Stored XSS

Disclosed: 2018-11-07 19:09:57 By dr_dragon To shopify
High
Vulnerability Details
# Description:
The WAF cuts HTML tags, but when we put <!--> before the tags we can bypass it :)

# Steps to reproduce:
1. Open your store account
2. Navigate to https://xxx.myshopify.com/admin/settings/general
3. Put an XSS payload in your street address (`xss"><!--><svg/onload=alert(document.domain)>`)
4. Go to https://xxx.myshopify.com/admin/dashboards/live
5. XSS alert message

## Impact
XSS attack
Report Stats
  • Report ID: 415484
  • State: Closed
  • Substate: resolved
  • Upvotes: 50
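
Added example, not part of the original report and not Shopify's code: a constructed model of a tag-stripping filter that disagrees with the HTML parser about where the `<!-->` comment ends, next to output encoding at the render step, which does not depend on the filter. The report does not say how the WAF works; `naiveStripTags`, `escapeHtml` and `renderStreet` are hypothetical names.

```javascript
// Added example. The filter below is a constructed model, not Shopify's WAF.
const PAYLOAD = 'xss"><!--><svg/onload=alert(document.domain)>'; // from the report

// Hypothetical filter: drops tags, passes comments through, and searches for
// the terminator "-->" only after the 4-character opener "<!--".
function naiveStripTags(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    if (input.startsWith("<!--", i)) {
      const end = input.indexOf("-->", i + 4);
      const stop = end === -1 ? input.length : end + 3;
      out += input.slice(i, stop); // treated as inert comment text
      i = stop;
    } else if (input[i] === "<") {
      const close = input.indexOf(">", i);
      i = close === -1 ? input.length : close + 1; // tag removed
    } else {
      out += input[i++];
    }
  }
  return out;
}

// Encoding for HTML text and quoted-attribute sinks.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical render step for the stored street address.
function renderStreet(street) {
  return '<span class="street">' + escapeHtml(street) + "</span>";
}

// Without the prefix the filter removes the tag.
console.log(naiveStripTags('xss"><svg/onload=alert(document.domain)>'));
// With "<!-->" the filter sees an unterminated comment and returns the input
// unchanged, while the HTML parsing rules treat "<!-->" as an empty comment,
// so the tag that follows is live markup in a browser.
console.log(naiveStripTags(PAYLOAD) === PAYLOAD);
// Encoding at the sink leaves no markup for the parser, whatever the filter did.
console.log(renderStreet(PAYLOAD));
```

The stored value is encoded where it is written into the dashboard page, so the fix holds even when an upstream filter and the browser parse the input differently.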