I found a strange behavior of Shopify, where an attacker can change the extension in a URL and the backend will send an HTTP Content-Type that matches that extension, for each of these extensions:
For example, https://gavinwahl-test.myshopify.com/.foo.yml returns 'Content-Type: application/x-yaml', even on a 404. https://gavinwahl-test.myshopify.com/search.svg returns the HTML of the actual search page but with an image/svg+html content-type.
The search page also lets you insert text of your choice (HTML-escaped):
https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00, for example, returns application/zip and is actually a valid zip file (despite having HTML around it).
It seems that there should be a vulnerability here. The search query is HTML-escaped, but we can tell the browser to interpret it as some other content type that may have different escaping rules. This has been done with EML files (Microsoft Outlook Express emails) previously. I know there are many vulnerabilities in which content of one type is interpreted as a different content type, but Shopify states that this practice is safe and not exploitable.
Is there really a good argument that this is safe? Is there any way to get a reflected XSS payload based on the content-type confusion?
(I have reported this as an issue to Shopify Security and they said it was safe, so I am publishing it publicly.)
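To make the behaviour in the question concrete from a defender's side, here is an added example (not code from the question, and not Shopify's implementation) that reimplements a toy search endpoint two ways: a hypothetical `weak_search_handler` that derives the response Content-Type from the URL's file extension, as the question describes, and a `hardened_search_handler` that always labels the page as HTML and adds `X-Content-Type-Options: nosniff`. The hostname `example.invalid`, the page template and the helper names are constructed for the example; the 22-byte query from the question is reused to show that the weak version really does hand back an `application/zip` response that Python's `zipfile` accepts.

```python
import io
import mimetypes
import zipfile
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed page template standing in for the real search page.
PAGE = "<html><body><h1>Search</h1><p>Results for: {q}</p></body></html>"


def _render(url):
    """Parse the query string and render the HTML-escaped search page."""
    parts = urlsplit(url)
    q = parse_qs(parts.query).get("q", [""])[0]
    return parts, PAGE.format(q=escape(q)).encode("utf-8")


def weak_search_handler(url):
    """Hypothetical reimplementation of the behaviour in the question:
    the Content-Type is picked from the URL's extension, so /search.zip
    is served as application/zip even though the body is HTML."""
    parts, body = _render(url)
    ctype, _ = mimetypes.guess_type(parts.path)
    headers = {"Content-Type": ctype or "text/html; charset=utf-8"}
    return headers, body


def hardened_search_handler(url):
    """Fixed variant: the extension in the path never influences the
    Content-Type, and nosniff tells the browser not to second-guess it."""
    _, body = _render(url)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def looks_like_zip(body):
    """True if the bytes would be accepted as a zip archive (an empty
    end-of-central-directory record is enough for zipfile)."""
    return zipfile.is_zipfile(io.BytesIO(body))


if __name__ == "__main__":
    # The 22-byte payload from the question: PK\x05\x06 plus 18 zero bytes.
    url = "https://example.invalid/search.zip?q=%50%4b%05%06" + "%00" * 18
    for handler in (weak_search_handler, hardened_search_handler):
        headers, body = handler(url)
        print(handler.__name__, headers, "zip-parsable:", looks_like_zip(body))
```

The body is identical in both cases and stays a valid zip container either way; what the hardened handler changes is that the response is labelled as HTML regardless of the path and that `nosniff` stops the browser from reinterpreting it, which is the property to verify when auditing a site for this class of issue.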