How I Earned $1750 at Shopify Bug Bounty Program

Introduction

This article is a write-up on how I found a critical XSS vulnerability in Shopify Core through the Shopify Bug Bounty Program, for which I was acknowledged and listed in the Top 10 of Shopify Hacker’s Hall of Fame in the world.

I wrote this for educational purposes only. Do not perform any illegal activity or pen-testing without permission.

Introduction to Cross-site scripting (XSS)

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

Vulnerability exploitation

So my target was Shopify, because they are very fast in responding to and resolving reports. I started surfing your-store.myshopify.com, went to Settings and found Login Services, which was quite an interesting part.

I enabled Google Apps for login to check what exactly happens when we give permission to staff members to log in through Google.

Now we have the Log in with Google option enabled !!

Now, my favourite way to hunt such bugs: whenever I look at such options or links, the first thing that comes to my mind is Open Redirect !!

What is Open Redirect?

One of the most common and largely overlooked vulnerabilities by web developers is Open Redirect (also known as “Unvalidated Redirects and Forwards”). A website is vulnerable to Open Redirect when parameter values (the portion of the URL after “?”) in an HTTP GET request are allowed to carry information that will redirect a user to a new website without any validation of the target of the redirect. Depending on the architecture of a vulnerable website, redirection could happen after certain activities, such as login, and sometimes it could happen instantaneously upon loading a page.

An example of a vulnerable website link could look something like this: https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext

So now, to hunt Open Redirect I always prefer Burp Suite. Without wasting any time I opened Burp Suite and intercepted my request when I clicked on Log in with Google, and I got one parameter named “google_apps_uri”.

I changed the value of “google_apps_uri” to evilzone.org and I was redirected to evilzone.org, but Shopify doesn’t accept Open Redirect.

Shopify says,

“Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.”

So now my next step was to turn this Open Redirect into XSS.

Never give up easily !! I went back to the URL and changed the value of “google_apps_uri” to javascript:prompt(document.domain)

and BOOM !! XSS was triggered and I was like

I went back to HackerOne, wrote a nice report and submitted it to Shopify. As usual, within 4–5 hrs my report was triaged, within a day it was resolved, and Shopify awarded me $1750 !!
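A defensive check for a redirect parameter like “google_apps_uri”, as an added example (not Shopify's fix and not code from this write-up): it parses the value and redirects only to an https URL on an exact-match host allowlist, which rejects both values tried above. The function names, the allowlisted host and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not Shopify's code. ALLOWED_HOSTS is an assumed allowlist;
// the write-up does not show the legitimate value of google_apps_uri.
const ALLOWED_HOSTS = new Set(["accounts.google.com"]);

// Returns the normalized https URL if the target is allowed, otherwise null.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url;
  try {
    // No base URL is given, so relative and scheme-less values
    // ("evilzone.org", "//evilzone.org") fail to parse and are rejected.
    url = new URL(raw);
  } catch {
    return null;
  }
  // The parser lowercases the scheme, so "JaVaScRiPt:" arrives here as
  // "javascript:". Allowing only https rejects javascript:, data:, http:, etc.
  if (url.protocol !== "https:") return null;
  // Reject embedded credentials ("https://accounts.google.com@evilzone.org/").
  if (url.username !== "" || url.password !== "") return null;
  // Exact host match only; suffix or substring checks are bypassable.
  if (!allowedHosts.has(url.hostname)) return null;
  // Redirect to the parsed form, never to the raw input string.
  return url.href;
}

// Constructed sample inputs, including the two values tried in the write-up.
const SAMPLES = [
  "https://accounts.google.com/o/oauth2/auth?client_id=example",
  "evilzone.org",
  "javascript:prompt(document.domain)",
  "JaVaScRiPt:prompt(document.domain)",
  "//evilzone.org",
  "https://accounts.google.com@evilzone.org/",
  "https://accounts.google.com.evilzone.org/",
  "http://accounts.google.com/",
];

// Maps each sample to "allow" or "reject" for quick review.
function classifySamples(samples = SAMPLES) {
  return samples.map((s) => [s, safeRedirectTarget(s) ? "allow" : "reject"]);
}

console.log(classifySamples());
```

Only the first sample is allowed; when the function returns null, the application should fall back to a fixed default page rather than redirect.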

HackerOne Report:

https://hackerone.com/reports/691611

If you need any help or want to connect, you can connect with me via LinkedIn at https://in.linkedin.com/in/ashish-dhone-640489135

I hope it will help you in your bug hunting !!

Thanks for Reading !!

./Keep_Hacking

Information Security Analyst at Persistent Systems | Synack Red Team Member | CEH v10 | CEH Master | Bug Bounty Hunter
