Jesse Campos - Chef Secure

Updated on Mar 24,2023

$3,500 Shopify Hack - Analyzing XSS from HackerOne

All right, we are live for the first time ever. So what I want to do today is analyze an XSS vulnerability with you. It was reported to Shopify on HackerOne, and it was awarded $3,500 just for this one vulnerability. But was it really worth more? The answer may surprise you. Since I'm doing this live stream about it, the answer is probably yes, it was worth more. So what I want to do is go over this and talk about how it was found, because this is a skill that, if you had found this, could have earned you $3,500. So we're all missing out on that money. All right, so I'm going to help out, try to analyze this and go through it so you understand how it works and where we can go from here.

All right, so let me share my screen first. This is going to be where it was reported on HackerOne. So it was for Shopify; this is one of their sites that's in scope in the bug bounty program, this Exchange Marketplace. The way it works... I actually don't want to spoil it if you want to do it on your own, because I actually created a practice website that you can use to test your skills if you want to find this vulnerability that could have earned you $3,500. All right, and so this is the site. It looks very similar to the other one: that one's Exchange, but this is XSS-change. So yeah, this is the site that you can practice on. And let's see, where is this... if you can't access this or if you can't see the URL, it is right here. All right, working on my live stream skills right now. All right, so I got this URL, or you can just go to codepen.io/chefsecure and navigate to this one, the $3,500 Shopify hack, and you can try to find the vulnerability in this page. And if you find it, then you could have got $3,500.

So before we go into that, what I want to do is walk through the vulnerability and talk through it. If you want to find it on your own, again, you can pause this video or come back later, whatever it might be. And so I'm going to take this off, and we're going to get to it. So let's go to the HackerOne page. This was reported by the user fatal zero, my good buddy fatal zero. Never met you, but you're my good buddy, and listen, I'm going to try to get you some extra money today. So we'll see if Shopify is hearing these words. All right, so fatal zero's report: an XSS vulnerability in the blog search on exchangemarketplace.com, through the q parameter. So you just add your XSS payload to the q parameter, and then it can trigger the XSS. All right, so let me refresh this so I can play the video that they posted. So they put in their payload, and when they moused over this Subscribe, it alerted this prompt. And so basically, again, you know, prompts, alerts, they're just demonstrating that you can get cross-site scripting, you can get JavaScript on the page, which means the attacker has full control over the page. All right, and that is a very, very key point: the attacker has full control of the page. You'll see why in just a minute.

All right, so let's go through this and show how you can find this vulnerability. This is the process that I recommend to all my students taking my XSS course. They ask me, what is the process that I can follow to help me find vulnerabilities? And so far it has been very, very successful for a lot of them. So hopefully this helps you, and I want to walk through how I would go about finding a vulnerability on this web page.

All right, so the first step is just to see what context you can inject into. So I just want to type in anything, this "asdf" right here. And again, I modified this page just so it's a replica of the real page, so you can practice on it, and it's much more simplified. So whenever you change something on here, this is what would trigger the alert, rather than typing in a URL and visiting the page itself. All right, so we have "asdf" that we injected into the page. And so where I want to go from here is I want to right-click and Inspect, and again see the options, see where you injected into the page. So I will push Command-F, or Control-F if you're on Windows, and search for "asdf". This is how you can see exactly where you're injecting into the page. All right, so right now there are two places; I'm hitting Enter to toggle through. Let me make this bigger... all right, that's way bigger, I don't want it that big. All right, here we go. Here's the first one, "asdf": we have it inside of the span element. And if I move this down and hover over it, you can see it's right there at the top of the page where you could see it originally. But this is another tip: whenever you're injecting into the page, it could be invisible, it could be somewhere that you don't even see. So it's important that you search for every possibility when looking for XSS vulnerabilities. So if I hit Enter again, I see it somewhere else: it's in a Subscribe button. All right, so let's see where that is. If I hover over this, it's right there on the right side of the page, this Subscribe button right here. All right, so those are two places where you're injecting.

All right, so let's just break this down piece by piece and see if we can find the vulnerability. So the first step right here, this "asdf", this is inside HTML content. Being inside HTML content means one thing: it means we have to inject HTML tags in order for this to work. In order to get XSS when you're inside HTML content, you must inject HTML tags. So let's try that. So instead of just "asdf", let's try to make an HTML tag, and we can do a paragraph. So let's try this with <p> and close </p>. All right, this did not work; otherwise, if it injected a paragraph, you would see it on a new line. Like, I can change this also, let's make it <i> for italic. Okay, and it's not italicized, it's not slanty text, it's just straight vertical text like normal. And so this means that, again, this is in the HTML content and I tried to inject an HTML tag, which is the only way to get XSS in HTML content, and it didn't work, because I cannot inject any HTML. Instead, it's just treated as text. This means that the page is escaping this properly, as it should. So, great job so far.

Now there is another place, though, that we haven't tried out yet. So let's just reset this, go back and type in "asdf". And now I'm going to inspect the page, and let's see what we got here. I'm going to go to the second place, in that Subscribe button, and I see right now it's just set as an attribute. All right, there's nothing... it's not actually in an attribute, it's just being added inside of this tag, inside of this button right here. Okay, and so that means that, first off, let's see if we can break out of that, because we want to get into HTML content. We already know how to exploit HTML content: we just add in a new tag. So let's close this tag and then add in, let's say, an image tag. Actually, I don't want to do that, because I want to focus exactly on what we're doing. Because remember, we're in the HTML content. So we don't need to simplify this too much, because, you know, you can have more advanced skills, you can learn more than just a basic script tag, because I believe in you. All right, so you can learn, let's talk about, what is it called, event handlers. Okay, so let me talk to you about event handlers, and that is exactly what this person did: they did onmouseover and prompt "hacked". All right, so let's actually copy this right here. And if you don't have this, then let me share this with you. Working on my live stream skills right now. This is this HackerOne report right here, hackerone.com/reports/1145162, if you want to follow along with that.

All right, so this is where I am right now: I'm copying over this payload that fatal zero submitted and I'm putting it into my example here on CodePen. Let me paste it in. There we go: onmouseover, prompt "hacked". And so just like we saw in the video, let's try to do this. We'll mouse over the Subscribe, and there is the prompt. Okay, so this shows that XSS was achieved, because our JavaScript ran on the page. Got it, cool.

So one thing is that you see this has different capitalizations. This is to evade filters. Now, when I was looking at this page, I did not see any filters. Okay, so that means it was largely unnecessary; you didn't really need to do that. So fatal zero probably actually just copied this from maybe an XSS cheat sheet, or was just doing this as a preventative measure, just to bypass any kind of filter that may be there. All right, so we don't actually need that. So if we just change this to onmouseover and then change it to an alert, just keep it simple, this is exactly what I teach in the course. All right, and so on mouseover it's an alert. All right, there it is. And let's inspect this page just to see exactly what's going on again. So if we search for that button again, Control-F, and I'm going to search for "alert": first place, and here's the second place. All right, we have this button right here, and then the onmouseover attribute is set to alert, and that is how event handlers work. So we added a new HTML attribute and set it to alert, and this is why our JavaScript runs, this is why there is XSS that's worth thirty-five hundred dollars. Okay, so is that making sense right now? I got a few folks in here, hello everybody, thanks for joining.

All right, and so what I want to go through now is why they gave $3,500. So they have a calculator, based on the different factors. And so I put all these into the calculator right now. All right, and if you see, since it's a non-core environment, the bounty was $3,500. Okay, so makes sense, everything was good. So the complexity was high, the privileges required were none. You could just access anybody, send them this link, and then, you know, if they followed it, then they can be attacked if they were to mouse over that Subscribe button. All right, unless the user interaction was not required. All right, so their explanation was: we're awarding a $3,500 bounty for this issue. Then they linked to the CVSS calculator, and they set attack complexity to high, so on and so forth. But here is the key component right here: user interaction is required for this attack, as the target user must click on a malicious link. Okay, that is true. There is some user interaction, and the target does have to click on a link. However, let's go through and see if possibly there could be less user interaction.

So first of all, we can go over and talk about this right here. Like, let's say this wasn't on a page where you had to go through a URL; let's say it was just on the Subscribe page right here, and you can just get there. What we need to do is try to minimize the user interaction. All right, and so let's try to do that. So remember, whenever we have XSS, we have full control over the entire web page. All right, so as attackers, what we can do is use the tools of developers and change the web page itself. Okay, so what we can do, instead of just alerting, is change the style of the page. All right, so in order to do that, what we can do is set style equal to... and I'm just going to go through this; I break this down in other videos, and I even have it in my course, an XSS course which you can find right here at the website, chefsecure.com/courses/xss. And so let's see what we can do to minimize the user interaction on this page for mousing over the Subscribe button. Okay, so the style, what we want to do, is, again I'm just going to breeze through this, so: position is fixed, top 0, left 0, and then width 100 percent and height 100 percent. Then, before I go further, let's just try this. Right, you see I just clicked out of there and it automatically executed. All right, and this is why: so I made the Subscribe button fill the entire web page. This will completely eliminate the user interaction required to exploit this. Understood? So what we're doing here is, before, what we had to work with was just the small little Subscribe button right here. The user had to mouse over it, or the user had to click it if there was an onclick event handler, and then it would trigger the alert. But in this case, it's filling the entire screen with Subscribe.

Now if we do this again, but this time let's say we want to make it less suspicious, the way we could do that is very similar, and that's what I was talking about before. Let me copy this payload that I have right here, and then I will paste it in, and then it's going to set background to... All right, so now when I do this, you see the alert comes up automatically, I click OK, and then it doesn't fill in the entire page with this. Now remember, with JavaScript you control the entire page, so I can clean this up and make it look, you know, much better, much prettier, whenever this happens. And again, like, this is automatically going to happen. Like, where is the user interaction here? There is virtually none. There is no user interaction whenever you do this, because it automatically happens, because it fills the entire page and it's looking for the onmouseover event. And so once you load the page, this is pretty much automatically going to run, eliminating user interaction entirely.

So if you look in here, what is the user interaction? So it depends on what they're talking about: if they're talking about the user interaction to mouse over or click on the Subscribe button, or if it's just to get to this page. All right, and so one thing to consider is, if the user interaction is not for the... or rather, if the user interaction is talking about the Subscribe button, we just eliminated that, because we filled the entire page with CSS to make it automatically execute the XSS. All right, so keep this in mind whenever you're submitting vulnerabilities, if you find any, because this can raise the severity of the exploit, which could potentially result in a higher bounty. Okay, and so the interaction here, it's, uh, you know what "fugazi" is? Fugazi, it's a whazy, it's a woozy, it's not real, it's nothing. There's no user interaction, because it's automatically going to happen: once you go to a web page, you're automatically going to put your mouse over it, and it's going to execute. So if there's no user interaction, and there's none here, this will raise the bounty to $5,300. That's a lot more than $3,500; that's $1,800 more, that's over 50 percent more for the bounty award.

All right, and so keep that in mind if you are looking for vulnerabilities. So I don't know, again, what Shopify is referring to, or if fatal zero knew about this, but if this does increase the likelihood of getting, you know, a greater bounty, then, you know, I think it'd be awesome for Shopify to definitely award fatal zero the extra bounty, if it makes sense to them, because I think this is an awesome find, and I think that fatal zero did a great job and helped out quite a bit. So that's all I wanted to do today: go over that and show you basically the process of how you can find XSS vulnerabilities, and also how you can write up your reports and create your payloads so that you can potentially increase the amount of bounty that you have. All right, so that is all I got, and so I will see y'all again next time. Thanks for joining, and take care. Peace.
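The two reflection points the stream inspects (the search term rendered as text inside a span, and the same term landing inside the Subscribe button's start tag) modelled in code, as an added example that is not code from the video, from Chef Secure, or from Shopify's Exchange Marketplace. It shows a hypothetical server-side template with the unescaped tag-context reflection beside the same template with the value quoted and attribute-escaped, plus a small scanner that lists event-handler attributes in rendered markup so a fix can be checked. The template shapes, the `data-q` attribute name, the function names and the sample inputs are all constructed assumptions.

```javascript
// Added example (not code from the video or from Shopify): models the two
// reflection points seen in the stream and checks a context-aware escaping fix.

// Escape for HTML text content (the <span> context in the video).
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escape for a double-quoted attribute value. Quotes must be neutralised too,
// otherwise the value can close the attribute and start a new one.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s).replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
}

// Hypothetical vulnerable template (constructed). The term is escaped in the
// span, which is why <p> and <i> rendered as literal text in the video, but it
// is dropped raw into the button's start tag. In tag context no tag is needed:
// a new attribute such as an event handler is enough.
function renderVulnerable(q) {
  return `<span class="term">${escapeHtmlText(q)}</span>\n` +
         `<button class="subscribe" ${q}>Subscribe</button>`;
}

// Same page with the term placed in a quoted, attribute-escaped value, so the
// input can never introduce a new attribute or leave the value it was put in.
function renderFixed(q) {
  return `<span class="term">${escapeHtmlText(q)}</span>\n` +
         `<button class="subscribe" data-q="${escapeHtmlAttr(q)}">Subscribe</button>`;
}

// Tokenise the attribute section of a start tag into attribute names, honouring
// quoted values so that text inside a value is not mistaken for an attribute.
function attributeNames(attrText) {
  const names = [];
  const re = /([^\s="'<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// List "tag.onevent" pairs for every on* attribute in the markup. Simplified
// scanner: it assumes no raw ">" inside attribute values, which holds for
// escaped output and is enough to compare the two templates above.
function injectedEventHandlers(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    for (const name of attributeNames(m[2])) {
      if (name.startsWith("on")) found.push(`${m[1].toLowerCase()}.${name}`);
    }
  }
  return found;
}

// Constructed inputs: the harmless marker used in the video and an
// attribute-injection probe of the kind the report demonstrated.
const MARKER = "asdf";
const PROBE = "x onmouseover=alert(1)";

console.log(renderVulnerable(PROBE));
console.log("vulnerable:", injectedEventHandlers(renderVulnerable(PROBE))); // [ 'button.onmouseover' ]
console.log("fixed:     ", injectedEventHandlers(renderFixed(PROBE)));      // []
```

The marker-first workflow from the stream maps onto this directly: render the page with a harmless marker, find every place it lands, and apply the escaping rule for that place (text, quoted attribute, and so on); the scanner is the kind of check a regression test can run on the template output after the fix.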
