NewN-Day-BenchView benchmark
winfunc
Shopify App Security

Ship a Shopify app that passes review and survives production.

Winfunc's autonomous AI security agents audit your Shopify app's OAuth flow, webhook HMAC verification, App Bridge session tokens, and Admin API calls — find exploitable vulnerabilities, prove them with a working PoC, and open fix pull requests in hours.

Zero false positives — every finding is proven exploitable
Patches as pull requests, not PDFs
Continuous on every commit and PR

The Shopify app attack surface

A Shopify app is more than a web server. It is an OAuth 2.0 client, an embedded App Bridge iframe, a webhook receiver, and a privileged caller of the Admin API — all multi-tenant across every merchant that installs it. Each of those surfaces has its own failure mode, and each one is in scope for an App Store review.

OAuth flow & access scopes

Missing or replayable state parameters, over-broad scope requests, access tokens stored in localStorage, and callback routes that exchange codes without validating the shop hostname.

Webhook HMAC verification

Handlers that skip X-Shopify-Hmac-SHA256 verification, compare digests with non-constant-time equality, or compute HMACs over a parsed JSON body instead of the raw request bytes.

Session tokens & App Bridge

Embedded apps that trust the JWT from the iframe without verifying signature, dest, and aud claims — letting a malicious merchant context impersonate another shop.

Admin API & multi-tenant leakage

IDOR through shop parameter tampering, cross-shop data leakage in shared backends, and unscoped GraphQL mutations that let one merchant read another's orders or customers.

App Proxy & iframe injection

App Proxy endpoints that fail to verify the signature, return unescaped merchant input into the storefront, or open clickjacking and CSP bypass paths in the embedded admin.

Magecart & client-side skimming

Third-party scripts loaded into checkout or cart extensions without subresource integrity, missing CSP, and unchecked postMessage handlers that leak checkout data to attacker origins.

What winfunc finds in a Shopify app

Winfunc builds a semantic model of your app and reasons about Shopify-specific concepts — shop context, access scopes, App Bridge session tokens, webhook payloads — so it catches the vulnerabilities a generic SAST scanner leaves behind.

Source-to-sink data flow tracking across OAuth, webhook, and Admin API code paths
Business-logic flaws a SAST scanner cannot see — cross-shop leakage, scope escalation, replayed state
Executable proof-of-concept for every finding — never waste time on a false positive
Webhook HMAC verification audited against the raw request body, exactly as Shopify requires
GDPR mandatory webhook coverage: customers/data_request, customers/redact, shop/redact
PCI DSS 4.0 §6.4.1 / §6.4.2 evidence for payment-page script inventory and integrity
AI-generated patches delivered as pull requests against your real codebase
Continuous scanning on every commit and pull request — not a once-a-year snapshot
Built for Shopify readiness: catch App Store review blockers before submission

How it works

01

Connect the repository

Sign in, point winfunc at the GitHub or GitLab repo behind your Shopify app, and the agents start mapping the OAuth flow, webhook handlers, App Bridge surface, and every Admin API call on first commit.

02

Autonomous audit & triage

Winfunc builds a semantic model of the app, walks data flows from untrusted entry points (webhooks, App Bridge tokens, App Proxy) to privileged sinks (Admin API, database, file system), and proves each finding with an executable PoC.

03

Ship the fix

Every confirmed vulnerability comes with a patch opened as a pull request — diff, severity, exploit, and remediation rationale inline. Mean time to remediation drops from weeks to hours.

Compliance-ready out of the box

Every finding ships with methodology, exploitability proof, severity, and remediation evidence in a format Shopify App Store reviewers and SOC 2 / PCI DSS auditors accept.

Shopify App Store review

Mandatory GDPR webhooks, OAuth state, scoped tokens, HMAC verification

PCI DSS 4.0

§6.4.1 & §6.4.2 payment-page script inventory and integrity monitoring

SOC 2 Type II

Continuous monitoring, remediation evidence, auditor-ready reports

GDPR / CCPA

Customer data redaction and request workflows verified end-to-end

See what winfunc would find in your Shopify app.

