Reflected XSS at https://photos.shopify.com/

Modam3r5
Feb 21, 2019 · 2 min read

Hi again ❤,

This time I would like to share an XSS bug that I found at Shopify. The bug was really easy to find if you read the source of the page, so I hope what I share here helps you to find a bug ^_^.

Description:

The domain https://photos.shopify.com/ is one of Shopify's gallery sites for sharing photos and information about events etc. The first thing I did to understand the site was to view the source of the page, and by looking inside it I noticed that every image has a parameter `pid` which contains the ID of the image and is included in the image tag.

This is something good if you are trying to find a hidden parameter to test for an XSS attack or content injection on the site.

So I added this parameter to the end of the link and put this payload as its value: `javascript:alert("modam3r")`.

[Image: the XSS was run successfully]

At first I was thinking that this was just a hidden parameter, but after doing more searching and trying random different parameters, I found that the site accepts any parameter and returns its value inside the `img` tag, so any payload will run successfully, as I think.
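To make the bug pattern concrete, here is an added example written for this post (it is not the gallery's or Shopify's code): a Node.js renderer that copies every query parameter into the `<img>` tag, beside a hardened version that keeps only allow-listed attribute names, escapes their values, and parses `src` with the built-in WHATWG URL parser so that only absolute http(s) URLs survive. The parameter names and hostnames are constructed.

```javascript
// Constructed example of the bug pattern in the post, not the gallery's real code.
// Node.js only: it relies on the built-in WHATWG URL parser.

// Vulnerable pattern: every query parameter, known or not, is copied verbatim
// into the <img> tag, so a value such as javascript:alert(1) lands in the markup.
function renderImageVulnerable(params) {
  const attrs = Object.entries(params)
    .map(([name, value]) => `${name}="${value}"`)
    .join(' ');
  return `<img ${attrs}>`;
}

// HTML attribute escaping: a value can no longer close the quote or the tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only absolute http(s) URLs for src. Using the URL parser instead of a
// regex is what catches scheme tricks: leading whitespace, mixed case and
// embedded tabs/newlines are normalised before the protocol is compared.
function safeImageUrl(value) {
  let url;
  try {
    url = new URL(String(value)); // relative values throw and are rejected
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.href;
}

// Hardened renderer: allow-listed attribute names only (an unexpected
// parameter such as onerror is ignored), values escaped, src validated.
const ALLOWED_TEXT_ATTRS = ['alt', 'width', 'height'];

function renderImageHardened(params) {
  const src = safeImageUrl(params.src);
  if (src === null) return null; // refuse to render rather than reflect
  const attrs = [`src="${escapeAttr(src)}"`];
  for (const name of ALLOWED_TEXT_ATTRS) {
    if (Object.prototype.hasOwnProperty.call(params, name)) {
      attrs.push(`${name}="${escapeAttr(params[name])}"`);
    }
  }
  return `<img ${attrs.join(' ')}>`;
}
```

The same check works on the server or in a client-side template; the point is that the scheme decision is made by a real URL parser after normalisation, and unknown parameter names never reach the markup at all.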

I sent the report to Shopify and after one day I got this response:

[Image: Shopify's response to the report]

So I moved on and sent the report to the pixieset.com team about this, and they fixed the bug without any response to my report or giving any bounty ^_^.

Results or tips:

Always look for hidden parameters, and try random parameters that may return something good to you.

Keep in mind that not every report will return a bounty; sometimes it returns disappointment.

Timeline:

11–02–2018 report sent to Shopify.
12–02–2018 team responded and closed it as Informative.
12–02–2018 report sent again to the pixieset.com team with full details.
21–02–2019 the bug was fixed by pixieset.com without any response from them.

@modam3r5
