We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at FoxyCart. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Foxy. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast on the latest state-of-the-art security developments by working with security researchers. We appreciate the community's efforts in creating a more secure world.
No technology is perfect, and we at Foxy believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of Service attempts
- Social engineering (including phishing) of Foxy staff or contractors
- Any physical attempts against Foxy property or data centers
Thank you for helping keep Foxy.io/FoxyCart.com and our users safe!
Before You Begin
- Please read and follow the rules in HackerOne's Standard Disclosure Terms.
- Review the "Out of Scope" section below.
- Please review the "Known Issues" below.
What, Where, and How to Test
At it's simplest, FoxyCart works by adding products to a
/cart endpoint via
POST request. Click here for some examples on our homepage.
To do more in-depth testing and create your own account:
- Create an account at https://admin.foxycart.com/signup/.
- When creating your account, please use the string
HackerOnein your first name, last name, or email address.
- When creating your store's subdomain, please use the following format:
- When creating your account, please use the string
- Test as desired. You can use the default Authorize.net gateway test account and the test credit card
4111 1111 1111 1111to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
- Create an API client at api-sandbox.foxycart.com or from the "integrations" page in the admin. The API uses Oauth 2.0, and can handle nearly every request that admin.foxycart.com can.
Please do not use automated scanners or aggressive scripts.
A Note about our Known Issues
We have recently moved to HackerOne from BugCrowd, and as such there may be some issues that have been previously reported, haven't yet been addressed, yet aren't necessarily listed below. We take your time seriously, and have updated this below list, but there are a number of previously reported low-importance/low-impact issues that may not be fully covered by this list.
We get a lot of notes about these, so they get their own section:
DROWN ATTACK NOTE: (2016-03-02)
Don't report that we're vulnerable to DROWN unless you can show an IP and domain that match what you're attempting, and that are actually vulnerable. The DROWN test tool isn't giving you the info you might think it's giving you.
BREACH Attack: Unless you can confirm our mitigation approach isn't sufficient, please do not report this.
DMARC, DKIM, or SPF records missing on domains or subdomains.
- SSRF: Our
cacheendpoint (which caches images and is publicly accessible) and our template caching (available in the admin and via the API) make outbound GET requests. This is by design. Please do not report this as SSRF unless you can demonstrate accessing internal or otherwise privileged access.
The most important thing to note is how FoxyCart works. Please don't report the following behavior:
- Products can be added via a
POST, and a product's
price, or other options can be modified. This is by design. We designed our system for flexibility and there is a way to protect add-to-cart links and forms.
- These requests can be submitted to SSL from a non-SSL page.
The following finding types are specifically excluded from the bounty:
- Self-XSS and issues exploitable only through Self-XSS.
- Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
- SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
- Clickjacking headers not present on some of our subdomains.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
- Presence of application or web browser 'autocomplete' or 'save password'.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Banner disclosure on common/public services.
- No Strict Transport Security (HSTS) headers set.
- Some domains do not have proxy protection.
cache.phpwill cache/load images from 3rd-party domains. This is by design. (See the note about SSRF above.)
- Some forms do not have rate limiting / brute-force protections. (Please don't automate a ton of contact forms or anything.)
- Lookalike domains exist that we don't own or are unregistered.
- 3rd-party scripts are loaded within the admin.
- Account creation at
admin.foxycart.comdoes not have captcha or email validation.
- Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user, but you'll still get a 200 response. Also, we do IP-based blocking in certain other cases.)
- Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced. (Again, there's enforcement in some areas, and we're aware of others already.)
- Password resets...
- Indicate whether an account exists or not.
- Don't generate an additional email to the admin user.
- Are sent via a link that's Base64 encoded.
- That link shows in the referrer header when loaded in the Foxy admin.
- Admin sessions are not invalidated on… certain events. In the situations where sessions aren't invalidated, this is a known issue. (Similarly, we don't support MFA yet, and don't have robust "suspicious" login detection. We're working on that.)
- Admin does not require re-authentication on certain actions.
- Logout Cross-Site Request Forgery (logout CSRF).
- Clickjacking is possible in certain old browsers that don't support
X-Frame-Options-Headerbut do support TLSv1.1+.
- There exists an edge case where it's possible to change an admin password without providing the original password. We are aware and working to diagnose. (If you can reliably reproduce, that'd be a valid submission. Otherwise it's a known issue.) (There exists another way to do this that we can reproduce, related to the password reset email URL. This is a known issue.)
- Generated CSVs may allow for Excel-specific functions to be output.
- RC4 encryption is used in legacy webhook systems.
Cart and Checkout issues:
- Form POSTs and GETs to
/cartare possible from http. (http->https MITM attack vector.)
- Cart requests do not require CSRF or have other protection (aside from the HMAC signing mentioned above).
- The ability to modify product parameters in a link or form, if the account has the HMAC signing functionality disabled. (Again, as mentioned above.)
- Clickjacking headers (and/or other mitigating precautions) not present on some of our subdomains.
- The session-specific referrer header can be manipulated, and is output to customers in certain situations.
- Password resets (and customer logins) indicate whether an account exists or not.
- It's possible create a duplicate customer account with an existing email under very specific circumstances.
- Form POSTs and GETs to
Networking and infrastructure:
- Host Header injection/modification/redirects. We're aware.
- It's possible to reveal an internal IP address if you modify a redirected request. This is an AWS ELB/ALB thing, and the IP revealed is not one of ours.
A Note about XSS
Please note: If you've identified an XSS issue (especially on on our
www site), please make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS, and an invalid submission.
A Note about CSRF
If you're reporting a CSRF issue and your POC includes the CSRF token, we will assume that you don't understand what CSRF issues are, nor how CSRF prevention works. Please, please don't report a CSRF vulnerability if your POC includes the CSRF token. (If you can get the CSRF token from a victim, show that.) It wastes considerable time trying to educate hackers about what CSRF is and why reports like this aren't valid.
Out of Scope: Other *.foxycart.com or *.foxy.io Domains
Foxy customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself. Please don't test our users.
For vulnerabilities found at the following subdomains, we make a distinction between the underlying system and our own modifications. For example, we use Dokuwiki for our wiki. If you find a security issue in our implementation of Dokuwiki, that may be valid and eligible for a reward from us. But an issue with Dokuwiki itself should be reported to them.
Note also that some of these domains are on shared hosts, or other environments we don't control. As such, certain ports may be open and/or services accessible. We don't necessarily control infrastructure for all of these domains, so feel free to report, but we'll most likely mark reports as informative unless it's something we actually have control over.