Drop your work email and book a free audit. We'll run the agents against your codebase and walk you through the first kill chain on a call — no slide deck, no sales pitch.

Shopify app security FAQ

Common questions about auditing, hardening, and reviewing Shopify apps with winfunc.

What does a Shopify app security audit include?+

Winfunc's Shopify app security audit covers the full attack surface of a Shopify app: the OAuth 2.0 authorization-code flow and state validation, App Bridge session-token handling, webhook HMAC verification on every topic (including GDPR mandatory webhooks), Admin API access-scope minimization, App Proxy endpoint integrity, embedded-app iframe and CSP posture, and any custom backend that handles merchant or customer data. Every finding ships with an executable proof-of-concept and a pull-request-ready patch.

Does Shopify review my app for security before App Store approval?+

Yes. The Shopify App Store review checks for required security controls including mandatory GDPR compliance webhooks (customers/data_request, customers/redact, shop/redact), correct OAuth state handling, scoped access tokens, and webhook signature verification. Reviewers also probe for common web vulnerabilities. Winfunc runs the same checks continuously on every commit so you catch review blockers before submission — and keep catching new ones as the app evolves.

How does winfunc find vulnerabilities a SAST scanner misses?+

Traditional SAST relies on regex and shallow AST patterns. Winfunc builds a semantic model of your app — understanding Shopify-specific concepts like shop context, access scopes, App Bridge session tokens, and webhook payloads — so it can find business-logic flaws such as IDOR via shop parameter tampering, cross-shop data leakage in multi-tenant backends, and missing HMAC verification on admin-order webhooks. Every finding is proven exploitable with a working PoC.

Can winfunc verify webhook HMAC validation bugs?+

Yes. Winfunc reasons over the raw request body path in your webhook handlers, detects when the X-Shopify-Hmac-SHA256 header is skipped, compared with non-constant-time equality, or computed against a parsed (rather than raw) body — and writes a PoC that submits a forged webhook payload your handler will accept. The fix is delivered as a patch using crypto.timingSafeEqual against the raw body, exactly as the Shopify docs require.

How is this different from a manual Shopify app pentest?+

A manual pentest is a snapshot taken over a few weeks. Winfunc runs continuously on every commit and pull request, so new OAuth scope additions, webhook handlers, and Admin API calls are audited the moment they land — with the depth of a senior security engineer's review. You get exploitability proof, severity, and a ready-to-merge patch in hours, not a PDF at the end of the engagement.

How long does an initial Shopify app security audit take?+

Most Shopify apps get their first actionable kill-chain report within hours of connecting the repository. Winfunc's agents map the OAuth flow, webhook handlers, Admin API calls, and App Bridge surface immediately, then triage and prove exploitable findings before opening fix pull requests. There is no scheduling, no kickoff call, and no waiting on a human queue.

Do you support custom and private Shopify apps too?+

Yes. Custom apps and private apps built for a single merchant still handle access tokens, webhooks, and Admin API credentials — and are often the ones with the least review. Winfunc audits any codebase that talks to the Shopify Admin API, App Bridge, or Shopify webhooks, including headless Hydrogen storefronts and custom checkout extensions.

Are the findings compliance-ready for SOC 2 and PCI DSS audits?+

Yes. Every finding includes methodology, exploitability proof, severity, and remediation evidence in a format SOC 2 and PCI DSS auditors accept. For apps that touch checkout or cardholder data flows, winfunc also documents PCI DSS 4.0 requirements 6.4.1 and 6.4.2 (payment-page script inventory and integrity monitoring) so you can demonstrate Magecart controls.

Ready in hours

Audit your Shopify app before reviewers — and attackers — do.

Book a free audit. Winfunc's agents will map your app's attack surface, prove exploitable findings, and open fix pull requests the same day.