
$500 Bounty on Reflected XSS on Shopify

Bug Bounty Writeups Archived Mar 17, 2026 ✓ Full text saved



Cyberbeat · Feb 21, 2024

What is XSS?

XSS stands for Cross-Site Scripting. It is a vulnerability in web applications in which an attacker injects a malicious payload into the code of a website, either to gather valuable information about the victim or to lure the victim into taking an action.

What is the Same Origin Policy and why does it matter?

The Same Origin Policy (SOP) is a security mechanism by which the browser prevents scripts running from origin X from accessing data belonging to origin Y. Cross-site scripting abuses this mechanism: the injected script runs as part of the vulnerable site, so the browser treats it as same-origin code. Attackers exploit this to steal sensitive information, perform unauthorized actions on behalf of users, or hijack user sessions. In worse cases, it could also lead to cross-site request forgery (CSRF) and data breaches.

How does it work?

An XSS attack involves three steps.

Step 1: The attacker injects malicious code into the vulnerable website.

Step 2: The victim logs into the application. As soon as the victim logs in, the malicious code is triggered.
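The injection described above, shown for the reflected variant named in the title as an added example (not code from the original article or from Shopify). The /search page, the "q" parameter, the shop.example host and all function names are hypothetical; the sample inputs are constructed.

```javascript
// Added example. Page, parameter and function names are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can change HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function queryParam(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable: the request value is concatenated into the markup unchanged, so
// markup in "q" becomes part of the page and runs in the site's own origin.
function renderVulnerable(url) {
  const q = queryParam(url);
  return { headers: {}, body: `<h1>Results for ${q}</h1><input name="q" value="${q}">` };
}

// Hardened: encode on output, plus two layers that limit the damage if an
// encoding step is ever missed. CSP refuses inline script, and HttpOnly keeps
// the session cookie out of reach of document.cookie.
function renderHardened(url) {
  const q = escapeHtml(queryParam(url));
  return {
    headers: {
      'Content-Security-Policy': "default-src 'self'; script-src 'self'",
      'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax',
    },
    body: `<h1>Results for ${q}</h1><input name="q" value="${q}">`,
  };
}

// Constructed inputs: a harmless marker tag and an attribute break-out.
const SAMPLES = [
  'https://shop.example/search?q=' + encodeURIComponent('<script>alert(1)</script>'),
  'https://shop.example/search?q=' + encodeURIComponent('" autofocus onfocus="alert(1)'),
];

// The template itself contains 3 '<' and 4 '"'. Any more means the reflected
// value changed the structure of the markup instead of staying inert text.
function isInert(body) {
  return body.split('<').length - 1 === 3 && body.split('"').length - 1 === 4;
}

for (const url of SAMPLES) {
  console.log(isInert(renderVulnerable(url).body), isInert(renderHardened(url).body));
}
```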