Shopify for exporting installed users

On December 7th, 2015, a bug bounty hunter called Harishkumar reported a CSRF vulnerability to Shopify, affecting a method exposed by the Shopify API.

The proof of concept Harishkumar submitted for the weakness is the following:

<html> 
<head><title>csrf</title></head> 
<body onLoad="document.forms[0].submit()"> 
<form action="https://app.shopify.com/services/partners/api_clients/1105664/export_installed_users" method="GET"> 
</form> 
</body> 
</html> 

As you see, the export_installed_users method is called by a GET request using the action parameter in a form. Because the endpoint accepts a plain GET request with no CSRF token, the victim's browser automatically attaches their Shopify session cookies, so the export runs with the victim's privileges on whatever page hosts the form. Harishkumar took advantage of this to perform the attack.

As a tip to discover vulnerabilities like this, you can do the following:

  • Analyze the HTTP requests and responses, looking for missing CSRF token protection. Tokens normally travel in a request header or a hidden form field; if a state-changing request carries no token, the vulnerability is likely exploitable.
  • Check which URLs each form submits to, paying particular attention to forms that call API endpoints with side effects, as happened in this bug.
If you want to read more about this bug, check out https://hackerone.com/reports/96470.