Specifically, we are looking at Reflected XSS (RXSS) in e-commerce services. According to the 7th Annual Hacker-Powered Security Report, Reflected XSS accounts for 10% of all bugs reported in e-commerce organizations, making it one of the top three vulnerability classes in that sector.
In this blog, we will examine a real Shopify RXSS bug that could be abused to steal information from customer accounts if they are logged in to Shopify's affiliate program.
What Is Reflected XSS?
Reflected Cross-Site Scripting (or RXSS for short) is a very common web vulnerability in which unsanitized input from the user is reflected back in the website's response in a way that allows JavaScript execution in the browser, in the context of the vulnerable site. An attacker typically exploits RXSS by crafting a link containing malicious input and sending it to a logged-in user (such as a customer or even a staff member); opening the link executes JavaScript code and performs actions in the context of that authenticated user. This can lead to unauthorized access to sensitive information, the creation of unauthorized material (such as new users and posts), and even privilege escalation if the logged-in user has access to administrative functionality in the application.
Business Impact of Reflected XSS in Ecommerce
- Customer account breach: As RXSS commonly requires user interaction to exploit, it could create quite a noticeable customer impact, such as customer accounts being breached or their information being stolen via phishing attacks. Its abuse could be chained with common misconfigurations such as bad email security records to send phishing links, and as a result, some customers could notice that their accounts are at risk.
- Data breach: Data could be exfiltrated from users, exploited using RXSS, and sold on the dark web. Since attackers could access information from user profiles and other sensitive areas on the site when RXSS is exploited in a logged-in user session, they could steal Personally Identifiable Information (PII) and cause your organization to experience both financial and legal impact.
- Fraudulent transactions: In terms of e-commerce applications, being able to perform actions as another user means they could potentially make fraudulent purchases as the user in order to steal their money (for example, create fake products on a shopping site and force users to purchase them through RXSS). This can cause serious financial and reputational damage to your business.
Details: The Bug Report
As good bug bounty hackers often are, this hacker was on top of newly created domains; e-commerce platforms often have a large attack surface and constantly evolving services. In this case, the hacker was testing the new Shopify Collab domain, hosting the new platform for content creators/influencers to discover and advertise Shopify's millions of brands.
He first created an account on the site by applying for early access and then connected his social media account to his new Shopify Collab profile. When logging in, he noticed that the post-login redirect URL had a creator_redirect parameter, which he replaced with a proof-of-concept javascript: protocol link. He was able to execute JavaScript in the context of his browser window while the domain api.collabs.shopify.com was open.
In the report, he accessed a fairly innocuous JavaScript variable (document.domain) just to prove that he had access to the document's context in the browser.
In a real-world attack, a malicious actor would likely load JavaScript remotely, for example using xsshunter to load a callback hook onto the page, perform unauthorized actions as the logged-in user by making HTTP requests with the fetch() API, or steal sensitive data by reading document.cookie.
Remediation
Generally, organizations fix XSS issues with input sanitization, such as properly HTML-encoding user input before it is used.
In this case, the root cause is a lack of validation of the creator_redirect parameter before it is used. The word "redirect" suggests it holds a redirect URL, which means it might also have been vulnerable to an open redirect.
However, instead of reporting it only as an open redirect vulnerability, the hacker found that it was also a reflected XSS, since javascript: URLs could be supplied in place of a normal https:// URL. By demonstrating JavaScript execution in the context of the Shopify subdomain rather than a mere redirect to another website, the hacker showed higher impact, which led to a better payout. Here, the proper remediation is to allow only URLs that start with https:// followed by a host from an allowlist (such as collabs.shopify.com).
Furthermore, XSS filtering should always be performed on the backend (server side) rather than relying on frontend JavaScript to filter out invalid input. Client-side JavaScript can validate input in a submission form to lighten server load, but the same checks must also be performed on the backend.
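The two remediations above, an allowlist for the redirect parameter and HTML encoding for values reflected into markup, as an added example in Node.js. This is illustrative code written for this post, not Shopify's or HackerOne's implementation; the function names, the allowlist contents and the fallback URL are assumptions, and the sample inputs are constructed. It uses the WHATWG URL parser (the global URL class) on the server so that scheme normalisation matches what the browser would do with the same string:

```javascript
// Added example, not Shopify's or HackerOne's code.
// Assumed names: ALLOWED_REDIRECT_HOSTS, FALLBACK, safeRedirectTarget, escapeHtml.

// Hosts the application is willing to redirect to after login (assumed values).
const ALLOWED_REDIRECT_HOSTS = new Set(['collabs.shopify.com']);
// Where the user is sent when the supplied target is rejected (assumed value).
const FALLBACK = 'https://collabs.shopify.com/';

// Return a redirect target that is safe to place in a Location header or an href.
// Anything that is not an absolute https:// URL on an allowlisted host (exact host
// match, no embedded credentials, no explicit port) collapses to FALLBACK.
function safeRedirectTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return FALLBACK;
  let url;
  try {
    // WHATWG parsing, the same grammar the browser applies: leading whitespace is
    // stripped and the scheme is lower-cased, so " JaVaScRiPt:..." still parses
    // to the javascript: scheme and is caught by the protocol check below.
    url = new URL(raw);
  } catch {
    return FALLBACK; // relative paths and scheme-relative "//host" are rejected, not resolved
  }
  if (url.protocol !== 'https:') return FALLBACK;      // rejects javascript:, data:, http:
  if (url.username || url.password) return FALLBACK;  // rejects https://collabs.shopify.com@evil.example
  if (url.port) return FALLBACK;                       // only the default port for https
  if (!ALLOWED_REDIRECT_HOSTS.has(url.hostname)) return FALLBACK; // exact match, so *.shopify.com.evil.example fails
  return url.href; // re-serialised from the parsed form, never the raw string
}

// Minimal HTML encoder for values reflected into an HTML body or a quoted attribute.
// Encoding alone would NOT have fixed this bug: a javascript: URL survives HTML
// encoding intact, which is why the redirect target needs the allowlist above.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs, including the javascript: form described in the report.
const SAMPLES = [
  'https://collabs.shopify.com/dashboard',
  'javascript:alert(document.domain)',
  ' JaVaScRiPt:alert(1)',
  'https://collabs.shopify.com.evil.example/',
  'https://collabs.shopify.com@evil.example/',
  'http://collabs.shopify.com/',
  '//evil.example/',
  '/dashboard',
];

// Map every sample to the target the server would actually redirect to.
function demo() {
  return SAMPLES.map((s) => [s, safeRedirectTarget(s)]);
}

for (const [input, out] of demo()) {
  console.log(JSON.stringify(input), '->', out);
}
```

Only the first sample survives; every other form, including the mixed-case and whitespace-prefixed javascript: variants, the lookalike host, the credentials trick and the scheme-relative URL, falls back to the default page. Comparing url.hostname against an exact set rather than checking the raw string with startsWith or a regular expression is what makes the lookalike-host and credential cases fail.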
Conclusion
Reflected XSS is one of the most common vulnerabilities in web applications, so it is no surprise that it shows up often in e-commerce; if exploited by malicious actors, it could have serious business impacts on customers. Fortunately, in this case, the new domain on the Shopify bug bounty program was tested promptly by hackers in the HackerOne community, and the vulnerability was quickly found and fixed.
Secure Your Web Application From XSS With HackerOne
The advantage of having a bug bounty program is that hackers from our community constantly test your new applications, domains, and API endpoints as soon as they go live. HackerOne and our community of ethical hackers are well equipped to help organizations identify and remediate XSS and other vulnerabilities, whether through bug bounty, Pentest as a Service (PTaaS), Code Security Audit, or other solutions, by applying the attacker's mindset to discovering a vulnerability.
Download the 7th Annual Hacker Powered Security Report to learn more about the impact of the top 10 HackerOne vulnerabilities, or contact HackerOne to get started taking on XSS vulnerabilities at your organization.