On December 21th, 2015 a bug bounty hunter called kranko reported a very simple vulnerability in Shopify, an application to create online stores.

The XSS is given in the next line:

    https://wholesale.shopify.com/asd%27%3Balert%28%27XSS%27%29%3B%27

As you can see, this XSS is reflected. We can see this because it exploits a GET request.

Maybe you are confused, because you cannot see the parameter that is injected by the attacker. There are some applications that use this kind of magic URL. That means in the URL, each word could be used as a parameter. This kind of magic URL is very common in applications that auto-generate URLs, such as blogs, online stores, or news websites.

Finally, we can see that, in order to avoid the filters, the string injected into the parameter is encoded.

If you want to read the complete report, you can find the original post here: https://hackerone.com/reports/106293.