I found some strange behavior on Shopify: an attacker can change the extension on a URL and the backend will return an HTTP Content-Type corresponding to that extension, for each of these extensions:
For example, https://gavinwahl-test.myshopify.com/.foo.yml returns 'Content-Type: application/x-yaml' even though it is a 404. https://gavinwahl-test.myshopify.com/search.svg returns the HTML of the actual search page but with the content type image/svg+html.
The search page also allows you to insert text of your choice (HTML-escaped):
https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00, for example, returns application/zip and is actually a valid zip file (despite the HTML surrounding it).
It seems like there should be a vulnerability here. The search query is HTML-escaped, but we can tell the browser to interpret it as another type of content, which may have different escaping rules. This has already been done with EML (Microsoft Outlook Express mail message) files. I know there are many vulnerabilities in which content of one type is interpreted as a different type of content, but Shopify claims that this practice is safe and not exploitable.
Is there actually a good argument that this is safe? Is there a way to get a working XSS payload out of this content-type confusion?
(I reported this as a problem to Shopify Security and they said it was safe, so I'm posting it)
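As an added example (not code from the original post and not Shopify's code), the script below reproduces the zip observation offline and shows the property that makes it work: the 22-byte End Of Central Directory record contains none of the five characters an HTML escaper rewrites, so it passes through the reflection byte-for-byte, and a ZIP reader locates it by scanning backwards, tolerating the HTML on both sides. The search-page template is a hypothetical stand-in for the real page; an `<svg>` payload is included to show the contrast with a format whose structure depends on the escaped characters.

```python
import html
import io
import zipfile
from urllib.parse import unquote_to_bytes

# Smallest valid ZIP archive: a 22-byte End Of Central Directory (EOCD) record
# with zero entries. "PK\x05\x06" is the EOCD signature; the remaining 18 bytes
# (disk numbers, entry counts, central-directory size/offset, comment length)
# are all zero. This is exactly what the post's ?q= parameter encodes.
EMPTY_ZIP_EOCD = b"PK\x05\x06" + b"\x00" * 18

# The bytes html.escape(quote=True) rewrites. A payload that avoids all of them
# comes back from an HTML-escaping reflection unchanged.
HTML_ESCAPED_BYTES = b"&<>\"'"


def percent_encode_all(payload: bytes) -> str:
    """Percent-encode every byte, matching the %50%4b... form used in the post."""
    return "".join(f"%{b:02x}" for b in payload)


def survives_html_escape(payload: bytes) -> bool:
    """True if the payload contains none of the bytes HTML escaping would alter."""
    return not any(b in HTML_ESCAPED_BYTES for b in payload)


def mock_search_response(query: str) -> bytes:
    """Hypothetical stand-in for the search page (assumed template, not Shopify's markup).

    It URL-decodes the raw ?q= value, HTML-escapes it, and reflects it inside the
    page body, which is the behaviour the post describes.
    """
    raw = unquote_to_bytes(query).decode("latin-1")  # latin-1 maps every byte 1:1
    reflected = html.escape(raw, quote=True)
    page = (
        "<!DOCTYPE html><html><body>"
        f'<h1>Search results for "{reflected}"</h1>'
        "<p>No results found.</p></body></html>"
    )
    return page.encode("latin-1")


def is_valid_zip(body: bytes) -> bool:
    """Does a ZIP reader accept the body?

    zipfile finds the EOCD by searching backwards from the end of the file (up to
    64 KiB + 22 bytes, the maximum archive-comment length), so leading and
    trailing HTML are tolerated as long as the record itself is intact.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    q = percent_encode_all(EMPTY_ZIP_EOCD)
    body = mock_search_response(q)
    print("query:", q)
    print("EOCD survives HTML escaping:", survives_html_escape(EMPTY_ZIP_EOCD))
    print("reflected page parses as a ZIP:", is_valid_zip(body))
    svg = b'<svg onload="alert(1)">'
    print("SVG payload survives HTML escaping:", survives_html_escape(svg))
```

Two caveats when carrying this from the mock to a real page: `zipfile` (like most readers) only scans the last 64 KiB + 22 bytes for the EOCD, so a page whose markup after the reflection point exceeds that window will not open as an archive even though the bytes are present; and the contrast with the SVG payload is the whole argument, since any format whose parser needs `<`, `>`, `&` or quotes to reach executable content is stopped by the same escaping that the zip bytes slip past.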