ScriptTag Security Best Practices?

PhobosTech
Shopify Partner

The one thing I'm still slightly worried about with using scripttags is the possibility of an MITM attack. Or heck, even a direct attempt at exploiting my scripttag endpoints.


Due to the level of complexity of this app, the usual routine is not going to cut it for me. When a customer goes to a client's shop, the only thing I get server-side is the shop name via GET vars. There is no hmac I can use to authenticate the origin of the request. There is absolutely zero method available (as far as I can tell) to know for certain that I'm not getting fed spoofed IPs and DNS injections.

It would seem that all an attacker would need to do is fake their IP/DNS and send a request to my endpoints with "?shop=shopname.myshopify.com" at the end, and they can start poking, picking, MITM-ing, yadda yadda yadda.

What is everybody else doing? How are you securing your scripttags? *IS* there actually an hmac and/or nonce laying around in the cacophony of javascript spaghetti in the shop's storefront?

The best I have right now is that I'm checking as many server/env variables as is feasible; then I check for the shop in my database, and at that point my server says, "uh - ok, I guess that's good enough, here's the JS..." and lets the script load. Once that's loaded, it grabs the customer ID and tags it onto the end of another URL along with a few other things, to kick it back to the server. Then the second script-load builds out the customer's personal settings and that's about it ... which all seems way too flimsy to me. I mean, I haven't actually tried to pentest it yet; but I'm almost 99% sure I could force the server to spill its guts all over the web page.

What are you guys doing? Please tell me there's some obscure hidden blog somewhere, as per Shopify's M.O., that actually says there's an hmac/nonce I can pull back and validate - or some other far more secure method for handling this.

Seriously - please give me some good news

Most people, it turns out, just aren't interested unless they have to pay for it. Go figure.
sravans
Excursionist

@PhobosTech

How did you manage to secure the REST endpoints exposed via Script Tag?

I'm surprised no one from Shopify responded to it for such an important topic.

PhobosTech
Shopify Partner

That is a good question.

I actually had to hack the shnippers out of my endpoints.

First, I had to configure my server to serve my server-side scripts as if they were JS files. So - for example:

My endpoint file is - oh, let's call it ... my_scripttag.js.rb

So it's actually a Ruby file (or Python, or PHP ... or whatever you happen to be serving)

Then I instructed my server to, when my_scripttag.js is called (notice it's my_scripttag.js ... with a .js at the end), run my_scripttag.js.rb as the server-side file it is. Then, spit back actual generated JS from the ruby file.

This way, I was able to generate a nonce and actually perform several other security measures that would otherwise have been impossible. Now, this isn't perfect - BUT - it's a lot better than doing nothing.

The largest problem with this is that you cannot be absolutely sure who's calling your scripttag; BUT you have almost total control (security wise) of everything that happens after that.

For most things - this works, and if it doesn't, there's almost surely a way to figure it out.

I hope that helps you

And yes - very lame that Shopify has not addressed this issue. Even more lame that it seems to be something that almost everybody else has totally ignored. But ... what do you do?

Good luck!

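One way to build the nonce-issuing scripttag endpoint described in the answer above, as an added example in Ruby that is not PhobosTech's code: the shop parameter is validated against an install table, a short-lived HMAC-signed nonce is embedded in the generated JS, and the second hop verifies it before serving customer settings. APP_SECRET and INSTALLED_SHOPS are assumed placeholders, and the web-server wiring that maps my_scripttag.js to this handler is left out, as in the answer.

```ruby
require "openssl"
require "securerandom"
require "json"

# Added example (not PhobosTech's code): a minimal Ruby version of the
# "serve my_scripttag.js from a server-side file" idea.  Assumed: a
# per-app secret and a table of shops that actually installed the app.
APP_SECRET = "constructed-secret-replace-me"       # assumption
INSTALLED_SHOPS = ["example-store.myshopify.com"]  # constructed
SHOP_RE = /\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z/

def hmac(msg)
  OpenSSL::HMAC.hexdigest("SHA256", APP_SECRET, msg)
end

# Constant-time string comparison so the nonce signature check does not
# leak how many leading bytes matched.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a short-lived nonce bound to the shop. Only a well-formed
# *.myshopify.com name that is in the install table gets one.
def issue_nonce(shop, now = Time.now.to_i)
  return nil unless shop =~ SHOP_RE && INSTALLED_SHOPS.include?(shop)
  payload = "#{shop}|#{now + 300}|#{SecureRandom.hex(8)}"
  "#{payload}|#{hmac(payload)}"
end

# Body served for GET /my_scripttag.js?shop=...: generated JS carrying the
# nonce, so the second hop (customer settings) can be tied to this issuance.
def render_scripttag_js(shop)
  nonce = issue_nonce(shop)
  return nil if nonce.nil?
  "(function(){var n=#{nonce.to_json};" \
  "fetch('/settings.js?shop=#{shop}&nonce='+encodeURIComponent(n));})();"
end

# Check on the second hop: signature, shop match and expiry must all hold.
def verify_nonce(nonce, shop, now = Time.now.to_i)
  shop_in, expires, salt, sig = nonce.to_s.split("|", 4)
  return false if sig.nil?
  return false unless secure_eq(hmac("#{shop_in}|#{expires}|#{salt}"), sig)
  shop_in == shop && expires.to_i > now
end
```

This still cannot prove who requested my_scripttag.js in the first place, which is the gap the answer points out; it only ensures the follow-up settings request was issued by your own generated script for an installed shop and within the last five minutes.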
PhobosTech
Shopify Partner

Hey, just an FYI - I had posted an answer, but the automated spam filter apparently thinks it's possible spam. So - we'll await the morning spam review process. If they don't release the answer, I'll post a new one - but they should ... I mean, it's sure as crud not spam, sooo ... *shrugs*
