Shopify Penetration Testing: Liquid SSTI, Theme Security & App Proxy
Shopify powers thousands of e-commerce stores worldwide. The platform is generally secure (Shopify manages infrastructure and payment processing), but custom themes, internally developed apps, and Shopify Plus custom configurations expose specific attack surfaces. Matproof Sentinel runs Shopify pentests focused on Liquid SSTI, theme XSS, app proxy abuse, and webhook signing, with audit-ready GDPR/PCI-DSS reports from €149.
Why Shopify requires specific pentest expertise
Shopify is the dominant e-commerce platform globally, with over 175,000 active merchants in Europe in 2024. While Shopify manages infrastructure and payment processing security (PCI-DSS Level 1), the responsibility for custom themes, in-house apps, and Shopify Plus configurations is the merchant's. Liquid (Shopify's template engine) is generally sandboxed, but implementation errors can enable SSTI (Server-Side Template Injection). For Shopify Plus with custom apps, the app proxy is a classic attack surface: if authentication doesn't properly validate Shopify's HMAC signature, an attacker can fake legitimate storefront requests. CVE-2022-21664 (Shopify Marketplace, 2022) exposed exploitable bugs in review submission validation.
- CVE-2022-21664 (Shopify Marketplace): exploitable bug in review submission validation, indicative of attack patterns seen on the Shopify platform.
- Liquid SSTI: implementation errors in custom themes can enable SSTI via Liquid objects with unsanitized user input.
- Theme XSS: theme.liquid with user input in query params, customer reviews/comments without proper escaping.
- App proxy abuse: custom apps with app proxy that don't validate HMAC signature from Shopify.
- Webhook signing: custom webhook endpoints that don't verify X-Shopify-Hmac-Sha256 header.
- Shopify Plus scripts (Ruby): Shopify Scripts were deprecated in 2024 in favor of Functions, but legacy Scripts may still be deployed.
- GDPR Art. 32 for customer data: Shopify manages much, but data export via apps and custom integrations is the merchant's responsibility.
What we specifically test in a Shopify store
- Theme.liquid audit: search for Liquid SSTI patterns (output of objects with user input), XSS in customer reviews, exposed metadata via unsanitized {{ }}.
- Theme customization permissions: settings_schema.json and settings_data.json for admin input validation, theme app extensions security.
- Custom apps: app proxy HMAC signature validation, webhook endpoints HMAC verification, OAuth scope minimization, API token rotation.
- Storefront API: rate limiting (Shopify sets a limit but it may be insufficient), customer enumeration via GraphQL queries, exposed private metafields.
- Checkout extensions: server-side payment validation (never trust the client), input validation in custom shipping calculators, authorization checks on post-purchase upsells and cross-sells.
- Shopify Functions (Rust-based, 2024+): Function code review for manipulable pricing/discount/shipping logic, exploitable performance issues for DoS.
- GraphQL Admin API: query depth limiting, exposure of unnecessary data, scope token analysis.
- Webhooks reliability: idempotency check, signature verification, replay attack prevention with timestamp.
- Liquid template performance: search for constructs that can cause DoS via infinite loops or nested for-loops in custom themes.
- PCI-DSS scope: for Shopify Plus merchants with custom checkout, verification of correct PCI-DSS scope.
Sample finding
App Proxy without HMAC validation: forgery of storefront requests
The merchant's custom application uses an app proxy to serve an internal mini-app at /apps/custom-config. The backend endpoint does not validate the HMAC signature that Shopify appends in the signature URL parameter, so an attacker can send requests directly to the backend while posing as the Shopify storefront, including manipulated customer_id, shop, and logged_in_customer_id query parameters. During the test this allowed: (1) reading other customers' order history by manipulating customer_id; (2) injecting admin-only parameters; (3) potential cross-customer data leakage.
Fix: Immediate action: implement HMAC signature validation in every app proxy endpoint. Complementary actions: rotate the Shopify API secret if the unvalidated endpoint was in production for more than 24 hours; audit the last 90 days of logs for anomalous requests; add rate limiting at the WAF level; use a constant-time comparison for the signature check to avoid timing side channels.
Reference: Shopify App Documentation - HMAC Validation · CWE-345 Insufficient Verification of Data Authenticity · OWASP A02:2021 · GDPR Art. 32(1)(b)
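Added example, not code from the page or from Shopify: the server-side checks the finding above calls for (app proxy signature validation with a constant-time compare) together with the webhook X-Shopify-Hmac-Sha256 verification and timestamp replay check listed under "What we specifically test". The canonicalisation follows Shopify's documented app proxy scheme; the 300-second replay window, the secret and the sample query and body are constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs


def app_proxy_message(query: str) -> str:
    """Canonicalise an app proxy query string the way Shopify signs it:
    drop `signature`, sort the remaining keys, render each as key=value
    (repeated keys joined with ','), and concatenate with NO separator."""
    # keep_blank_values: Shopify sends logged_in_customer_id= for guests and
    # that empty pair is still part of the signed message.
    params = parse_qs(query, keep_blank_values=True)
    params.pop("signature", None)
    return "".join(f"{k}={','.join(v)}" for k, v in sorted(params.items()))


def sign_app_proxy(query: str, secret: str) -> str:
    """Hex HMAC-SHA256 of the canonical message, keyed with the app secret."""
    msg = app_proxy_message(query).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_app_proxy(query: str, secret: str, now=None, max_age: int = 300) -> bool:
    """True only if `signature` matches AND `timestamp` is within max_age seconds
    (the replay window is an added hardening choice, not part of Shopify's spec)."""
    params = parse_qs(query, keep_blank_values=True)
    signature = params.get("signature", [""])[0]
    # compare_digest is constant-time, so mismatching bytes do not leak timing
    if not hmac.compare_digest(sign_app_proxy(query, secret), signature):
        return False
    try:
        ts = int(params.get("timestamp", [""])[0])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    return abs(now - ts) <= max_age


def sign_webhook(raw_body: bytes, secret: str) -> str:
    """Value Shopify puts in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, body))."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(raw_body: bytes, hmac_header: str, secret: str) -> bool:
    """Verify against the raw request bytes, never a re-serialised JSON body."""
    return hmac.compare_digest(sign_webhook(raw_body, secret), hmac_header)
```

Run the verification before any handler logic reads customer_id or logged_in_customer_id, and reject with 401 rather than falling through to an unauthenticated path.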
Shopify pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Shopify pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about Shopify pentest
Doesn't Shopify already handle all security? Why a pentest?
Shopify manages infrastructure and payment processing (PCI-DSS Level 1), but responsibility for custom themes, internally developed apps, and integrations is the merchant's. For Shopify Plus with custom Liquid, app proxy, custom checkout extensions, or Shopify Functions, a pentest is essential.
Do you also test apps installed from the Shopify App Store?
For public apps from the App Store (reviewed by Shopify), risk is low. We focus instead on: private/development apps built by the merchant, custom apps from partners, and less popular apps (< 1k installs) that may have had minimal security review.
What do you test for Shopify Functions?
Shopify Functions (Rust-based, GA 2024) have their own security concerns: input validation in Function logic, performance limits (Functions have an 11ms timeout, which complex logic can be pushed past to cause a denial of service), and manipulable business logic for discounts, shipping and pricing.
Can we integrate Matproof in our CI/CD for Shopify theme deployment?
Yes. For a Shopify CLI workflow: GitHub Actions integration on PRs to the main branch of the theme repository, with an automated scan on each `shopify theme push`. Critical/High findings can block the deploy.
Does the pentest cover PCI-DSS compliance for our Shopify stores?
Shopify has PCI-DSS Level 1 certification. If you use Shopify Payments (native gateway), your PCI-DSS scope is minimal (SAQ-A). If you use alternative gateways, the scope extends.
Do you also test Hydrogen (Shopify React framework)?
Yes. Hydrogen is a Next.js-based framework for Shopify headless commerce. It combines Next.js risks (CVE-2024-43481 middleware bypass, ISR cache poisoning) with Hydrogen-specific ones: Storefront API token management and customer authentication.
How long does a complete Shopify pentest take?
Automated scan: 45-60 minutes for a standard Shopify store, 90-120 minutes for Shopify Plus with custom apps. Audit-ready report within 24 hours.
Is the report accepted for GDPR audits and marketplace security questionnaires?
Yes. The technical report provides evidence of adequate security for GDPR Art. 32. For marketplaces requiring security questionnaires (Amazon Vendor Central, ePrice B2B), the Matproof Sentinel report directly answers technical questions.
Protect your Shopify store now
First scan in 3 minutes, complete Shopify pentest in 45-90 minutes. Audit-ready GDPR/PCI-DSS report from €149.