, so i hope what i would like to share help you to find a bug ^_^.

Description :

the domain https://photos.shopify.com/ is one of Shopify gallery site to share photos and information about event etc, so the first thing that i did to understand the site shows the source of the page and by looking inside it i notice that every image has a parameter `pid` which contains information about the ID of the image and it’s included at the image TAG.

this something good if you trying to find a hidden parameter to test an XSS attack or content injected at the site.

so by adding this parameter to the end of the link and put this payload as the value for it javascript:alert("modam3r").

the XSS was run successfully

for the first time, I was thinking that this kind of hidden parameter but after doing more search and try a random different parameter, collect that the site accepts any parameter and it returns with the value of it inside the `img` TAG, so any payload will be run successfully as I think.

i send the report to Shopify and after one day i got this response

so I moved and send the report to pixieset.com team about this, and they fixed the bug without any response to my report or give any bounty ^_^.

Results or tips:

always look for a hidden parameter, and try to use random parameters that maybe return with something good to you.

keep in mind not all report will return with bounty sometimes it’s return with Disappointment.

Time Line:

11–02–2018 report send to Shopify.
12–02–2018 team response and closed as Informative.
12–02–2018 report send again to pixieset.com team with full details.
21–02–2019 the bug was fix by pixieset.com without any response from them.

@modam3r5