XSS on Shopify

Shopify is an e-commerce platform that enables individuals and businesses to create online stores.

yes, they have bug bounty program.

While testing I realized ,all the title fields are not sanitizing the JS .





I was like

I am rich


Reported the issue to the Shopify security team , they said “SELF XSS” . We don’t consider this an issue.

OK then,



They had  public forum(with login functionality) , I created  discussion title with XSS payload . When the page is published ,it triggered the payload just once. I tried again again by refreshing the page ,nothing happened.

I was frustrated , wrote “Fuck” in the comment and it reload the page and Bang !.


I got a XSS and this is not self this time. What I have to do is just a get a comment from the user on the discussion page.

They accepted this one , and one more HOF for me🙂




logging out……






















Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s