ScriptTag Security Best Practices?


The one thing I'm still slightly worried about with using scripttags is the possibility of an MITM attack. Or heck, even a direct attempt at exploiting my scripttag endpoints.

Due to the level of complexity of this app, the usual routine is not going to cut it for me. When a customer goes to a client's shop, the only thing I get server-side is the shop name via GET vars. There is no hmac I can use to authenticate the origin of the request. There is absolutely zero method available (as far as I can tell) to know for certain that I'm not getting fed spoofed IPs and DNS injections.

It would seem that all an attacker would need to do is fake their IP/DNS and send a request to my endpoints with "?shop=shopname.myshopify.com" at the end, and they can start poking, picking, MITM-ing, yadda yadda yadda.

What is everybody else doing? How are you securing your scripttags? *IS* there actually an hmac and/or nonce laying around in the cacophony of javascript spaghetti in the shop's storefront?

The best I have right now is that I'm checking as many server/env variables as is feasible; then I check for the shop in my database, and at that point my server says, "uh - ok, I guess that's good enough, here's the JS..." and lets the script load. Once that's loaded, it grabs the customer ID and tags it onto the end of another URL along with a few other things, to kick it back to the server. Then the second script-load builds out the customer's personal settings and that's about it ... which all seems way too flimsy to me. I mean, I haven't actually tried to pentest it yet, but I'm almost 99% sure I could force the server to spill its guts all over the web page.

What are you guys doing? Please tell me there's some obscure hidden blog somewhere, as per Shopify's M.O., that actually says there's an hmac/nonce I can pull back and validate - or some other far more secure method for handling this.

Seriously - please give me some good news
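The two-step flow described in the post (serve the script for ?shop=..., then accept a callback carrying a customer ID) can at least be given the hmac/nonce the poster is asking for, even though Shopify attaches none to script tag loads. The following is an added example, not code from the post or from Shopify: it assumes one shared app secret (`APP_SECRET`), an in-memory set standing in for the install database, and a hypothetical `APP_TOKEN` variable in the served JS. Part one has the server mint a signed, time-limited token when it serves the first script and verify it on the callback, so a request to the settings endpoint must at least have come through the script the server itself served for a known shop recently. Part two verifies the `signature` parameter that Shopify does add to app proxy requests (HMAC-SHA256 over the sorted, separator-less `key=value` parameters), which is the storefront-originated hmac the post is hoping for; the signing helper reproduces Shopify's side only so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed for this example: a real app loads the secret from config and
# the installed-shop list from its database.
APP_SECRET = b"example-app-secret-do-not-use"
INSTALLED_SHOPS = {"shopname.myshopify.com"}
TOKEN_TTL = 300  # seconds a minted token stays valid


def hmac_hex(message: bytes, secret: bytes = APP_SECRET) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


# --- Part one: the app's own nonce/hmac for the script -> callback hop ---

def serve_script(shop: str, now=None):
    """First request: ?shop=... is all the server sees. The DB lookup only
    proves the shop has the app installed; the request itself is still
    unauthenticated. Returns the JS with an embedded signed token, or None."""
    if shop not in INSTALLED_SHOPS:
        return None
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    token = f"{shop}|{ts}|{nonce}"
    # Hypothetical script body; the real app's JS is not on the page.
    return f'var APP_TOKEN = "{token}|{hmac_hex(token.encode())}";'


def verify_token(token_with_sig: str, shop: str, now=None) -> bool:
    """Second request: the callback presents APP_TOKEN. Accept only if this
    server signed it, it names the same shop, and it has not expired.
    It does NOT authenticate the customer: the customer ID the script sends
    alongside it is still untrusted client input."""
    try:
        t_shop, t_ts, t_nonce, t_sig = token_with_sig.split("|")
        issued = int(t_ts)
    except ValueError:
        return False
    expected = hmac_hex(f"{t_shop}|{t_ts}|{t_nonce}".encode())
    if not hmac.compare_digest(expected, t_sig):  # constant-time compare
        return False
    if t_shop != shop:
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= TOKEN_TTL


# --- Part two: the signature Shopify adds to app proxy requests ---

def _canonical_query(params: dict) -> str:
    # key=value per parameter, repeated keys joined with ',', sorted, and
    # concatenated with no separator (this differs from the OAuth hmac,
    # which joins with '&').
    return "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))


def sign_app_proxy_query(query_string: str, secret: bytes = APP_SECRET) -> str:
    """What Shopify does before forwarding an app proxy request; reproduced
    here only so the example can be exercised offline."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    params.pop("signature", None)
    return query_string + "&signature=" + hmac_hex(_canonical_query(params).encode(), secret)


def verify_app_proxy_signature(query_string: str, secret: bytes = APP_SECRET) -> bool:
    """The app's side: recompute the HMAC over everything except `signature`
    and compare in constant time. A missing signature is a failure, not a pass."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    provided = params.pop("signature", [None])[0]
    if not provided:
        return False
    return hmac.compare_digest(hmac_hex(_canonical_query(params).encode(), secret), provided)


if __name__ == "__main__":
    js = serve_script("shopname.myshopify.com")
    token = js.split('"')[1]
    print("callback accepted:", verify_token(token, "shopname.myshopify.com"))
    signed = sign_app_proxy_query("shop=shopname.myshopify.com&path_prefix=%2Fapps%2Fexample&timestamp=1317327555")
    print("proxy signature valid:", verify_app_proxy_signature(signed))
    print("tampered proxy query:", verify_app_proxy_signature(signed.replace("shopname", "evil")))
```

The minted token bounds replay and ties the callback to a shop the app actually serves, but since the first request is open to anyone who knows a shop domain, the settings endpoint should only ever return data that is safe to show to any visitor of that storefront; anything customer-specific needs a channel Shopify signs for you, which is what the app proxy path provides.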

Most people, it turns out, just aren't interested unless they have to pay for it. Go figure.