We have developed a public app. We are using the same official Shopify tutorial: https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react
As part of vulnerability testing we have encountered the issues below:
1. Cross-Site Scripting. We are consuming third-party APIs. How can this Cross-Site Scripting issue be resolved?
2. Output Encoding. It says: "Output encoding allows web applications to handle unexpected output gracefully. Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead." How do we fix this?
3. Cross-Domain Script Include. It says: "Applications may include third-party scripts served from untrusted remote servers. If the source code on the untrusted server is altered, changes will propagate to the user browser via the application."
We are using App Bridge in our app. Is this URL causing the issue? https://unpkg.com/@shopify/app-bridge@^1
How do we fix this? How do we enable this locally?
4. Cross Site Request Forgery
5. Shopify uses a session ID in the URL. When the session ID is passed in the URL, it will be logged in clear text and be more easily viewed by other parties.
It may be possible to steal the user-validated session tokens. An attacker with a valid session token may authenticate as a legitimate user without credentials.
Can anyone give some insight into fixing these issues?
Thanks for participating in the forums!
If you believe you have found a security vulnerability, please report it via our HackerOne page: https://hackerone.com/shopify?type=team
This ensures that we can fix the issue and notify affected parties before publicly revealing the vulnerability.