To continue accessing Shopify Help Center support, please verify and complete your account information below.
Your account is missing required information. Please fill in the fields marked with * before continuing.
As it appears on your account
Email address cannot be changed here
This page simulates Shopify's help center account confirmation endpoint.
The ?returnTo= parameter is intended to redirect users after they confirm their details.
Unlike the previous labs, there is no HTML to break out of.
The input lands directly as an href value. The question is:
what URI schemes does a browser accept in an href attribute?
Try: ?returnTo=javascript:alert(document.cookie) — then click Continue.
Bonus: The same parameter also enables an Open Redirect.
Try: ?returnTo=https://evil.com and click Continue.